(attempt to) fix CVE-2008-5824 (buffer overflow in msadpcm.c),

see Debian bug #510205, just done correctly. The IMA code might have similar problems. The code appearently can't handle stereo files correctly anyway, so bail out if >1 channel which should avoid the problem. bump PKGREVISION
2009-01-21 15:19:27 +00:00 · 2009-01-21 15:19:27 +00:00 · 62253534ba
commit 62253534ba
parent cf306a891b
4 changed files with 56 additions and 3 deletions
--- a/audio/libaudiofile/Makefile
+++ b/audio/libaudiofile/Makefile
@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2008/05/25 14:45:16 tron Exp $
+# $NetBSD: Makefile,v 1.43 2009/01/21 15:19:27 drochner Exp $
 DISTNAME=		audiofile-0.2.6
 PKGNAME=		lib${DISTNAME}
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES=		audio
 MASTER_SITES=		http://www.68k.org/~michael/audiofile/ \
 			${MASTER_SITE_GNOME:=sources/audiofile/0.2/}
--- a/audio/libaudiofile/distinfo
+++ b/audio/libaudiofile/distinfo
@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.11 2005/04/27 08:59:41 wiz Exp $
+$NetBSD: distinfo,v 1.12 2009/01/21 15:19:27 drochner Exp $
 SHA1 (audiofile-0.2.6.tar.gz) = 94a6ab8e5122bc1971cf186e5a52d032811c9bc5
 RMD160 (audiofile-0.2.6.tar.gz) = b61fbc856768a5838ca5c0fad602f35205e8d037
 Size (audiofile-0.2.6.tar.gz) = 374688 bytes
 SHA1 (patch-aa) = 7c498a63fe055f1f7e16f45f655341a9b6708f71
 SHA1 (patch-ab) = cd292a827aa18b9839305b2c62c3dbd526384430
 SHA1 (patch-ac) = 7f3f10988bb198a1d673147098fee89de3dbcde4
 SHA1 (patch-ad) = 0986c009c104c18c5a85c847c53213756cf0c8a5
--- a/audio/libaudiofile/patches/patch-ac
+++ b/audio/libaudiofile/patches/patch-ac
@ -0,0 +1,24 @@
 $NetBSD: patch-ac,v 1.1 2009/01/21 15:19:27 drochner Exp $
 --- libaudiofile/modules/msadpcm.c.orig	2004-03-06 07:39:23.000000000 +0100
 +++ libaudiofile/modules/msadpcm.c
@@ -129,8 +129,7 @@ static int ms_adpcm_decode_block (ms_adp
 	ms_adpcm_state	*state[2];
 	/* Calculate the number of bytes needed for decoded data. */
 -	outputLength = msadpcm->samplesPerBlock * sizeof (int16_t) *
 -		msadpcm->track->f.channelCount;
 +	outputLength = msadpcm->samplesPerBlock * sizeof (int16_t);
 	channelCount = msadpcm->track->f.channelCount;
@@ -180,8 +179,7 @@ static int ms_adpcm_decode_block (ms_adp
 		The first two samples have already been 'decoded' in
 		the block header.
 	*/
 -	samplesRemaining = (msadpcm->samplesPerBlock - 2) *
 -		msadpcm->track->f.channelCount;
 +	samplesRemaining = msadpcm->samplesPerBlock - (2 * channelCount);
 	while (samplesRemaining > 0)
 	{
--- a/audio/libaudiofile/patches/patch-ad
+++ b/audio/libaudiofile/patches/patch-ad
@ -0,0 +1,27 @@
 $NetBSD: patch-ad,v 1.1 2009/01/21 15:19:27 drochner Exp $
 --- libaudiofile/wave.c.orig	2004-03-06 07:39:23.000000000 +0100
 +++ libaudiofile/wave.c
@@ -220,7 +220,8 @@ static status ParseFormat (AFfilehandle 
 			extraByteCount = LENDIAN_TO_HOST_INT16(extraByteCount);
 			af_fread(&samplesPerBlock, 1, 2, fp);
 -			samplesPerBlock = LENDIAN_TO_HOST_INT16(samplesPerBlock);
 +			samplesPerBlock = LENDIAN_TO_HOST_INT16(samplesPerBlock)
 +				* track->f.channelCount;
 			af_fread(&numCoefficients, 1, 2, fp);
 			numCoefficients = LENDIAN_TO_HOST_INT16(numCoefficients);
@@ -281,6 +282,12 @@ static status ParseFormat (AFfilehandle 
 			u_int16_t	bitsPerSample, extraByteCount,
 					samplesPerBlock;
 +			if (track->f.channelCount != 1) {
 +				_af_error(AF_BAD_CHANNELS,
 +					"WAVE file with IMA compression: "
 +					"can only handle 1 channel");
 +			}
 +
 			af_fread(&bitsPerSample, 1, 2, fp);
 			bitsPerSample = LENDIAN_TO_HOST_INT16(bitsPerSample);