CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

vorbis-tools: fix CVE-2015-6749

Browse Source 
Backport patch to fix CVE-2015-6749 from:

https://trac.xiph.org/ticket/2212

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Kai Kang 2015-10-16 11:23:02 +08:00 committed by Martin Jansa
parent 2effb83c6a
commit 9d5b4c712f
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch Normal file
View File

@ -0,0 +1,49 @@
Upstream-Status: Backport
Backport patch to fix CVE-2015-6749 from:
https://trac.xiph.org/ticket/2212
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
From: Mark Harris <mark.hsj@gmail.com>
Date: Sun, 30 Aug 2015 05:54:46 -0700
Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
Fixes #2212
---
oggenc/audio.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/oggenc/audio.c b/oggenc/audio.c
index 477da8c..4921fb9 100644
--- a/oggenc/audio.c
+++ b/oggenc/audio.c
@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
{
int aifc; /* AIFC or AIFF? */
- unsigned int len;
- unsigned char *buffer;
+ unsigned int len, readlen;
+ unsigned char buffer[22];
unsigned char buf2[8];
aiff_fmt format;
aifffile *aiff = malloc(sizeof(aifffile));
@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
return 0; /* Weird common chunk */
}
- buffer = alloca(len);
-
- if(fread(buffer,1,len,in) < len)
+ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
+ if(fread(buffer,1,readlen,in) < readlen ||
+ (len > readlen && !seek_forward(in, len-readlen)))
{
fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
return 0;
--
2.5.0

4
meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
View File

@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "libogg libvorbis curl libao"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
file://0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch \
"
SRC_URI[md5sum] = "567e0fb8d321b2cd7124f8208b8b90e6"
SRC_URI[sha256sum] = "a389395baa43f8e5a796c99daf62397e435a7e73531c9f44d9084055a05d22bc"