openkylin
/
libsndfile
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix heap buffer overflows when writing strings in binheader 

Origin: upstream
Applied-Upstream: cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8

Gbp-Pq: Name binheader-heapoverflow.patch
This commit is contained in:
Jörn Heusipp 2017-07-12 00:00:00 +02:00 committed by openKylinBot
parent 04a3be41ad
commit e4a7ad988c
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/common.c
View File

@ -675,15 +675,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
/* Write a C string (guaranteed to have a zero terminator). */
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) + 1 ;
size += (size & 1) ;
if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
header_put_be_int (psf, size) ;
header_put_be_int (psf, size + (size & 1)) ;
else
header_put_le_int (psf, size) ;
header_put_le_int (psf, size + (size & 1)) ;
size += (size & 1) ;
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ;