[SCM] flac/master: backport patch from upstream git to fix another input validation bug.

fabian-guest at users.alioth.debian.org
Mon Dec 1 11:57:47 UTC 2014


The following commit has been merged in the master branch:
commit 0156a05e10e6ab09709eda47c4b957cc859da9f3
Author: Fabian Greffrath <fabian+debian at greffrath.com>
Date:   Mon Dec 1 12:58:18 2014 +0100

    backport patch from upstream git to fix another input validation bug.

diff --git a/debian/patches/flac.git-43ba7ad05f1656e885ce2f34a9a72494f45705ae.patch b/debian/patches/flac.git-43ba7ad05f1656e885ce2f34a9a72494f45705ae.patch
new file mode 100644
index 0000000..90fe4ff
--- /dev/null
+++ b/debian/patches/flac.git-43ba7ad05f1656e885ce2f34a9a72494f45705ae.patch
@@ -0,0 +1,36 @@
+From 43ba7ad05f1656e885ce2f34a9a72494f45705ae Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd at mega-nerd.com>
+Date: Fri, 28 Nov 2014 23:39:25 +1100
+Subject: [PATCH] src/libFLAC/stream_decoder.c : Fix another input validation bug.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If a file says it contains a stupidly large number of vorbis comments,
+the stream decoder would try to allocate enough memory which would fail
+returning NULL and then write to that pointer anyway. The solution is
+to set a hard limit of 10000 vorbis comments and force num_comments to
+zero if the number is too large.
+
+Problem found using the afl (american fuzzy lop) fuzzer.
+
+Closes: https://sourceforge.net/p/flac/bugs/421/
+Reported-by : Hanno Böck <hanno at hboeck.de>
+---
+ src/libFLAC/stream_decoder.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -1728,6 +1728,11 @@ FLAC__bool read_metadata_vorbiscomment_(
+ 			return false; /* read_callback_ sets the state for us */
+ 
+ 		/* read comments */
++		if (obj->num_comments > 100000) {
++			/* Possibly malicious file. */
++			obj->num_comments = 0;
++			return false;
++		}
+ 		if (obj->num_comments > 0) {
+ 			if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
+ 				decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
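Review bot: the constant in the added check `if (obj->num_comments > 100000)` disagrees with the patch description, which states a hard limit of 10000 vorbis comments, so one of the two is off by a factor of ten. Either the constant or the description should be corrected, and a named constant for the limit would keep the code and its documentation from drifting apart. Separately, the new early `return false` leaves `decoder->protected_->state` untouched, whereas the allocation-failure path just below sets FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR and the read-failure path above relies on read_callback_ to set the state. It is worth confirming that callers see a meaningful decoder state when an oversized count is rejected.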
diff --git a/debian/patches/series b/debian/patches/series
index f9ef3dc..906c617 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Revert-man-Makefile-Fail-more-gracefully.patch
 requires-flac.patch
+flac.git-43ba7ad05f1656e885ce2f34a9a72494f45705ae.patch

-- 
flac packaging


