[SCM] libquicktime/master: Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)

rbalint at users.alioth.debian.org rbalint at users.alioth.debian.org
Mon Feb 27 22:54:39 UTC 2017


The following commit has been merged in the master branch:
commit f6bb364af6a2bc65eab832614afb578c5740a0cc
Author: Balint Reczey <balint at balintreczey.hu>
Date:   Mon Feb 27 23:13:47 2017 +0100

    Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
    
    Closes: #855099

diff --git a/debian/patches/CVE-2016-2399.patch b/debian/patches/CVE-2016-2399.patch
new file mode 100644
index 0000000..dfa8180
--- /dev/null
+++ b/debian/patches/CVE-2016-2399.patch
@@ -0,0 +1,22 @@
+diff --git a/src/util.c b/src/util.c
+index d8dc3c3..9422fc5 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -340,9 +340,14 @@ int64_t quicktime_byte_position(quicktime_t *file)
+ 
+ void quicktime_read_pascal(quicktime_t *file, char *data)
+ {
+-	char len = quicktime_read_char(file);
+-	quicktime_read_data(file, (uint8_t*)data, len);
+-	data[(int)len] = 0;
++	int len = quicktime_read_char(file);
++	if ((len > 0) && (len < 256)) {
++          /* data[] is expected to be 256 bytes long */
++          quicktime_read_data(file, (uint8_t*)data, len);
++          data[len] = 0;
++        } else {
++          data[0] = 0;
++        }
+ }
+ 
+ void quicktime_write_pascal(quicktime_t *file, char *data)
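Review bot: The new `int len = quicktime_read_char(file);` can still yield a negative value for length bytes 0x80–0xFF if quicktime_read_char returns a sign-extended char; its definition is outside this hunk, so this is inferred from the old `char len`. In that case the `len > 0` guard does keep the write in bounds, but the `len < 256` test never fires, Pascal strings of 128–255 bytes come back empty, and their payload is left unread, so the parsing that follows is out of step with the file. Reading the byte as unsigned, `int len = (uint8_t)quicktime_read_char(file);`, keeps the bound at 255 plus the terminator and still consumes the payload. The 256-byte size of `data[]` is stated only in an inline comment, so a header comment on quicktime_read_pascal saying callers must pass a buffer of at least 256 bytes would make that contract visible. The return value of quicktime_read_data is also not checked before `data[len] = 0`, so a short read may leave unread bytes in front of the terminator.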
diff --git a/debian/patches/series b/debian/patches/series
index 078889d..2f95641 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 11-path_max.patch
 libav10.patch
 ffmpeg_2.9.patch
+CVE-2016-2399.patch

-- 
libquicktime packaging


