[SCM] libopenmpt/debian/stretch: Add security patches from #867579
jcowgill at users.alioth.debian.org
jcowgill at users.alioth.debian.org
Sat Jul 15 21:55:27 UTC 2017
The following commit has been merged in the debian/stretch branch:
commit 9d26c588784845fc05fcba5e83e7b6c2b8d9c220
Author: James Cowgill <jcowgill at debian.org>
Date: Sat Jul 15 18:30:28 2017 +0100
Add security patches from #867579
up8: Out-of-bounds read while loading a malformed PLM file.
up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.
Thanks: Jörn Heusipp
Closes: #867579
diff --git a/debian/patches/series b/debian/patches/series
index deab105..5a1cac8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,5 @@ up2-infinite-loop-in-plugin-routing.patch
up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
up5-excessive-cpu-consumption-on-malformed-files-ams.patch
up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
+up8-out-of-bounds-read-plm.patch
+up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
diff --git a/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch b/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
new file mode 100644
index 0000000..1220e4d
--- /dev/null
+++ b/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
@@ -0,0 +1,30 @@
+Description: Fix CVE-2017-11311
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html
+ Fix heap buffer overflow which may allow arbitrary code execution via a
+ crafted PSM File.
+Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8460
+Bug-Debian: https://bugs.debian.org/867579
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Load_psm.cpp
++++ b/soundlib/Load_psm.cpp
+@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader &f
+ }
+
+ SAMPLEINDEX smp = sampleHeader.sampleNumber;
+- if(smp < MAX_SAMPLES)
++ if(smp > 0 && smp < MAX_SAMPLES)
+ {
+ m_nSamples = std::max(m_nSamples, smp);
+
+- mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name);
+ sampleHeader.ConvertToMPT(Samples[smp]);
++ mpt::String::Read<mpt::String::nullTerminated>(m_szNames[smp], sampleHeader.name);
+
+- if((loadFlags & loadSampleData) && file.Seek(sampleHeader.offset))
++ if(loadFlags & loadSampleData)
+ {
++ file.Seek(sampleHeader.offset);
+ sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file);
+ }
+ }
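Review bot: The new `file.Seek(sampleHeader.offset);` in the Load_psm.cpp change discards the return value that the old condition tested, so when a seek to the header-supplied offset is refused, `ReadSample` still runs from wherever the reader currently stands. If that is deliberate (presumably so the sample data is always set up once `ConvertToMPT` has filled in the sample header), the code should say so, e.g. `// Seek result ignored on purpose: ReadSample must run even if the offset is invalid`, otherwise a later cleanup may restore the check. The DEP-3 description would also benefit from one sentence naming the two actual changes, the `smp > 0` lower bound and the unconditional sample read, since neither is explained. ReadPSM16 starts and ends outside the hunk, so how `file` behaves after a failed seek cannot be confirmed from here.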
diff --git a/debian/patches/up8-out-of-bounds-read-plm.patch b/debian/patches/up8-out-of-bounds-read-plm.patch
new file mode 100644
index 0000000..be2b785
--- /dev/null
+++ b/debian/patches/up8-out-of-bounds-read-plm.patch
@@ -0,0 +1,25 @@
+Description: Fix out-of-bounds read while loading a malformed PLM file
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html
+Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision&rev=8428
+Bug-Debian: https://bugs.debian.org/867579
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Load_plm.cpp
++++ b/soundlib/Load_plm.cpp
+@@ -376,13 +376,10 @@ bool CSoundFile::ReadPLM(FileReader &fil
+ }
+ // Module ends with the last row of the last order item
+ ROWINDEX endPatSize = maxPos % rowsPerPat;
+- if(endPatSize > 0)
++ ORDERINDEX endOrder = static_cast<ORDERINDEX>(maxPos / rowsPerPat);
++ if(endPatSize > 0 && Order.IsValidPat(endOrder))
+ {
+- PATTERNINDEX endPat = Order[maxPos / rowsPerPat];
+- if(Patterns.IsValidPat(endPat))
+- {
+- Patterns[endPat].Resize(endPatSize, false);
+- }
++ Patterns[Order[endOrder]].Resize(endPatSize, false);
+ }
+ // If there are still any non-existent patterns in our order list, insert some blank patterns.
+ PATTERNINDEX blankPat = PATTERNINDEX_INVALID;
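Review bot: `static_cast<ORDERINDEX>(maxPos / rowsPerPat)` narrows the quotient before `Order.IsValidPat(endOrder)` validates it, so if `maxPos` is wider than ORDERINDEX (its declaration is outside the hunk) a large value from a malformed file could wrap to an index that happens to be valid, and the wrong pattern would be resized. Comparing the un-narrowed quotient against the order list length before the cast would close that gap. A one-line comment stating that `Order.IsValidPat` covers both the order index range and the referenced pattern, as the removal of the separate `Patterns.IsValidPat` check implies, would also help the next reader. ReadPLM continues outside the hunk.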
--
libopenmpt packaging