[vorbis-tools] 01/01: oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
Petter Reinholdtsen
pere at moszumanska.debian.org
Tue Sep 22 13:10:47 UTC 2015
This is an automated email from the git hooks/post-receive script.
pere pushed a commit to branch master
in repository vorbis-tools.
commit 6729e0c0f9d643e1ba95e7d6382b7cb319a3bd7e
Author: Petter Reinholdtsen <pere at hungry.com>
Date: Tue Sep 22 14:56:58 2015 +0200
oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
Patch from Mark Harris.
Closes: 797461
---
...ge-alloca-on-bad-AIFF-input-CVE-2015-6749.patch | 37 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 38 insertions(+)
diff --git a/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
new file mode 100644
index 0000000..bd212f9
--- /dev/null
+++ b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
@@ -0,0 +1,37 @@
+Description: oggenc: Fix large alloca on bad AIFF input
+ This is CVE-2015-6749.
+Author: Mark Harris <mark.hsj at gmail.com>
+
+Bug-Debian: https://bugs.debian.org/797461
+Forwarded: https://trac.xiph.org/ticket/2212
+Reviewed-By: Petter Reinholdtsen <pere at hungry.com>
+Last-Update: 2015-09-22
+
+diff --git a/oggenc/audio.c b/oggenc/audio.c
+index 22bbed4..05e42b3 100644
+--- a/oggenc/audio.c
++++ b/oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len, readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ return 0; /* Weird common chunk */
+ }
+
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0;
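Review bot: In the second audio.c hunk of aiff_open, when len is smaller than sizeof(buffer) only readlen bytes of `unsigned char buffer[22]` are filled and the rest of the stack array is left uninitialized, so any later read from buffer must be gated on len. Those reads are outside the visible context, so please confirm that each one checks len before indexing past it, or zero-initialize the array at its declaration. The 22 is also a bare magic number: a short comment saying which header fields it has to cover would make the `readlen = len < sizeof(buffer) ? len : sizeof(buffer);` clamp easier to audit. Separately, and not introduced by this patch, the error path does `return 0;` after `aifffile *aiff = malloc(sizeof(aifffile));` with no free visible in the hunk, which is worth checking while this function is being touched.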
diff --git a/debian/patches/series b/debian/patches/series
index bb094b7..3be8c5f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@
0012-Fix-ogg123-speex-playback-Initialize-channel-matrix.patch
0013-Fix-oggdec-crash-hang-Don-t-ignore-stream-errors.patch
0014-Use-translations-in-oggdec.patch
+0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xiph/vorbis-tools.git