[vorbis-tools] 01/02: oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).

[Petter Reinholdtsen]

This is an automated email from the git hooks/post-receive script.

pere pushed a commit to branch debian/wheezy
in repository vorbis-tools.

commit 172b3d3bfa8c21287aef73225cfc8dd6642da9bd
Author: Petter Reinholdtsen <pere at hungry.com>
Date:   Tue Sep 22 14:56:58 2015 +0200

    oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
    
    Patch from Mark Harris.
    
    Closes: 797461
---
 ...ge-alloca-on-bad-AIFF-input-CVE-2015-6749.patch | 37 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 38 insertions(+)

diff --git a/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
new file mode 100644
index 0000000..bd212f9
--- /dev/null
+++ b/debian/patches/0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch
@@ -0,0 +1,37 @@
+Description: oggenc: Fix large alloca on bad AIFF input
+ This is CVE-2015-6749.
+Author: Mark Harris <mark.hsj at gmail.com>
+
+Bug-Debian: https://bugs.debian.org/797461
+Forwarded: https://trac.xiph.org/ticket/2212
+Reviewed-By: Petter Reinholdtsen <pere at hungry.com>
+Last-Update: 2015-09-22
+
+diff --git a/oggenc/audio.c b/oggenc/audio.c
+index 22bbed4..05e42b3 100644
+--- a/oggenc/audio.c
++++ b/oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
++    unsigned int len, readlen;
++    unsigned char buffer[22];
+     unsigned char buf2[8];
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
++    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++    if(fread(buffer,1,readlen,in) < readlen ||
++       (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+         return 0;
diff --git a/debian/patches/series b/debian/patches/series
index 76e7d92..af23375 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 no_debian_subdir.diff
+0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xiph/vorbis-tools.git