| libid3tag: patch for CVE-2004-2779 |
| |
| The patch comes from |
| https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch |
| |
| Upstream-Status: Pending |
| |
| CVE: CVE-2004-2779 |
| CVE: CVE-2017-11551 |
| |
| Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| |
| diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c |
| --- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 |
| +++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 |
| @@ -282,5 +282,18 @@ |
| |
| free(utf16); |
| |
| + if (end == *ptr && length % 2 != 0) |
| + { |
| + /* We were called with a bogus length. It should always |
| + * be an even number. We can deal with this in a few ways: |
| + * - Always give an error. |
| + * - Try and parse as much as we can and |
| + * - return an error if we're called again when we |
| + * already tried to parse everything we can. |
| + * - tell that we parsed it, which is what we do here. |
| + */ |
| + (*ptr)++; |
| + } |
| + |
| return ucs4; |
| } |