| Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 1 | From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001 |
| 2 | From: Erik de Castro Lopo <erikd@mega-nerd.com> |
| 3 | Date: Tue, 23 May 2017 20:15:24 +1000 |
| 4 | Subject: [PATCH] src/aiff.c: Fix a buffer read overflow |
| 5 | |
| 6 | Secunia Advisory SA76717. |
| 7 | |
| 8 | Found by: Laurent Delosieres, Secunia Research at Flexera Software |
| 9 | |
| 10 | CVE: CVE-2017-6892 |
| 11 | Upstream-Status: Backport |
| 12 | |
| 13 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> |
| 14 | |
| 15 | --- |
| 16 | src/aiff.c | 2 +- |
| 17 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 18 | |
| 19 | diff --git a/src/aiff.c b/src/aiff.c |
| 20 | index 5b5f9f5..45864b7 100644 |
| 21 | --- a/src/aiff.c |
| 22 | +++ b/src/aiff.c |
| 23 | @@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword) |
| 24 | psf_binheader_readf (psf, "j", dword - bytesread) ; |
| 25 | |
| 26 | if (map_info->channel_map != NULL) |
| 27 | - { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ; |
| 28 | + { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ; |
| 29 | |
| 30 | free (psf->channel_map) ; |
| 31 | |
| 32 | -- |
| 33 | 1.9.1 |
| 34 | |