| Brad Bishop | bba38f3 | 2018-08-23 16:11:46 +0800 | [diff] [blame] | 1 | libid3tag: patch for CVE-2004-2779 |
| 2 | |
| 3 | The patch comes from |
| 4 | https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch |
| 5 | |
| 6 | Upstream-Status: Pending |
| 7 | |
| 8 | CVE: CVE-2004-2779 |
| 9 | |
| 10 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 11 | |
| 12 | diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c |
| 13 | --- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 |
| 14 | +++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 |
| 15 | @@ -282,5 +282,18 @@ |
| 16 | |
| 17 | free(utf16); |
| 18 | |
| 19 | + if (end == *ptr && length % 2 != 0) |
| 20 | + { |
| 21 | + /* We were called with a bogus length. It should always |
| 22 | + * be an even number. We can deal with this in a few ways: |
| 23 | + * - Always give an error. |
| 24 | + * - Try and parse as much as we can and |
| 25 | + * - return an error if we're called again when we |
| 26 | + * already tried to parse everything we can. |
| 27 | + * - tell that we parsed it, which is what we do here. |
| 28 | + */ |
| 29 | + (*ptr)++; |
| 30 | + } |
| 31 | + |
| 32 | return ucs4; |
| 33 | } |