From 279ef0a0449e9554466f3014818f6f5be8412a61 Mon Sep 17 00:00:00 2001
From: Oliver Eikemeier <eik@FreeBSD.org>
Date: Wed, 28 Jul 2004 21:39:53 +0000
Subject: Fix SoX buffer overflows when handling .WAV files (CAN-2004-0557)

Buffer overflow when parsing .wav file headers in sox.  The IFF chunks
concerned have a 2-byte size field, but sox reads them into a 256-byte
buffer.

portaudit reference:
  <http://www.freebsd.org/ports/portaudit/3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d.html>

PR:		69725
Submitted by:	Dan Nelson <dnelson@allantgroup.com> (maintainer)
---
 audio/sox/Makefile          |  2 +-
 audio/sox/files/patch-wav.c | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 audio/sox/files/patch-wav.c

(limited to 'audio/sox')

diff --git a/audio/sox/Makefile b/audio/sox/Makefile
index 0936d55e2a59..4b10f7a15bef 100644
--- a/audio/sox/Makefile
+++ b/audio/sox/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	sox
 PORTVERSION=	12.17.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	audio
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	sox
diff --git a/audio/sox/files/patch-wav.c b/audio/sox/files/patch-wav.c
new file mode 100644
index 000000000000..2e7600888252
--- /dev/null
+++ b/audio/sox/files/patch-wav.c
@@ -0,0 +1,24 @@
+--- wav.c.old	2002-12-31 04:19:22.000000000 +0100
++++ wav.c	2004-07-18 19:25:46.000000000 +0200
+@@ -917,6 +917,10 @@
+ 		} else if(strncmp(magic,"ICRD",4) == 0){
+ 			st_readdw(ft,&len); 
+ 			len = (len + 1) & ~1;
++			if (len > 254) {
++			    fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n");
++			    exit(109);
++			}
+ 			st_reads(ft,text,len);
+ 			if (strlen(ft->comment) + strlen(text) < 254)
+ 			{
+@@ -926,6 +930,10 @@
+ 		} else if(strncmp(magic,"ISFT",4) == 0){
+ 			st_readdw(ft,&len); 
+ 			len = (len + 1) & ~1;
++			if (len > 254) {
++			    fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n");
++			    exit(110);
++			}
+ 			st_reads(ft,text,len);
+ 			if (strlen(ft->comment) + strlen(text) < 254)
+ 			{
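Review bot: The added `if (len > 254)` guards in the ICRD and ISFT branches only bound `len` from above; its declaration is outside the hunk, so if it is a signed type, a size field with the top bit set would become negative, pass the check and still reach `st_reads(ft,text,len)`. Comparing as unsigned, e.g. `if ((unsigned long)len > 254) {`, closes that case whichever way `len` is declared. The literal 254 also depends on the size of `text`, which is not visible here; if `text` is an array in scope, deriving the limit from `sizeof text` would keep the check correct should the buffer ever be resized. Separately, calling `exit()` from inside a file-format reader terminates any program embedding this code when it meets a malformed file; returning a failure through the reader's normal error path would reject the file without killing the process. The enclosing function starts and ends outside the hunk.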
-- 
cgit v1.2.3