src/aiff.c : Fix potential (heap) buffer overflow when parsing 'MARK' chunk.

Erik de Castro Lopo 2009-04-21 19:43:00 +10:00
parent a3956b9cc0
commit 6d47e69ca8
2 changed files with 18 additions and 5 deletions


@ -5,6 +5,9 @@
heap overflow. Thanks to Tobias Klein (http://www.trapkit.de) for reporting heap overflow. Thanks to Tobias Klein (http://www.trapkit.de) for reporting
this issue. this issue.
* src/aiff.c
Fix potential (heap) buffer overflow when parsing 'MARK' chunk.
2009-04-12 Erik de Castro Lopo <erikd AT mega-nerd DOT com> 2009-04-12 Erik de Castro Lopo <erikd AT mega-nerd DOT com>
* tests/stdin_test.c * tests/stdin_test.c


@ -756,7 +756,6 @@ aiff_read_header (SF_PRIVATE *psf, COMM_CHUNK *comm_fmt)
pchk4_store (&paiff->chunk4, marker, psf_ftell (psf) - 8, dword) ; pchk4_store (&paiff->chunk4, marker, psf_ftell (psf) - 8, dword) ;
psf_log_printf (psf, " %M : %d\n", marker, dword) ; psf_log_printf (psf, " %M : %d\n", marker, dword) ;
{ unsigned short mark_id, n = 0 ; { unsigned short mark_id, n = 0 ;
unsigned char pstr_len ;
unsigned int position ; unsigned int position ;
bytesread = psf_binheader_readf (psf, "E2", &n) ; bytesread = psf_binheader_readf (psf, "E2", &n) ;
@ -771,13 +770,24 @@ aiff_read_header (SF_PRIVATE *psf, COMM_CHUNK *comm_fmt)
return SFE_MALLOC_FAILED ; return SFE_MALLOC_FAILED ;
for (n = 0 ; n < mark_count && bytesread < dword ; n++) for (n = 0 ; n < mark_count && bytesread < dword ; n++)
{ bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &pstr_len) ; { unsigned int pstr_len ;
unsigned char ch ;
bytesread += psf_binheader_readf (psf, "E241", &mark_id, &position, &ch) ;
psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ; psf_log_printf (psf, " Mark ID : %u\n Position : %u\n", mark_id, position) ;
pstr_len += (pstr_len & 1) ? 0 : 1 ; pstr_len = (ch & 1) ? ch : ch + 1 ;
bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ; if (pstr_len < sizeof (psf->u.scbuf) - 1)
{ bytesread += psf_binheader_readf (psf, "b", psf->u.scbuf, pstr_len) ;
psf->u.scbuf [pstr_len] = 0 ; psf->u.scbuf [pstr_len] = 0 ;
}
else
{ unsigned int read_len = pstr_len - (sizeof (psf->u.scbuf) - 1) ;
bytesread += psf_binheader_readf (psf, "bj", psf->u.scbuf, read_len, pstr_len - read_len) ;
psf->u.scbuf [sizeof (psf->u.scbuf) - 1] = 0 ;
}
psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ; psf_log_printf (psf, " Name : %s\n", psf->u.scbuf) ;
paiff->markstr [n].markerID = mark_id ; paiff->markstr [n].markerID = mark_id ;