1 Fix CVE-2014-9638 (bnc#914439)
2 CVE-2014-9639 (bnc#914441)
3
4 ---
5 oggenc/audio.c | 19 +++++++++++++++++--
6 1 file changed, 17 insertions(+), 2 deletions(-)
7
8 --- a/oggenc/audio.c
9 +++ b/oggenc/audio.c
10 @@ -13,6 +13,7 @@
11 #include <config.h>
12 #endif
13
14 +#include <limits.h>
15 #include <stdlib.h>
16 #include <stdio.h>
17 #include <string.h>
18 @@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
19 aiff_fmt format;
20 aifffile *aiff = malloc(sizeof(aifffile));
21 int i;
22 + long channels;
23
24 if(buf[11]=='C')
25 aifc=1;
26 @@ -277,11 +279,17 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
27 return 0;
28 }
29
30 - format.channels = READ_U16_BE(buffer);
31 + format.channels = channels = READ_U16_BE(buffer);
32 format.totalframes = READ_U32_BE(buffer+2);
33 format.samplesize = READ_U16_BE(buffer+6);
34 format.rate = (int)read_IEEE80(buffer+8);
35
36 + if(channels <= 0L || SHRT_MAX < channels)
37 + {
38 + fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
39 + return 0;
40 + }
41 +
42 aiff->bigendian = 1;
43
44 if(aifc)
45 @@ -412,6 +420,7 @@ int wav_open(FILE *in, oe_enc_opt *opt,
46 wav_fmt format;
47 wavfile *wav = malloc(sizeof(wavfile));
48 int i;
49 + long channels;
50
51 /* Ok. At this point, we know we have a WAV file. Now we have to detect
52 * whether we support the subtype, and we have to find the actual data
53 @@ -449,12 +458,18 @@ int wav_open(FILE *in, oe_enc_opt *opt,
54 }
55
56 format.format = READ_U16_LE(buf);
57 - format.channels = READ_U16_LE(buf+2);
58 + format.channels = channels = READ_U16_LE(buf+2);
59 format.samplerate = READ_U32_LE(buf+4);
60 format.bytespersec = READ_U32_LE(buf+8);
61 format.align = READ_U16_LE(buf+12);
62 format.samplesize = READ_U16_LE(buf+14);
63
64 + if(channels <= 0L || SHRT_MAX < channels)
65 + {
66 + fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
67 + return 0;
68 + }
69 +
70 if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
71 {
72 if(len<40)
|
