Fix SoX buffer overflows when handling .WAV files (CAN-2004-0557)

Buffer overflow when parsing .wav file headers in sox. The IFF chunks concerned have a 2-byte size field, but sox reads them into a 256-byte buffer. portaudit reference: <http://www.freebsd.org/ports/portaudit/3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d.html> PR: 69725 Submitted by: Dan Nelson <dnelson@allantgroup.com> (maintainer)
svn path=/head/; revision=114971
2024-11-21 00:25:50 +00:00 · 2004-07-28 21:39:53 +00:00 · 2004-07-28 21:39:53 +00:00 · 279ef0a044 · 2021-03-31 03:12:20 +00:00
commit 279ef0a044
parent 4bb553fa46
2 changed files with 25 additions and 1 deletions
--- a/audio/sox/Makefile
+++ b/audio/sox/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	sox
 PORTVERSION=	12.17.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	audio
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	sox
--- a/audio/sox/files/patch-wav.c
+++ b/audio/sox/files/patch-wav.c
@ -0,0 +1,24 @@
+--- wav.c.old	2002-12-31 04:19:22.000000000 +0100
+++ wav.c	2004-07-18 19:25:46.000000000 +0200
+@@ -917,6 +917,10 @@
+ 		} else if(strncmp(magic,"ICRD",4) == 0){
+ 			st_readdw(ft,&len); 
+ 			len = (len + 1) & ~1;
+			if (len > 254) {
+			    fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n");
+			    exit(109);
+			}
+ 			st_reads(ft,text,len);
+ 			if (strlen(ft->comment) + strlen(text) < 254)
+ 			{
+@@ -926,6 +930,10 @@
+ 		} else if(strncmp(magic,"ISFT",4) == 0){
+ 			st_readdw(ft,&len); 
+ 			len = (len + 1) & ~1;
+			if (len > 254) {
+			    fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n");
+			    exit(110);
+			}
+ 			st_reads(ft,text,len);
+ 			if (strlen(ft->comment) + strlen(text) < 254)
+ 			{