SECURITY: patch to fix integer overflow in wav handling (CVE-2008-2430)

Pulled from upstream GIT repository. ok brad
2008-07-09 17:28:42 +00:00 · 2008-07-09 17:28:42 +00:00 · f188c77b13
commit f188c77b13
parent 43118b6200
2 changed files with 52 additions and 2 deletions
--- a/x11/vlc/Makefile
+++ b/x11/vlc/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.72 2008/07/09 02:17:12 jakemsr Exp $
+# $OpenBSD: Makefile,v 1.73 2008/07/09 17:28:42 sthen Exp $

 SHARED_ONLY=	Yes

@ -6,7 +6,7 @@ COMMENT-main=	videolan client; multimedia player

 V=		0.8.6h
 DISTNAME=	vlc-${V}
-PKGNAME-main=	${DISTNAME}p0
+PKGNAME-main=	${DISTNAME}p1
 CATEGORIES=	x11
 MASTER_SITES=	http://download.videolan.org/pub/videolan/vlc/${V}/

--- a/x11/vlc/patches/patch-modules_demux_wav_c
+++ b/x11/vlc/patches/patch-modules_demux_wav_c
@ -0,0 +1,50 @@
+$OpenBSD: patch-modules_demux_wav_c,v 1.1 2008/07/09 17:28:42 sthen Exp $
+
+wav: fix integer overflow (CVE-2008-2430)
+
+When i_size is sufficiently large, we would overflow malloc(), and then
+overwrite the heap with stream_Read().
+
+Bug reported by: Alin Rad Pop, Secunia Research.
+
+--- modules/demux/wav.c.orig	Sun May 25 19:28:57 2008
+++ modules/demux/wav.c	Thu Jul  3 13:16:18 2008
+@@ -103,7 +103,8 @@ static int Open( vlc_object_t * p_this )
+     demux_sys_t *p_sys;
+ 
+     uint8_t     *p_peek;
+-    unsigned int i_size, i_extended;
+    uint32_t     i_size;
+    unsigned int i_extended;
+     char        *psz_name;
+ 
+     WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
+@@ -136,7 +137,8 @@ static int Open( vlc_object_t * p_this )
+         msg_Err( p_demux, "cannot find 'fmt ' chunk" );
+         goto error;
+     }
+-    if( i_size < sizeof( WAVEFORMATEX ) - 2 )   /* XXX -2 isn't a typo */
+    i_size += 2;
+    if( i_size < sizeof( WAVEFORMATEX ) )
+     {
+         msg_Err( p_demux, "invalid 'fmt ' chunk" );
+         goto error;
+@@ -144,14 +146,15 @@ static int Open( vlc_object_t * p_this )
+     stream_Read( p_demux->s, NULL, 8 );   /* Cannot fail */
+ 
+     /* load waveformatex */
+-    p_wf_ext = malloc( __EVEN( i_size ) + 2 );
+    p_wf_ext = malloc( i_size );
+     if( p_wf_ext == NULL )
+          goto error;
+ 
+     p_wf = (WAVEFORMATEX *)p_wf_ext;
+     p_wf->cbSize = 0;
+-    if( stream_Read( p_demux->s,
+-                     p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
+    i_size -= 2;
+    if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
+     || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
+     {
+         msg_Err( p_demux, "cannot load 'fmt ' chunk" );
+         goto error;