Update of /cvsroot/audacity/audacity-src/src/blockfile
In directory sc8-pr-cvs11.sourceforge.net:/tmp/cvs-serv7712/blockfile
Modified Files:
Tag: Audacity_UmixIt
LegacyAliasBlockFile.cpp LegacyBlockFile.cpp
PCMAliasBlockFile.cpp SimpleBlockFile.cpp
Log Message:
security vulnerability fixes, per NGS report for UmixIt
Index: LegacyBlockFile.cpp
===================================================================
RCS file: /cvsroot/audacity/audacity-src/src/blockfile/LegacyBlockFile.cpp,v
retrieving revision 1.8
retrieving revision 1.8.6.1
diff -u -d -r1.8 -r1.8.6.1
--- LegacyBlockFile.cpp 19 Sep 2003 08:09:24 -0000 1.8
+++ LegacyBlockFile.cpp 12 Dec 2006 03:27:12 -0000 1.8.6.1
@@ -258,7 +258,12 @@
const char *value = *attrs++;
if( !strcmp(attr, "name") )
- fileName.Assign(projDir, value);
+ {
+ if (IsGoodFileNameFromXML(value, projDir))
+ fileName.Assign(projDir, value);
+ else
+ return NULL;
+ }
if( !strcmp(attr, "len") )
len = atoi(value);
if( !strcmp(attr, "norms") )
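Review bot: The `len = atoi(value);` line directly below the new name check still takes the block length from the project XML with no validation, and `atoi` cannot distinguish a malformed or out-of-range value from a valid one. Since this commit treats the XML as untrusted, the numeric attributes deserve the same treatment, for example `long n = strtol(value, &end, 10);` followed by `if (*end != '\0' || n < 0) return NULL;`. The same applies to `len` in SimpleBlockFile.cpp and to `aliasstart`/`aliaslen` in LegacyAliasBlockFile.cpp and PCMAliasBlockFile.cpp. How `len` is used later is outside this hunk, so the acceptable upper bound has to come from the rest of BuildFromXML.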
Index: LegacyAliasBlockFile.cpp
===================================================================
RCS file:
/cvsroot/audacity/audacity-src/src/blockfile/LegacyAliasBlockFile.cpp,v
retrieving revision 1.3
retrieving revision 1.3.6.1
diff -u -d -r1.3 -r1.3.6.1
--- LegacyAliasBlockFile.cpp 15 Jun 2003 07:24:39 -0000 1.3
+++ LegacyAliasBlockFile.cpp 12 Dec 2006 03:27:12 -0000 1.3.6.1
@@ -94,9 +94,22 @@
const char *value = *attrs++;
if( !wxStricmp(attr, "name") )
- summaryFileName.Assign(projDir, value, "");
+ {
+ if (IsGoodFileNameFromXML(value, projDir))
+ summaryFileName.Assign(projDir, value, "");
+ else
+ return NULL;
+ }
if( !wxStricmp(attr, "aliaspath") )
- aliasFileName.Assign(value);
+ {
+ if (IsGoodPathNameFromXML(value))
+ aliasFileName.Assign(value);
+ else if (IsGoodFileNameFromXML(value, projDir))
+ // Allow fallback of looking for the file name, located in the
data directory.
+ aliasFileName.Assign(projDir, value);
+ else
+ return NULL;
+ }
if( !wxStricmp(attr, "aliasstart") )
aliasStart = atoi(value);
if( !wxStricmp(attr, "aliaslen") )
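Review bot: Nothing at the `aliaspath` branch records what `IsGoodPathNameFromXML` is expected to guarantee, and its definition is not part of this diff. Unlike `name`, this value is not confined to `projDir`, so the helper is the only check applied to a path taken from the project file. A comment above the branch should say that, e.g. `// aliaspath is untrusted project-file input and may point outside projDir; IsGoodPathNameFromXML is the only check applied to it.` The fallback `else if` also carries a comment between the condition and its single unbraced statement, so braces around `aliasFileName.Assign(projDir, value);` would make the branch harder to break in a later edit.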
Index: SimpleBlockFile.cpp
===================================================================
RCS file: /cvsroot/audacity/audacity-src/src/blockfile/SimpleBlockFile.cpp,v
retrieving revision 1.8.2.2
retrieving revision 1.8.2.2.2.1
diff -u -d -r1.8.2.2 -r1.8.2.2.2.1
--- SimpleBlockFile.cpp 29 May 2004 04:57:50 -0000 1.8.2.2
+++ SimpleBlockFile.cpp 12 Dec 2006 03:27:12 -0000 1.8.2.2.2.1
@@ -252,8 +252,13 @@
const char *attr = *attrs++;
const char *value = *attrs++;
- if( !strcmp(attr, "filename") )
- fileName.Assign(projDir, value);
+ if( !strcmp(attr, "filename") )
+ {
+ if (IsGoodFileNameFromXML(value, projDir))
+ fileName.Assign(projDir, value);
+ else
+ return NULL;
+ }
if( !strcmp(attr, "len") )
len = atoi(value);
if( !strcmp(attr, "min") )
Index: PCMAliasBlockFile.cpp
===================================================================
RCS file: /cvsroot/audacity/audacity-src/src/blockfile/PCMAliasBlockFile.cpp,v
retrieving revision 1.4.2.1.4.1
retrieving revision 1.4.2.1.4.2
diff -u -d -r1.4.2.1.4.1 -r1.4.2.1.4.2
--- PCMAliasBlockFile.cpp 23 Nov 2006 03:56:21 -0000 1.4.2.1.4.1
+++ PCMAliasBlockFile.cpp 12 Dec 2006 03:27:12 -0000 1.4.2.1.4.2
@@ -38,8 +38,6 @@
{
}
-wxString gProjDir = ""; // Needs to be set in BuildFromXML, so just use a
global instead of a member.
-
/// Reads the specified data from the aliased file, using libsndfile,
/// and converts it to the given sample format.
///
@@ -54,13 +52,7 @@
memset(&info, 0, sizeof(info));
- wxString strFullPath = mAliasedFileName.GetFullPath();
- SNDFILE *sf = sf_open(FILENAME(strFullPath), SFM_READ, &info);
- if (!sf) {
- // Allow fallback of looking for the file name, located in the data
directory.
- strFullPath = gProjDir + "\\" + mAliasedFileName.GetFullName();
- sf = sf_open(FILENAME(strFullPath), SFM_READ, &info);
- }
+ SNDFILE *sf = sf_open(FILENAME(mAliasedFileName.GetFullPath()), SFM_READ,
&info);
if (!sf)
return 0;
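Review bot: Dropping the retry after a failed `sf_open` changes when the data-directory fallback applies. It used to run whenever the aliased file could not be opened; after this commit BuildFromXML uses it only when the stored value fails `IsGoodPathNameFromXML`. A project whose `aliasfile` is a well-formed path to a file that has since moved will now hit `return 0` here instead of finding the copy in the data directory. If that is intended, a comment above the call would record it, e.g. `// No fallback here: the alias path was validated once in BuildFromXML.` The function body starts and ends outside this hunk.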
@@ -135,8 +127,6 @@
BlockFile *PCMAliasBlockFile::BuildFromXML(wxString projDir, const char
**attrs)
{
- gProjDir = projDir;
-
wxFileName summaryFileName;
wxFileName aliasFileName;
int aliasStart=0, aliasLen=0, aliasChannel=0;
@@ -148,20 +138,33 @@
const char *value = *attrs++;
if( !wxStricmp(attr, "summaryfile") )
- summaryFileName.Assign(projDir, value);
- if( !wxStricmp(attr, "aliasfile") )
- aliasFileName.Assign(value);
- if( !wxStricmp(attr, "aliasstart") )
+ {
+ if (IsGoodFileNameFromXML(value, projDir))
+ summaryFileName.Assign(projDir, value);
+ else
+ return NULL;
+ }
+ else if( !wxStricmp(attr, "aliasfile") )
+ {
+ if (IsGoodPathNameFromXML(value))
+ aliasFileName.Assign(value);
+ else if (IsGoodFileNameFromXML(value, projDir))
+ // Allow fallback of looking for the file name, located in the
data directory.
+ aliasFileName.Assign(projDir, value);
+ else
+ return NULL;
+ }
+ else if( !wxStricmp(attr, "aliasstart") )
aliasStart = atoi(value);
- if( !wxStricmp(attr, "aliaslen") )
+ else if( !wxStricmp(attr, "aliaslen") )
aliasLen = atoi(value);
- if( !wxStricmp(attr, "aliaschannel") )
+ else if( !wxStricmp(attr, "aliaschannel") )
aliasChannel = atoi(value);
- if( !wxStricmp(attr, "min") )
+ else if( !wxStricmp(attr, "min") )
min = atoi(value);
- if( !wxStricmp(attr, "max") )
+ else if( !wxStricmp(attr, "max") )
max = atoi(value);
- if( !wxStricmp(attr, "rms") )
+ else if( !wxStricmp(attr, "rms") )
rms = atoi(value);
}
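Review bot: Each `return NULL` in this chain rejects the block silently, so someone opening a tampered or damaged project gets no record of which attribute was refused. A warning before the return would make the rejection visible, e.g. `wxLogWarning("Project file: rejected aliasfile value");`. If the value itself is logged, pass it as a `%s` argument and never as the format string. The same applies to the `return NULL` paths added in LegacyBlockFile.cpp, LegacyAliasBlockFile.cpp and SimpleBlockFile.cpp. The attribute loop starts outside this hunk, and what callers do with a NULL result is not visible here.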