Hello community, here is the log from the commit of package soundtouch for openSUSE:Factory checked in at 2018-09-13 12:09:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/soundtouch (Old) and /work/SRC/openSUSE:Factory/.soundtouch.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "soundtouch" Thu Sep 13 12:09:53 2018 rev:28 rq:633741 version:2.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/soundtouch/soundtouch.changes 2018-03-20 21:51:10.173537373 +0100 +++ /work/SRC/openSUSE:Factory/.soundtouch.new/soundtouch.changes 2018-09-13 12:09:57.862398672 +0200 @@ -1,0 +2,6 @@ +Thu Sep 6 12:29:20 UTC 2018 - Marketa Calabkova <[email protected]> + +- bsc #1103676: CVE-2018-1000223: soundtouch: Heap-based buffer overflow + added patch fix-buffer-overflow.patch + +------------------------------------------------------------------- New: ---- fix-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ soundtouch.spec ++++++ --- /var/tmp/diff_new_pack.qfyUZX/_old 2018-09-13 12:09:58.270398213 +0200 +++ /var/tmp/diff_new_pack.qfyUZX/_new 2018-09-13 12:09:58.274398209 +0200 @@ -32,6 +32,7 @@ BuildRequires: gcc-c++ BuildRequires: libtool BuildRequires: pkgconfig +Patch0: fix-buffer-overflow.patch %description SoundTouch is a C++ audio processing library that allows @@ -73,6 +74,7 @@ tr -d '\r' <README.html >README.html~ touch -r README.html README.html~ mv README.html~ README.html +%patch0 -p1 %build ./bootstrap ++++++ fix-buffer-overflow.patch ++++++ Index: soundtouch/source/SoundStretch/WavFile.cpp =================================================================== --- soundtouch.orig/source/SoundStretch/WavFile.cpp +++ soundtouch/source/SoundStretch/WavFile.cpp @@ -528,12 +528,16 @@ int WavInFile::readHeaderBlock() // read length of the format field if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1; // swap byte order if necessary - _swap32(nLen); // int format_len; - header.format.format_len = nLen; + _swap32(nLen); - // calculate how much length differs from expected + // calculate how much length differs from expected nDump = nLen - ((int)sizeof(header.format) - 8); + // verify that header length isn't smaller than expected structure + if ((nLen < 0) || (nDump < 0)) return -1; + + header.format.format_len = nLen; + // if format_len is larger than expected, read only as much data as we've space for if (nDump > 0) { @@ -569,12 +573,16 @@ int WavInFile::readHeaderBlock() // read length of the fact field if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1; // swap byte order if necessary - _swap32(nLen); // int fact_len; - header.fact.fact_len = nLen; + _swap32(nLen); // calculate how much length differs from expected nDump = nLen - ((int)sizeof(header.fact) - 8); + // verify that fact length isn't smaller than expected structure + if ((nLen < 0) || (nDump < 0)) return -1; + + header.fact.fact_len = nLen; + // if format_len is larger than expected, read only as much data as we've space for if (nDump > 0) {
