Hi,
I've prepared an NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
The proposed debdiffs are attached.
Cheers,
Giuseppe.
diff -u libmodplug-0.7/src/libmodplug/stdafx.h
libmodplug-0.7/src/libmodplug/stdafx.h
--- libmodplug-0.7/src/libmodplug/stdafx.h
+++ libmodplug-0.7/src/libmodplug/stdafx.h
@@ -22,44 +22,42 @@
inline void ProcessPlugins(int n) {}
#else
-
+#if defined(HAVE_CONFIG_H) !defined(CONFIG_H_INCLUDED)
+# include config.h
+# define CONFIG_H_INCLUDED 1
+#endif
+#ifdef HAVE_INTTYPES_H
+# include inttypes.h
+#endif
+#ifdef HAVE_STDINT_H
+# include stdint.h
+#endif
#include stdlib.h
#include stdio.h
#include string.h
-typedef signed char CHAR;
-typedef unsigned char UCHAR;
-typedef unsigned char* PUCHAR;
-typedef unsigned short USHORT;
-#if defined(__x86_64__)
-typedef unsigned int ULONG;
-typedef unsigned int UINT;
-typedef unsigned int DWORD;
-typedef int LONG;
-typedef long LONGLONG;
-typedef int * LPLONG;
-typedef unsigned int * LPDWORD;
-#else
-typedef unsigned long ULONG;
-typedef unsigned long UINT;
-typedef unsigned long DWORD;
-typedef long LONG;
-typedef long long LONGLONG;
-typedef long * LPLONG;
-typedef unsigned long * LPDWORD;
-#endif
-typedef unsigned short WORD;
-typedef unsigned char BYTE;
-typedef unsigned char * LPBYTE;
+typedef int8_t CHAR;
+typedef uint8_t UCHAR;
+typedef uint8_t* PUCHAR;
+typedef uint16_t USHORT;
+typedef uint32_t ULONG;
+typedef uint32_t UINT;
+typedef uint32_t DWORD;
+typedef int32_t LONG;
+typedef int64_t LONGLONG;
+typedef int32_t* LPLONG;
+typedef uint32_t* LPDWORD;
+typedef uint16_t WORD;
+typedef uint8_t BYTE;
+typedef uint8_t* LPBYTE;
typedef bool BOOL;
-typedef char * LPSTR;
-typedef void * LPVOID;
-typedef unsigned short * LPWORD;
-typedef const char * LPCSTR;
-typedef void * PVOID;
+typedef char* LPSTR;
+typedef void* LPVOID;
+typedef uint16_t* LPWORD;
+typedef const char* LPCSTR;
+typedef void* PVOID;
typedef void VOID;
-
inline LONG MulDiv (long a, long b, long c)
{
// if (!c) return 0;
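Review bot: The new typedefs from `typedef int8_t CHAR;` through `typedef uint8_t* LPBYTE;` need the fixed-width types, but `inttypes.h` and `stdint.h` are included only when `HAVE_INTTYPES_H` or `HAVE_STDINT_H` is defined, so a translation unit built without config.h fails at the first typedef with an unhelpful error. A guard after the two conditional includes would make the requirement explicit: `#if !defined(HAVE_INTTYPES_H) && !defined(HAVE_STDINT_H)` / `# error "stdafx.h needs inttypes.h or stdint.h for the fixed-width typedefs"` / `#endif`. A comment above the typedefs should also say why the widths are pinned: presumably the loaders' offset and length checks assume 32-bit `UINT`/`DWORD` arithmetic, while the removed `#else` branch made these types `unsigned long` on every non-x86_64 target. That narrowing changes the type sizes on other LP64 architectures, so if this header is installed for library users the upload may alter the ABI there; this cannot be confirmed from the hunk. The operators and angle brackets appear to have been lost from this copy of the patch (e.g. `defined(HAVE_CONFIG_H) !defined(CONFIG_H_INCLUDED)`), so the applied patch should be checked against the original attachment.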
diff -u libmodplug-0.7/debian/changelog libmodplug-0.7/debian/changelog
--- libmodplug-0.7/debian/changelog
+++ libmodplug-0.7/debian/changelog
@@ -1,3 +1,11 @@
+libmodplug (1:0.7-5.3) oldstable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed CSoundFile::ReadMed() Integer Overflow in src/load_med.cp
+(Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano giuse...@iuculano.it Sat, 02 May 2009 18:16:49 +0200
+
libmodplug (1:0.7-5.2) unstable; urgency=medium
* Non-maintainer upload.
only in patch2:
unchanged:
--- libmodplug-0.7.orig/src/load_med.cpp
+++ libmodplug-0.7/src/load_med.cpp
@@ -692,21 +692,24 @@
}
}
// Song Comments
- UINT annotxt = bswapBE32(pmex-annotxt);
- UINT annolen = bswapBE32(pmex-annolen);
- if ((annotxt) (annolen) (annotxt+annolen = dwMemLength))
+ uint32_t annotxt = bswapBE32(pmex-annotxt);
+ uint32_t annolen = bswapBE32(pmex-annolen);
+ if ((annotxt) (annolen) (annotxt + annolen annotxt) //
overflow checks.
+(annotxt+annolen = dwMemLength))
{
m_lpszSongComments = new char[annolen+1];
memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
m_lpszSongComments[annolen] = 0;
}
// Song Name
- UINT songname = bswapBE32(pmex-songname);
- UINT songnamelen = bswapBE32(pmex-songnamelen);
- if ((songname) (songnamelen) (songname+songnamelen =
dwMemLength))
+ uint32_t songname = bswapBE32(pmex-songname);
+ uint32_t songnamelen = bswapBE32(pmex-songnamelen);
+ if ((songname) (songnamelen) (songname+songnamelen
songname)
+(songname+songnamelen = dwMemLength))
{
if (songnamelen 31) songnamelen = 31;
memcpy(m_szNames[0], lpStream+songname, songnamelen);
+ m_szNames[0][31] = '\0';
}
// Sample Names
DWORD smpinfoex = bswapBE32(pmex-iinfo);
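Review bot: The added `m_szNames[0][31] = '\0';` terminates the song name at a fixed index rather than at the copied length, so when `songnamelen` is below 31 the bytes between the copied name and index 31 are whatever the buffer already held; unless `m_szNames[0]` is zeroed earlier (not visible here), the name can carry stale trailing data. Terminating at the length is tighter: `m_szNames[0][songnamelen] = '\0';`, which stays in bounds because `songnamelen` is clamped to 31 on the line above. The two range checks in this hunk still form `offset + length` and then test for wrap-around, whereas the next hunk compares against `dwMemLength - (ientries*ientrysz)`; the subtraction form here as well (`annolen <= dwMemLength - annotxt` after `annotxt <= dwMemLength`) would avoid the wrapping sum entirely and keep the checks uniform. The comparison operators are missing from this copy of the patch, so the exact conditions should be confirmed against the original attachment; the enclosing function starts and ends outside the hunk.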
@@ -716,14 +719,18 @@
UINT ientries = bswapBE16(pmex-i_ext_entries);
UINT ientrysz = bswapBE16(pmex-i_ext_entrsz);
- if ((iinfoptr) (ientrysz 256) (iinfoptr +
ientries*ientrysz dwMemLength))
+ if ((iinfoptr) (ientrysz 256)
+(ientries*ientrysz dwMemLength)
+(iinfoptr dwMemLength - (ientries*ientrysz)))
{
LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
UINT maxnamelen = ientrysz;
+ // copy a max of 32 bytes.
if (maxnamelen