File taglib-CVE-2018-11439.patch of Package taglib.7688

References: https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278
From: Karol Babioch <kbabioch@suse.de>
Date: Wed Jun  6 11:00:43 CEST 2018
Subject: Backported fix for CVE-2018-11439
Upstream: submitted

Index: taglib-1.9.1/taglib/ogg/flac/oggflacfile.cpp
===================================================================
--- taglib-1.9.1.orig/taglib/ogg/flac/oggflacfile.cpp
+++ taglib-1.9.1/taglib/ogg/flac/oggflacfile.cpp
@@ -218,9 +218,21 @@ void Ogg::FLAC::File::scan()
 
   if (!metadataHeader.startsWith("fLaC"))  {
     // FLAC 1.1.2+
-    if (metadataHeader.mid(1,4) != "FLAC") return;
+    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+    if(metadataHeader.size() < 13)
+      return;
 
-    if (metadataHeader[5] != 1) return; // not version 1
+    if(metadataHeader[0] != 0x7f)
+      return;
+
+    if (metadataHeader.mid(1,4) != "FLAC")
+      return;
+
+    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+      return; // not version 1.0
+
+    if(metadataHeader.mid(9, 4) != "fLaC")
+      return;
 
     metadataHeader = metadataHeader.mid(13);
   }
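Review bot: The version check `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)` returns only when both bytes mismatch, so a header with major version 2 and minor 0 (or major 1 with any minor) now passes, whereas the removed line rejected every major version other than 1. To match the `// not version 1.0` comment it should read `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`. The added `size() < 13` guard covers the indexed reads up to byte 12, but a header of exactly 13 bytes leaves `metadataHeader` empty after `mid(13)`. scan() continues outside this hunk, so confirm that the code that follows checks the remaining length before it reads the metadata block header.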