File soundtouch-fix-buffer-overflow.patch of Package soundtouch.9257
Index: soundtouch/source/SoundStretch/WavFile.cpp
===================================================================
--- soundtouch.orig/source/SoundStretch/WavFile.cpp
+++ soundtouch/source/SoundStretch/WavFile.cpp
@@ -527,12 +527,16 @@ int WavInFile::readHeaderBlock()
// read length of the format field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int format_len;
- header.format.format_len = nLen;
+ _swap32(nLen);
- // calculate how much length differs from expected
+ // calculate how much length differs from expected
nDump = nLen - ((int)sizeof(header.format) - 8);
+ // verify that header length isn't smaller than expected structure
+ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
{
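Review bot: The added bounds check runs after `nDump = nLen - ((int)sizeof(header.format) - 8);`, so for a file-supplied `nLen` near INT_MIN the subtraction has already overflowed a signed int (undefined behaviour) before `nLen < 0` is tested. Rejecting the negative length first avoids depending on how the overflow wraps: put `if (nLen < 0) return -1;` directly after `_swap32(nLen);` and keep `if (nDump < 0) return -1;` after the subtraction. This assumes `nLen` and `nDump` are plain `int`, as the `fread(&nLen, sizeof(int), ...)` call and the signed comparisons suggest; their declarations are outside the hunk. The body of the `if (nDump > 0)` branch is also outside the hunk, so how an oversized `format_len` is consumed or skipped cannot be checked from here.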