File libsndfile-CVE-2011-2696.diff of Package libsndfile.import4900
=== modified file 'ChangeLog'
---
src/common.h | 1 +
src/paf.c | 7 +++++--
src/sndfile.c | 1 +
3 files changed, 7 insertions(+), 2 deletions(-)
--- a/src/common.h
+++ b/src/common.h
@@ -557,6 +557,7 @@
SFE_PAF_VERSION,
SFE_PAF_UNKNOWN_FORMAT,
SFE_PAF_SHORT_HEADER,
+ SFE_PAF_BAD_CHANNELS,
SFE_SVX_NO_FORM,
SFE_SVX_NO_BODY,
--- a/src/paf.c
+++ b/src/paf.c
@@ -163,6 +163,9 @@
{ PAF_FMT paf_fmt ;
int marker ;
+ if (psf->filelength < PAF_HEADER_LENGTH)
+ return SFE_PAF_SHORT_HEADER ;
+
memset (&paf_fmt, 0, sizeof (paf_fmt)) ;
psf_binheader_readf (psf, "pm", 0, &marker) ;
@@ -199,8 +202,8 @@
psf->endian = SF_ENDIAN_BIG ;
} ;
- if (psf->filelength < PAF_HEADER_LENGTH)
- return SFE_PAF_SHORT_HEADER ;
+ if (paf_fmt.channels > SF_MAX_CHANNELS)
+ return SFE_PAF_BAD_CHANNELS ;
psf->datalength = psf->filelength - psf->dataoffset ;
--- a/src/sndfile.c
+++ b/src/sndfile.c
@@ -173,6 +173,7 @@
{ SFE_PAF_VERSION , "Error in PAF file, bad version." },
{ SFE_PAF_UNKNOWN_FORMAT , "Error in PAF file, unknown format." },
{ SFE_PAF_SHORT_HEADER , "Error in PAF file. File shorter than minimal header." },
+ { SFE_PAF_BAD_CHANNELS , "Error in PAF file. Bad channel count." },
{ SFE_SVX_NO_FORM , "Error in 8SVX / 16SV file, no 'FORM' marker." },
{ SFE_SVX_NO_BODY , "Error in 8SVX / 16SV file, no 'BODY' marker." },