author | root <root@rshg054.dnsready.net> | 2013-09-06 01:39:14 -0700 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2013-09-06 01:39:14 -0700 |
commit | 670cfaf55e53f7380ca8ee7b4acb2bf0248685c4 (patch) | |
tree | 93a452c84aa492d51f56911d74a8fcbbd496b550 /extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch | |
parent | f7a2cf07dfae6a6707525e05f4f7f1998b382c4d (diff) |
Fri Sep 6 01:39:05 PDT 2013
Diffstat (limited to 'extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch')
-rw-r--r-- | extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch b/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch
new file mode 100644
index 000000000..288b44d13
--- /dev/null
+++ b/extra/libmodplug/libmodplug-CVE-2013-4233-Fix.patch
@@ -0,0 +1,42 @@
+From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
+From: Konstanty Bialkowski <konstanty@ieee.org>
+Date: Wed, 14 Aug 2013 14:15:27 +1000
+Subject: [PATCH] CVE-2013-4233 Fix
+
+Integer overflow in j variable
+
+-- reported by Florian "Agix" Gaultier
+---
+ libmodplug/src/load_abc.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
+index 9f4b328..ecb7b62 100644
+--- a/libmodplug/src/load_abc.cpp
++++ b/libmodplug/src/load_abc.cpp
+@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
+
+ static void abc_set_parts(char **d, char *p)
+ {
+- int i,j,k,m,n;
++ int i,j,k,m,n,size;
+ char *q;
+ #ifdef NEWMIKMOD
+ static MM_ALLOC *h;
+@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p)
+ i += n-1;
+ }
+ }
+- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case
++ size = (j + 1) > 0 ? j+1 : j;
++ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case
+ // now copy bytes from p to *d, taking parens and digits in account
+ j = 0;
+- for( i=0; p[i] && p[i] != '%'; i++ ) {
++ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
+ if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
+ if( p[i] == ')' ) {
+ for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q
+--
+1.8.4
+ |
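Review bot: The guard `size = (j + 1) > 0 ? j+1 : j;` in `abc_set_parts` detects the overflow by performing it: `j + 1` on an `int` equal to `INT_MAX` is undefined behaviour, so a compiler may fold the test away, and if `j` is already negative (presumably from wrapping in the counting loop above, which is outside this hunk) `size` stays negative and is handed to `_mm_calloc` as the element count. The result `q` is then indexed (`q[n-1]`) with no NULL check in the visible lines, so a failed allocation still reaches the copy loop whenever `size` is positive. Checking the range before doing the arithmetic, e.g. `if( j < 0 || j == INT_MAX ) return;` (or whatever failure path the function already uses) followed by `if( !q ) return;`, would cover both cases. The added `j < size` bound is evaluated once per outer iteration; the loop body continues past the end of the hunk, and if the `)` branch writes several bytes per iteration the same bound would need to be repeated inside it.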