diff options
Diffstat (limited to 'extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch')
| -rw-r--r-- | extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch b/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch deleted file mode 100644 index c4b105d19..000000000 --- a/extra/libmodplug/libmodplug-CVE-2013-4234-Fix.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001 -From: Konstanty Bialkowski <konstanty@ieee.org> -Date: Wed, 14 Aug 2013 15:15:09 +1000 -Subject: [PATCH] CVE-2013-4234 Fix - -Heap overflow in abc_MIDI_drum + abc_MIDI_gchord - --- reported by Florian "Agix" Gaultier ---- - libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++----------- - 1 file changed, 23 insertions(+), 11 deletions(-) - -diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp -index ecb7b62..dd9cc6b 100644 ---- a/libmodplug/src/load_abc.cpp -+++ b/libmodplug/src/load_abc.cpp -@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p) - static int abc_MIDI_drum(const char *p, ABCHANDLE *h) - { - char *q; -- int i,n,m; -+ int i, n, m, len; - while( isspace(*p) ) p++; - if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; - if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; -- n = 0; -+ n = 0; len = 0; - for( q = h->drum; *p && !isspace(*p); p++ ) { - if( !strchr("dz0123456789",*p) ) break; -- *q++ = *p; -- if( !isdigit(*p) ) { -- if( !isdigit(p[1]) ) *q++ = '1'; -+ *q++ = *p; len++; -+ if( !isdigit(*p) && len < sizeof(h->drum)-1 ) { -+ if( !isdigit(p[1]) ) { *q++ = '1'; len ++; } - n++; // count the silences too.... - } -+ if (len >= sizeof(h->drum)-1) { -+ // consume the rest of the input -+ // definitely enough "drum last state" stored. -+ while ( *p && !isspace(*p) ) p++; -+ break; -+ } - } - *q = '\0'; - q = h->drumins; - for( i = 0; i<n; i++ ) { - if( h->drum[i*2] == 'd' ) { -- while( isspace(*p) ) p++; -+ while( *p && isspace(*p) ) p++; - if( !isdigit(*p) ) { - m = 0; -- while( !isspace(*p) ) p++; -+ while( *p && !isspace(*p) ) p++; - } - else - p += abc_getnumber(p,&m); -@@ -3236,10 +3242,10 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) - q = h->drumvol; - for( i = 0; i<n; i++ ) { - if( h->drum[i*2] == 'd' ) { -- while( isspace(*p) ) p++; -+ while( *p && isspace(*p) ) p++; - if( !isdigit(*p) ) { - m = 0; -- while( !isspace(*p) ) p++; -+ while( *p && !isspace(*p) ) p++; - } - else - p += abc_getnumber(p,&m); -@@ -3254,13 +3260,19 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) - static int abc_MIDI_gchord(const char *p, ABCHANDLE *h) - { - char *q; -+ int len = 0; - while( isspace(*p) ) p++; - if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; - if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; - for( q = h->gchord; *p && !isspace(*p); p++ ) { - if( !strchr("fbcz0123456789ghijGHIJ",*p) ) break; -- *q++ = *p; -- if( !isdigit(*p) && !isdigit(p[1]) ) *q++ = '1'; -+ *q++ = *p; len++; -+ if( !isdigit(*p) && len < sizeof(h->gchord)-1 && !isdigit(p[1]) ) { *q++ = '1'; len ++; } -+ if (len >= sizeof(h->gchord)-1) { -+ // consume the rest of the input -+ // definitely enough "drum last state" stored. -+ while ( *p && !isspace(*p) ) p++; -+ } - } - *q = '\0'; - return 0; --- -1.8.4 - |