flac/CVE-2020-22219-0003-Leave-metadata-items-untouched-if-resize-function-fa.patch
2023-08-29 07:17:06 -04:00


From 707dace4bd82cd6042e524c72544ab50de223a10 Mon Sep 17 00:00:00 2001
From: Martijn van Beurden <mvanb1@gmail.com>
Date: Wed, 3 Aug 2022 19:23:46 +0200
Subject: [PATCH] Leave metadata items untouched if resize function fails
Conflict: delete the comment from the include/FLAC/all.h file.
Reference: https://github.com/xiph/flac/commit/707dace4bd82cd6042e524c72544ab50de223a10
---
include/FLAC/metadata.h | 12 ++++++++----
src/libFLAC/metadata_object.c | 36 ++++++++++++++++++++++++-----------
2 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/include/FLAC/metadata.h b/include/FLAC/metadata.h
index aa369054..bf1bffe4 100644
--- a/include/FLAC/metadata.h
+++ b/include/FLAC/metadata.h
@@ -1398,7 +1398,8 @@ FLAC_API FLAC__bool FLAC__metadata_object_application_set_data(FLAC__StreamMetad
/** Resize the seekpoint array.
*
* If the size shrinks, elements will truncated; if it grows, new placeholder
- * points will be added to the end.
+ * points will be added to the end. If this function returns false, the
+ * object is left untouched.
*
* \param object A pointer to an existing SEEKTABLE object.
* \param new_num_points The desired length of the array; may be \c 0.
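Review bot: The new guarantee appears only in the description paragraph; the return-value documentation for this function lies outside the hunk, and if it still says only that false means allocation failure it should carry the same promise, for example `\c false if memory allocation fails (the object is left untouched), else \c true`. Callers decide from that line whether an object is still safe to use or delete after a failed resize, so the contract belongs where the return value is described. The same applies to the three other comment hunks in this header (comment array, index point array, track array). While this paragraph is being edited, the context line `elements will truncated` could become `elements will be truncated`.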
@@ -1611,7 +1612,8 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_set_vendor_string(FLAC__
/** Resize the comment array.
*
* If the size shrinks, elements will truncated; if it grows, new empty
- * fields will be added to the end.
+ * fields will be added to the end. If this function returns false, the
+ * object is left untouched.
*
* \param object A pointer to an existing VORBIS_COMMENT object.
* \param new_num_comments The desired length of the array; may be \c 0.
@@ -1891,7 +1893,8 @@ FLAC_API void FLAC__metadata_object_cuesheet_track_delete(FLAC__StreamMetadata_C
/** Resize a track's index point array.
*
* If the size shrinks, elements will truncated; if it grows, new blank
- * indices will be added to the end.
+ * indices will be added to the end. If this function returns false, the
+ * track object is left untouched.
*
* \param object A pointer to an existing CUESHEET object.
* \param track_num The index of the track to modify. NOTE: this is not
@@ -1977,7 +1980,8 @@ FLAC_API FLAC__bool FLAC__metadata_object_cuesheet_track_delete_index(FLAC__Stre
/** Resize the track array.
*
* If the size shrinks, elements will truncated; if it grows, new blank
- * tracks will be added to the end.
+ * tracks will be added to the end. If this function returns false, the
+ * object is left untouched.
*
* \param object A pointer to an existing CUESHEET object.
* \param new_num_tracks The desired length of the array; may be \c 0.
diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
index 2c7da8db..d6ac3fc5 100644
--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
@@ -952,8 +952,13 @@ FLAC_API FLAC__bool FLAC__metadata_object_seektable_resize_points(FLAC__StreamMe
free(object->data.seek_table.points);
object->data.seek_table.points = 0;
}
- else if ((object->data.seek_table.points = safe_realloc_(object->data.seek_table.points, new_size)) == NULL)
- return false;
+ else {
+ /* Leave object->data.seek_table.points untouched if realloc fails */
+ FLAC__StreamMetadata_SeekPoint *tmpptr;
+ if ((tmpptr = realloc(object->data.seek_table.points, new_size)) == NULL)
+ return false;
+ object->data.seek_table.points = tmpptr;
+ }
/* if growing, set new elements to placeholders */
if (new_size > old_size) {
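Review bot: The assignment inside the `if` condition, with an unbraced `return false;` under it, is harder to audit than it needs to be in a block whose whole purpose is pointer safety. Writing `FLAC__StreamMetadata_SeekPoint *tmpptr = realloc(object->data.seek_table.points, new_size);` followed by `if (tmpptr == NULL) return false;` behaves the same and keeps the failure path on its own line. The comment could also name the invariant being protected rather than only the pointer, e.g. `/* on failure realloc keeps the old block valid, so the array and its stored count stay consistent */`. The same shape is repeated in the three other realloc hunks in this file. The function starts and ends outside the hunk, so the computation of `new_size` and any overflow check on it are not visible here.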
@@ -1207,12 +1212,11 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
object->data.vorbis_comment.comments = 0;
}
else {
- FLAC__StreamMetadata_VorbisComment_Entry *oldptr = object->data.vorbis_comment.comments;
- if ((object->data.vorbis_comment.comments = realloc(object->data.vorbis_comment.comments, new_size)) == NULL) {
- vorbiscomment_entry_array_delete_(oldptr, object->data.vorbis_comment.num_comments);
- object->data.vorbis_comment.num_comments = 0;
+ /* Leave object->data.vorbis_comment.comments untouched if realloc fails */
+ FLAC__StreamMetadata_VorbisComment_Entry *tmpptr;
+ if ((tmpptr = realloc(object->data.vorbis_comment.comments, new_size)) == NULL)
return false;
- }
+ object->data.vorbis_comment.comments = tmpptr;
}
/* if growing, zero all the length/pointers of new elements */
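Review bot: Returning early here keeps the array pointer, but whether the object is really untouched on a failed shrink depends on code above this hunk that is not visible. If the function releases the entries being truncated before it reaches this `realloc`, a failure leaves `num_comments` at its old value while the tail entries have already been freed, and unless their `entry` pointers were nulled a later delete of the object would free them a second time. It is worth confirming that the truncation step either runs after the `realloc` succeeds or resets each freed entry, e.g. `object->data.vorbis_comment.comments[i].entry = 0;`. The same question applies to the track-array hunk at the end of this file, where each track presumably owns its index array.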
@@ -1520,8 +1524,13 @@ FLAC_API FLAC__bool FLAC__metadata_object_cuesheet_track_resize_indices(FLAC__St
free(track->indices);
track->indices = 0;
}
- else if ((track->indices = safe_realloc_(track->indices, new_size)) == NULL)
- return false;
+ else {
+ /* Leave track->indices untouched if realloc fails */
+ FLAC__StreamMetadata_CueSheet_Index *tmpptr;
+ if ((tmpptr = realloc(track->indices, new_size)) == NULL)
+ return false;
+ track->indices = tmpptr;
+ }
/* if growing, zero all the lengths/pointers of new elements */
if (new_size > old_size)
@@ -1615,8 +1624,13 @@ FLAC_API FLAC__bool FLAC__metadata_object_cuesheet_resize_tracks(FLAC__StreamMet
free(object->data.cue_sheet.tracks);
object->data.cue_sheet.tracks = 0;
}
- else if ((object->data.cue_sheet.tracks = safe_realloc_(object->data.cue_sheet.tracks, new_size)) == NULL)
- return false;
+ else {
+ /* Leave object->data.cue_sheet.tracks untouched if realloc fails */
+ FLAC__StreamMetadata_CueSheet_Track *tmpptr;
+ if ((tmpptr = realloc(object->data.cue_sheet.tracks, new_size)) == NULL)
+ return false;
+ object->data.cue_sheet.tracks = tmpptr;
+ }
/* if growing, zero all the lengths/pointers of new elements */
if (new_size > old_size)
--
2.27.0