ports/audio/dumb/patches/patch-src_it_itread_c

Fix heap-based buffer overflow in the it_read_envelope function
(CVE-2006-3668)

--- src/it/itread.c.orig	Mon Aug  8 02:18:41 2005
+++ src/it/itread.c	Fri Oct 11 16:37:22 2013
@@ -292,6 +292,11 @@ static int it_read_envelope(IT_ENVELOPE *envelope, DUM
 
 	envelope->flags = dumbfile_getc(f);
 	envelope->n_nodes = dumbfile_getc(f);
+	if(envelope->n_nodes > 25) {
+		TRACE("IT error: wrong number of envelope nodes (%d)\n", envelope->n_nodes);
+		envelope->n_nodes = 0;
+		return -1;
+	}
 	envelope->loop_start = dumbfile_getc(f);
 	envelope->loop_end = dumbfile_getc(f);
 	envelope->sus_loop_start = dumbfile_getc(f);
SecBSD's official ports repository 2023-08-16 22:26:55 +00:00			`Fix heap-based buffer overflow in the it_read_envelope function`
			`(CVE-2006-3668)`

			`--- src/it/itread.c.orig Mon Aug 8 02:18:41 2005`
			`+++ src/it/itread.c Fri Oct 11 16:37:22 2013`
			`@@ -292,6 +292,11 @@ static int it_read_envelope(IT_ENVELOPE *envelope, DUM`

			`envelope->flags = dumbfile_getc(f);`
			`envelope->n_nodes = dumbfile_getc(f);`
			`+ if(envelope->n_nodes > 25) {`
			`+ TRACE("IT error: wrong number of envelope nodes (%d)\n", envelope->n_nodes);`
			`+ envelope->n_nodes = 0;`
			`+ return -1;`
			`+ }`
			`envelope->loop_start = dumbfile_getc(f);`
			`envelope->loop_end = dumbfile_getc(f);`
			`envelope->sus_loop_start = dumbfile_getc(f);`