[xiph-commits] r3535 - libfishsound/branches/1.0-stable/src/libfishsound

conrad at svn.annodex.net conrad at svn.annodex.net
Sat Apr 5 22:22:20 PDT 2008


Author: conrad
Date: 2008-04-05 22:22:19 -0700 (Sat, 05 Apr 2008)
New Revision: 3535

Modified:
   libfishsound/branches/1.0-stable/src/libfishsound/speex.c
Log:
Fix exploitable condition in Speex mode checking:
The bug is due to insufficient bounds checking in the process_header()
function in libfishsound/speex.c. The header structure is populated from
the memory at buf which is read directly from the Speex (.spx) file being
decoded. Reported by pbeck, via oCERT.


Modified: libfishsound/branches/1.0-stable/src/libfishsound/speex.c
===================================================================
--- libfishsound/branches/1.0-stable/src/libfishsound/speex.c	2008-04-01 21:24:37 UTC (rev 3534)
+++ libfishsound/branches/1.0-stable/src/libfishsound/speex.c	2008-04-06 05:22:19 UTC (rev 3535)
@@ -136,7 +136,7 @@
     return NULL;
   }
 
-  if (header->mode >= SPEEX_NB_MODES) {
+  if (header->mode >= SPEEX_NB_MODES || header->mode < 0) {
     /*
     info_dialog_new ("Speex error", NULL,
 		     "Mode number %d does not (any longer) exist in this version\n",
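Review bot: The changed condition `header->mode >= SPEEX_NB_MODES || header->mode < 0` has no comment saying why a negative value is possible. Per the log, the header is filled straight from the .spx file being decoded, so a short note on that line that `mode` is untrusted input would keep the lower bound from being dropped as redundant later. Writing the test in range order, `header->mode < 0 || header->mode >= SPEEX_NB_MODES`, would also read more clearly. The commented-out `info_dialog_new` text just below still says the mode "does not (any longer) exist in this version", which does not describe a negative mode from a malformed file; if that message is ever revived, it should report an out-of-range mode. Since the log attributes the bug to insufficient bounds checking of a header read from the file, it is worth confirming in the same change that the other header fields used after this check are range-validated too; the hunk only shows `mode`.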


