Description: fix buffer overflow when changing both sample format and number of channels Origin: https://github.com/mpruett/audiofile/pull/25 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721 Bug-Debian: https://bugs.debian.org/801102 Downloaded from https://gitweb.gentoo.org/repo/gentoo.git/tree/media-libs/audiofile/files/audiofile-0.3.6-CVE-2015-7747.patch Signed-off-by: Bernd Kuhls
--- a/libaudiofile/modules/ModuleState.cpp
+++ b/libaudiofile/modules/ModuleState.cpp
@@ -402,7 +402,7 @@ status ModuleState::arrange(AFfilehandle
 addModule(new Transform(outfc, in.pcm, out.pcm));
 if (in.channelCount != out.channelCount)
- addModule(new ApplyChannelMatrix(infc, isReading,
+ addModule(new ApplyChannelMatrix(outfc, isReading,
 in.channelCount, out.channelCount,
 in.pcm.minClip, in.pcm.maxClip,
 track->channelMatrix));
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -26,6 +26,7 @@ TESTS = \
 VirtualFile \
 floatto24 \
 query2 \
+ sixteen-stereo-to-eight-mono \
 sixteen-to-eight \
 testchannelmatrix \
 testdouble \
@@ -139,6 +140,7 @@ printmarkers_SOURCES = printmarkers.c
 printmarkers_LDADD = $(LIBAUDIOFILE) -lm
 sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
+sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
 testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
--- /dev/null
+++ b/test/sixteen-stereo-to-eight-mono.c
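Review bot: Nothing at the `ApplyChannelMatrix` call in ModuleState::arrange (libaudiofile/modules/ModuleState.cpp) records why the format code has to be `outfc`, and the patch description ties this one-word choice to a buffer overflow, so the invariant deserves a comment above the call. Something like `// Samples reaching this stage are already in the output format; the matrix stage must use outfc, not infc.` would do, assuming the preceding `Transform(outfc, in.pcm, out.pcm)` means what it appears to mean. The clip bounds two lines further down are still `in.pcm.minClip, in.pcm.maxClip`; if ApplyChannelMatrix clips with them after a transform to `out.pcm` has run, they presumably want to be `out.pcm.minClip, out.pcm.maxClip`, which needs checking against the class, not visible here. The body of arrange starts and ends outside the hunk.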
@@ -0,0 +1,118 @@
+/*
+ Audio File Library
+
+ Copyright 2000, Silicon Graphics, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+/*
+ sixteen-stereo-to-eight-mono.c
+
+ This program tests the conversion from 2-channel 16-bit integers to
+ 1-channel 8-bit integers.
+*/
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+#include "TestUtilities.h"
+
+int main (int argc, char **argv)
+{
+ AFfilehandle file;
+ AFfilesetup setup;
+ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921};
+ int8_t frames8[] = {28, 6, -2};
+ int i, frameCount = 3;
+ int8_t byte;
+ AFframecount result;
+
+ setup = afNewFileSetup();
+
+ afInitFileFormat(setup, AF_FILE_WAVE);
+
+ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16);
+ afInitChannels(setup, AF_DEFAULT_TRACK, 2);
+
+ char *testFileName;
+ if (!createTemporaryFile("sixteen-to-eight", &testFileName))
+ {
+ fprintf(stderr, "Could not create temporary file.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ file = afOpenFile(testFileName, "w", setup);
+ if (file == AF_NULL_FILEHANDLE)
+ {
+ fprintf(stderr, "could not open file for writing\n");
+ exit(EXIT_FAILURE);
+ }
+
+ afFreeFileSetup(setup);
+
+ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount);
+
+ afCloseFile(file);
+
+ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP);
+ if (file == AF_NULL_FILEHANDLE)
+ {
+ fprintf(stderr, "could not open file for reading\n");
+ exit(EXIT_FAILURE);
+ }
+
+ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8);
+ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1);
+
+ for (i=0; i