libid3tag: patch for CVE-2004-2779
|
|
The patch comes from
|
https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch
|
|
Upstream-Status: Pending
|
|
CVE: CVE-2004-2779
|
CVE: CVE-2017-11551
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
|
diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c
|
--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
|
+++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
|
@@ -282,5 +282,18 @@
|
|
free(utf16);
|
|
+ if (end == *ptr && length % 2 != 0)
|
+ {
|
+ /* We were called with a bogus length. It should always
|
+ * be an even number. We can deal with this in a few ways:
|
+ * - Always give an error.
|
+ * - Try and parse as much as we can and
|
+ * - return an error if we're called again when we
|
+ * already tried to parse everything we can.
|
+ * - tell that we parsed it, which is what we do here.
|
+ */
|
+ (*ptr)++;
|
+ }
|
+
|
return ucs4;
|
}
|
