summaryrefslogblamecommitdiff
path: root/user/libid3tag/CVE-2004-2779.patch
blob: b7e1e22809fb16444d551599f00b5a1203919b1c (plain) (tree)































                                                                          
Lifted from Debian:
https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/

Also fixes:

CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10

Handle bogus UTF16 sequences that have a length that is not
an even number of 8 bit characters.

--- libid3tag-0.15.1b/utf16.c	2006-01-13 15:26:29.000000000 +0100
+++ libid3tag-0.15.1b/utf16.c	2006-01-13 15:27:19.000000000 +0100
@@ -282,5 +282,18 @@
 
   free(utf16);
 
+  if (end == *ptr && length % 2 != 0)
+  {
+     /* We were called with a bogus length.  It should always
+      * be an even number.  We can deal with this in a few ways:
+      * - Always give an error.
+      * - Try and parse as much as we can and
+      *   - return an error if we're called again when we
+      *     already tried to parse everything we can.
+      *   - tell that we parsed it, which is what we do here.
+      */
+     (*ptr)++;
+  }
+
   return ucs4;
 }