authorMax Rees <maxcrees@me.com>2019-08-04 02:28:57 -0500
committerMax Rees <maxcrees@me.com>2019-08-04 02:28:57 -0500
commitf66041941e3b1ab8ec01bad5b41717f75c65c8db (patch)
tree3bebce46e89218789ac81321d6334c383d579886 /user/libid3tag/CVE-2004-2779.patch
parentaa1a18ae17509f67feccf03066c61f3266a44ece (diff)
user/libid3tag: CVE-2017-11550, change fix for CVE-2008-2109 (#126)
Diffstat (limited to 'user/libid3tag/CVE-2004-2779.patch')
-rw-r--r--user/libid3tag/CVE-2004-2779.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/user/libid3tag/CVE-2004-2779.patch b/user/libid3tag/CVE-2004-2779.patch
new file mode 100644
index 000000000..b7e1e2280
--- /dev/null
+++ b/user/libid3tag/CVE-2004-2779.patch
@@ -0,0 +1,32 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/
+
+Also fixes:
+
+CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
+CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10
+
+Handle bogus UTF16 sequences that have a length that is not
+an even number of 8 bit characters.
+
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
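Review bot: The added guard `if (end == *ptr && length % 2 != 0)` only fires when the decode loop ran all the way to `end`, so an odd-length field whose decoding stopped earlier (for example at a terminator, if the loop above does that) still leaves `*ptr` short of the field's true end, and whether the caller then makes progress past the leftover byte cannot be judged from this hunk, because the enclosing function starts above it and the hunk header carries no function name. The `(*ptr)++` presumably relies on `end` having been computed as the even-rounded end of the field, so that it steps over exactly one dangling byte rather than past the buffer; confirm that against the `end = ...` assignment above the hunk before accepting the Debian comment's "tell that we parsed it" rationale. Since the patch file's leading description is the only place this is documented, it should name the patched function and the invariant relied on, e.g. `Relies on end being rounded down to an even offset; (*ptr)++ then consumes the single trailing byte so callers see the whole field as parsed.` Note also that the embedded `---`/`+++` headers carry the `libid3tag-0.15.1b/` prefix, so the build recipe must apply this patch with the matching strip level or it will not apply.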