changeset 527:b5ddeebce808

Check if Speex header has bogus data (CVE-2008-1686).
author Ryan C. Gordon <icculus@icculus.org>
date Fri, 11 Apr 2008 19:53:57 +0000
parents 2df1f5c62d38
children ff4ada280780
files CHANGELOG decoders/speex.c
diffstat 2 files changed, 2 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGELOG	Mon Aug 06 09:44:02 2007 +0000
+++ b/CHANGELOG	Fri Apr 11 19:53:57 2008 +0000
@@ -2,6 +2,7 @@
  * CHANGELOG.
  */
 
+04112008 - Check if Speex header has bogus data (CVE-2008-1686).
 08062007 - Updated my email address. Added -fvisibility=hidden support.
 07152007 - Minor correction in Timidity resampling code (Thanks, Sam!).
 07062007 - Fixed uninitialized buffer in mpglib. (Thanks, Phil!).
--- a/decoders/speex.c	Mon Aug 06 09:44:02 2007 +0000
+++ b/decoders/speex.c	Fri Apr 11 19:53:57 2008 +0000
@@ -136,6 +136,7 @@
     free(hptr);  /* lame that this forces you to malloc... */
 
     BAIL_IF_MACRO(header.mode >= SPEEX_NB_MODES, "SPEEX: Unknown mode", 0);
+    BAIL_IF_MACRO(header.mode < 0, "SPEEX: Unknown mode", 0);
     mode = speex_mode_list[header.mode];
     BAIL_IF_MACRO(header.speex_version_id > 1, "SPEEX: Unknown version", 0);
     BAIL_IF_MACRO(mode->bitstream_version < header.mode_bitstream_version,