[PD-cvs] externals/ggee/signal streamin~.c,1.9,1.10

Russell Bryant russellbryant at users.sourceforge.net
Sun Jan 6 15:20:06 CET 2008


Update of /cvsroot/pure-data/externals/ggee/signal
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv31630/signal

Modified Files:
	streamin~.c 
Log Message:
Fix a security issue.

streamin~ was vulnerable to a remotely exploitable heap buffer overflow that
could potentially allow an attacker to execute arbitrary code on a machine 
that is using streamin~.  The issue is that the defined frame header includes 
a field for frame size which indicates how much additional data is available.
However, this frame size was not checked to ensure that it was smaller than
the size of the buffer that was allocated to store this data.

(one of my patches from issue #1848356)


Index: streamin~.c
===================================================================
RCS file: /cvsroot/pure-data/externals/ggee/signal/streamin~.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -d -r1.9 -r1.10
*** streamin~.c	3 Jul 2007 11:04:57 -0000	1.9
--- streamin~.c	6 Jan 2008 14:20:04 -0000	1.10
***************
*** 157,160 ****
--- 157,166 ----
  	  ret = recv(x->x_socket, (char*) &x->frames[x->framein].tag,sizeof(t_tag),0);
  
+ 	  if ((x->frames[x->framein].tag.framesize - sizeof(t_tag)) > MAXFRAMESIZE) {
+ 	   error("streamin~: got an invalid frame size of %d, maximum is %d\n",
+ 	           x->frames[x->framein].tag.framesize, MAXFRAMESIZE);
+ 	   x->frames[x->framein].tag.framesize = MAXFRAMESIZE + sizeof(t_tag);
+ 	  }
+ 
  	  x->nbytes = n = x->frames[x->framein].tag.framesize;
       }
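Review bot: the clamp at `x->frames[x->framein].tag.framesize = MAXFRAMESIZE + sizeof(t_tag);` lets processing continue with a substituted length after the header has already been found invalid, so the receiver goes on to read a full-size frame from a peer that framed its data differently. Treating this as a protocol error (report it, close the socket, return) would be safer than carrying on. Two smaller points: the new test reads `tag.framesize` directly after `recv()` without consulting `ret` in the lines shown, so a short or failed read would be validated against whatever the header slot held before. Also, because `sizeof` yields an unsigned `size_t`, `framesize - sizeof(t_tag)` wraps to a very large value when framesize is smaller than the header, and that case is caught only as a side effect; an explicit lower-bound comparison alongside the upper bound would make it intentional.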




