From: dam [...] cpan.org
Subject: [PATCH] stack corruption in discid_put
In Debian we are currently applying the following patch to
MusicBrainz-DiscID.
We thought you might be interested in it too.
Description: stack corruption in discid_put
This patch fixes two ways to corrupt the stack. One is by supplying
more than 99 offset arguments. The offsets array is declared with space
for 100 elements, but the first is reserved for the sectors argument.
The patch addresses this by limiting the filling of offsets[] to 99 elements
(plus the sectors argument which is in offsets[0]). It relies on libdiscid
to return false if the request was for more than 99 offsets.
.
The second stack corruption is because of a typo in the initialization
for() loop. Because of that, the for loop is essentially reduced to
"i=100" and the following line (not part of the loop) sets
offsets[100], which is beyond the allocated space for the array. Using
memset is safer and probably faster.
Author: Damyan Ivanov <dmn@debian.org>
Bug-Debian: https://bugs.debian.org/758216
The patch is tracked in our Git repository at
https://anonscm.debian.org/cgit/pkg-perl/packages/libmusicbrainz-discid-perl.git/plain/debian/patches/stack-corruption-discid_put.patch
Thanks for considering,
Damyan Ivanov,
Debian Perl Group
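Added illustration of the bounded fill the mail describes, written for this note and not taken from the mail or from the MusicBrainz-DiscID module itself; the function name fill_offsets, the MAX_OFFSETS constant and the argument layout are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 100 slots, as in the array described in the mail; offsets[0] is reserved
 * for the sectors argument, so at most 99 track offsets fit in offsets[1..99]. */
#define MAX_OFFSETS 100

/* Hypothetical stand-in for the argument-marshalling part of discid_put.
 * Copies `sectors` into offsets[0] and up to 99 offsets into offsets[1..99].
 * Returns false instead of writing past the array when more than 99 offsets
 * are supplied, mirroring libdiscid's own refusal of such a request. */
bool fill_offsets(int offsets[MAX_OFFSETS], int sectors,
                  const int *args, size_t nargs)
{
    /* A single memset replaces the mistyped for() loop: the original loop
     * body never ran and the statement after it wrote offsets[100], one
     * element past the end of the array. */
    memset(offsets, 0, MAX_OFFSETS * sizeof offsets[0]);
    offsets[0] = sectors;

    if (nargs > MAX_OFFSETS - 1)
        return false;               /* would overflow offsets[] on the stack */

    for (size_t i = 0; i < nargs; i++)
        offsets[i + 1] = args[i];   /* offsets[1..nargs] */
    return true;
}

int main(void)
{
    int offsets[MAX_OFFSETS];
    const int three[] = { 150, 20000, 40000 };   /* constructed sample offsets */
    int many[MAX_OFFSETS] = { 0 };               /* 100 offsets: one too many */

    printf("3 offsets:   %s\n", fill_offsets(offsets, 95000, three, 3) ? "ok" : "rejected");
    printf("100 offsets: %s\n", fill_offsets(offsets, 95000, many, 100) ? "ok" : "rejected");
    return 0;
}
```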