
libmikmod-3.2.0-11.beta2.fc13.src.rpm

#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2009-3995f.dpatch by  <aw@linux.de>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch for CVE-2009-3995 and CVE-2009-3996

@DPATCH@

diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c
--- libmikmod-3.1.11/loaders/load_it.c	2010-05-31 14:10:34.000000000 +0200
+++ libmikmod-3.1.11-fixed/loaders/load_it.c	2010-05-31 14:10:10.000000000 +0200
@@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious)
 #endif
 
 				IT_ProcessEnvelope(vol);
+				/* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
+				if (ih.volpts>= ENVPOINTS)
+					ih.volpts = ENVPOINTS-1;
+
 				for(u=0;u<ih.volpts;u++)
 					d->volenv[u].val=(ih.volnode[u]<<2);
 
diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c
--- libmikmod-3.1.11/loaders/load_ult.c	2010-05-31 14:10:34.000000000 +0200
+++ libmikmod-3.1.11-fixed/loaders/load_ult.c	2010-05-31 14:10:10.000000000 +0200
@@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious)
 	for(u=0;u<of.numchn;u++)
 		for(t=0;t<of.numpat;t++)
 			of.patterns[(t*of.numchn)+u]=tracks++;
+	/* fix for CVE-2009-3996 - snatched from SuSe's fix -- AW */
+    if (of.numchn>=UF_MAXCHAN)
+		of.numchn=UF_MAXCHAN - 1;
 
 	/* read pan position table for v1.5 and higher */
 	if(mh.id[14]>='3') {
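Review bot: The clamp on `of.numchn` comes after the loop directly above it has already filled `of.patterns[(t*of.numchn)+u]` with the unclamped value, so when the clamp fires the pattern table keeps the old channel stride while every later use of `of.numchn` sees the new one. Anything sized or indexed from `of.numchn` earlier in ULT_Load (not visible in this hunk) is likewise unprotected. The check belongs where the channel count is first read from the file, ahead of any allocation or loop that depends on it, and failing the load there is safer than silently continuing with a truncated count. If the per-channel arrays hold `UF_MAXCHAN` entries (presumably; confirm against the header), the test should be `if (of.numchn > UF_MAXCHAN)` so that a file with exactly `UF_MAXCHAN` channels is not altered. ULT_Load's body starts and ends outside the hunk.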
--- libmikmod-3.2.0-beta2/loaders/load_it.c.orig	2010-07-22 16:02:16.000000000 +0200
+++ libmikmod-3.2.0-beta2/loaders/load_it.c	2010-07-22 16:07:48.000000000 +0200
@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
 #define IT_LoadEnvelope(name,type) 										\
 				ih. name##flg   =_mm_read_UBYTE(modreader);				\
 				ih. name##pts   =_mm_read_UBYTE(modreader);				\
+				if (ih. name##pts > ITENVCNT)							\
+					ih. name##pts = ITENVCNT;							\
 				ih. name##beg   =_mm_read_UBYTE(modreader);				\
 				ih. name##end   =_mm_read_UBYTE(modreader);				\
 				ih. name##susbeg=_mm_read_UBYTE(modreader);				\
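Review bot: Clamping `name##pts` to `ITENVCNT` bounds accesses to the `ih.*node` arrays, but the copy loop later in IT_Load writes `d->volenv[u]`, which is presumably sized by `ENVPOINTS` (going by the check this patch removes there), not by `ITENVCNT`. That is only safe if `ITENVCNT <= ENVPOINTS`, which the diff does not show; I would pin it next to the macro with a compile-time check, or at least a comment such as `/* CVE-2009-3995: pts indexes ih.*node[ITENVCNT] and d->*env[ENVPOINTS]; requires ITENVCNT <= ENVPOINTS */`. The `beg`/`end`/`susbeg` bytes read right after the clamp are also file-controlled and are not range-checked against `pts` in the visible lines, so it is worth confirming they are validated before being used as envelope indices. The same points apply to the `name/**/pts` variant of the macro in the next hunk. The macro definition continues outside the hunk.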
@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
 #define IT_LoadEnvelope(name,type) 										\
 				ih. name/**/flg   =_mm_read_UBYTE(modreader);			\
 				ih. name/**/pts   =_mm_read_UBYTE(modreader);			\
+				if (ih. name/**/pts > ITENVCNT)							\
+					ih. name/**/pts = ITENVCNT;							\
 				ih. name/**/beg   =_mm_read_UBYTE(modreader);			\
 				ih. name/**/end   =_mm_read_UBYTE(modreader);			\
 				ih. name/**/susbeg=_mm_read_UBYTE(modreader);			\
@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
 #endif
 
 				IT_ProcessEnvelope(vol);
-				/* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
-				if (ih.volpts>= ENVPOINTS)
-					ih.volpts = ENVPOINTS-1;
-
 				for(u=0;u<ih.volpts;u++)
 					d->volenv[u].val=(ih.volnode[u]<<2);