author | Christian Weisgerber <naddy@FreeBSD.org> | 2015-09-09 20:07:01 +0000 |
---|---|---|
committer | Christian Weisgerber <naddy@FreeBSD.org> | 2015-09-09 20:07:01 +0000 |
commit | fc5475730b2a3cded6cd0fbbf03e22de3e379d4f (patch) | |
tree | 877f191912f16106fecf14a78e7f7628e8ca197e /audio/vorbis-tools | |
parent | 666b842182ad04983a12e4f6dced66591eaa5d21 (diff) |
Fix oggenc buffer overflow.
PR: 202941
Submitted by: junovitch
Obtained from: https://trac.xiph.org/ticket/2212
Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8
Security: CVE-2015-6749
MFH: 2015Q3
Notes:
svn path=/head/; revision=396532
Diffstat (limited to 'audio/vorbis-tools')
-rw-r--r-- | audio/vorbis-tools/Makefile | 2 | ||||
-rw-r--r-- | audio/vorbis-tools/files/patch-oggenc_audio.c | 26 |
2 files changed, 27 insertions, 1 deletions
diff --git a/audio/vorbis-tools/Makefile b/audio/vorbis-tools/Makefile
index a30baa28de29..9a480815f3c2 100644
--- a/audio/vorbis-tools/Makefile
+++ b/audio/vorbis-tools/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= vorbis-tools
 PORTVERSION= 1.4.0
-PORTREVISION= 8
+PORTREVISION= 9
 PORTEPOCH= 3
 CATEGORIES= audio
 MASTER_SITES= http://downloads.xiph.org/releases/vorbis/
diff --git a/audio/vorbis-tools/files/patch-oggenc_audio.c b/audio/vorbis-tools/files/patch-oggenc_audio.c
new file mode 100644
index 000000000000..067475093247
--- /dev/null
+++ b/audio/vorbis-tools/files/patch-oggenc_audio.c
@@ -0,0 +1,26 @@
+--- oggenc/audio.c.orig 2010-03-24 08:27:14 UTC
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len, readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt,
+ return 0; /* Weird common chunk */
+ }
+ 
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0; |
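Review bot: The new `unsigned char buffer[22];` replaces the attacker-sized `alloca(len)` with a fixed stack buffer but leaves the size unexplained, and a bounded-read fix that hinges on a magic number is exactly where a later edit could reintroduce the overflow; the declaration should carry a comment stating what the 22 bytes cover, e.g. `unsigned char buffer[22]; /* largest part of the COMM chunk parsed below; extra bytes are skipped, not read */`, and whether it is the 18-byte common chunk plus a 4-byte AIFF-C compression type should be confirmed against the parsing that follows this hunk. Capping the read at `readlen` and skipping the remainder with `seek_forward(in, len-readlen)` is the right treatment for a length taken straight from the input file; `seek_forward` is not declared in this patch, so it is presumably the chunk-skipping helper audio.c already has, which is worth verifying. The `return 0;` on the EOF/seek-failure path still leaves the `aiff` obtained from `malloc(sizeof(aifffile))` a few lines above unfreed (and that malloc is unchecked), so the newly added seek-failure condition inherits the existing leak; `free(aiff); return 0;` would close it on both branches. aiff_open's body continues past the end of this hunk, so the later uses of `buffer` and `len` are not visible here.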