Description: Fix heap buffer overflows when writing strings in binheader
Author: Jörn Heusipp <osmanx@problemloesungsmaschine.de>
Origin: upstream
Applied-Upstream: cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
Last-Update: 2017-07-12
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- libsndfile.orig/src/common.c
+++ libsndfile/src/common.c
@@ -675,15 +675,15 @@
 					/* Write a C string (guaranteed to have a zero terminator). */
 					strptr = va_arg (argptr, char *) ;
 					size = strlen (strptr) + 1 ;
-					size += (size & 1) ;
 
-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
 						return count ;
 
 					if (psf->rwf_endian == SF_ENDIAN_BIG)
-						header_put_be_int (psf, size) ;
+						header_put_be_int (psf, size + (size & 1)) ;
 					else
-						header_put_le_int (psf, size) ;
+						header_put_le_int (psf, size + (size & 1)) ;
+					size += (size & 1) ;
 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
 					psf->header.indx += size ;
 					psf->header.ptr [psf->header.indx - 1] = 0 ;