commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
Author: Bastien Roucariès
Date: Sat Nov 11 15:58:50 2023 +0000
Fix CVE-2022-24599
Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer with a user declared string. Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0' for printf Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
Before under valgrind:
libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
Duration -inf seconds
==896222== Invalid read of size 1
==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
==896222== by 0x10985C: printf (stdio2.h:86)
==896222== by 0x10985C: printfileinfo (printinfo.c:134)
==896222== by 0x10930A: main (sfinfo.c:113)
==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
==896222== by 0x109825: copyrightstring (printinfo.c:163)
==896222== by 0x109825: printfileinfo (printinfo.c:131)
==896222== by 0x10930A: main (sfinfo.c:113)
==896222==
Copyright C
After:
Duration -inf seconds
Copyright C
diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
index 60e6947..f5cf925 100644
--- a/sfcommands/printinfo.c
+++ b/sfcommands/printinfo.c
@@ -37,6 +37,7 @@
 #include
 #include
 #include
+#include
 static char *copyrightstring (AFfilehandle file);
@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
 int i, misccount;
 misccount = afGetMiscIDs(file, NULL);
- miscids = (int *) malloc(sizeof (int) * misccount);
+ if(!misccount)
+ return NULL;
+ miscids = (int *) calloc(misccount, sizeof(int));
+ if(!miscids)
+ return NULL;
 afGetMiscIDs(file, miscids);
 for (i=0; i= INT_MAX -1 ) {
+ goto error;
+ }
+ char *data = (char *) calloc(datasize + 1, 1);
 afReadMisc(file, miscids[i], data, datasize);
 copyright = data;
 break;
 }
-
+error:
 free(miscids);
 return copyright;
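Review bot: The result of the new `char *data = (char *) calloc(datasize + 1, 1);` line is never checked before it is passed to afReadMisc() and stored in copyright, even though the hunk just above checks the miscids allocation the same way; on allocation failure afReadMisc() would write through a null pointer, and calloc will also fail if datasize is negative, since `datasize + 1` is then converted to a huge size_t (whether afGetMiscSize() can return a negative value is not visible here). I would add `if (!data) goto error;` directly after the calloc, and, if negative sizes are possible, widen the guard to `if (datasize < 0 || datasize >= INT_MAX - 1) goto error;` so the INT_MAX check keeps covering the int overflow of `datasize + 1`. The `goto error` path returns copyright unchanged, so it relies on copyright being initialised to NULL in the declarations above this hunk, which are outside it. The hunk header and the start of the for loop are not legible in this rendering, so the context lines between `afGetMiscIDs(file, miscids);` and the INT_MAX check could not be reviewed.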