The attached patch fixes the buffer overrun for the fixed-size header
buffer.
--- snack-2.2.10-dfsg1/generic/jkSoundFile.c 2005-12-14 12:29:38.000000000 +0100
+++ snack-2.2.10-dfsg1+karcher/generic/jkSoundFile.c 2013-01-02 00:29:56.836287036 +0100
@@ -1796,7 +1796,14 @@
GetHeaderBytes(Sound *s, Tcl_Interp *interp, Tcl_Channel ch, char *buf,
int len)
{
- int rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead);
+ int rlen;
+
+ if (len > max(CHANNEL_HEADER_BUFFER, HEADBUF)){
+ Tcl_AppendResult(interp, "Excessive header size", NULL);
+ return TCL_ERROR;
+ }
+
+ rlen = Tcl_Read(ch, &buf[s->firstNRead], len - s->firstNRead);
if (rlen < len - s->firstNRead){
Tcl_AppendResult(interp, "Failed reading header bytes", NULL);
