kumquat-buildroot/package/audiofile/0003-Always-check-the-number-of-coefficients.patch

37 lines
1.1 KiB
Diff
Raw Normal View History

audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837 CVE-2017-6827: A heap-based buffer overflow in the MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted audio file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp https://github.com/mpruett/audiofile/issues/32 CVE-2017-6828: A Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp https://github.com/mpruett/audiofile/issues/31 CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp https://github.com/mpruett/audiofile/issues/36 CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp https://github.com/mpruett/audiofile/issues/37 CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp https://github.com/mpruett/audiofile/issues/39 CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients. http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ https://github.com/mpruett/audiofile/issues/41 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-30 23:03:31 +02:00
From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 12:51:22 +0100
Subject: [PATCH] Always check the number of coefficients
When building the library with NDEBUG, asserts are eliminated
so it's better to always check that the number of coefficients
is inside the array range.
This fixes the 00191-audiofile-indexoob issue in #41
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
libaudiofile/WAVE.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
index 0e81cf7..61f9541 100644
--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
/* numCoefficients should be at least 7. */
assert(numCoefficients >= 7 && numCoefficients <= 255);
+ if (numCoefficients < 7 || numCoefficients > 255)
+ {
+ _af_error(AF_BAD_HEADER,
+ "Bad number of coefficients");
+ return AF_FAIL;
+ }
m_msadpcmNumCoefficients = numCoefficients;
--
2.11.0