NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
28912be4f2
kumquat-buildroot/package/wavpack/0003-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fil.patch
Peter Korsgaard 4de7e07e6e wavpack: add upstream security fixes 
Fixes the following security issues:

CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig
function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service attack or possibly have unspecified other impact
via a maliciously crafted RF64 file.

CVE-2018-7253: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file
of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service
(heap-based buffer over-read) or possibly overwrite the heap via a
maliciously crafted DSDIFF file.

CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of
WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global
buffer over-read), or possibly trigger a buffer overflow or incorrect memory
allocation, via a maliciously crafted CAF file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-28 09:13:53 +01:00

39 lines
1.4 KiB
Diff
Raw Blame History

From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Sat, 10 Feb 2018 16:01:39 -0800
Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file
Fixes CVE-2018-7253
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
cli/dsdiff.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/cli/dsdiff.c b/cli/dsdiff.c
index 410dc1c..c016df9 100644
--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
error_line ("dsdiff file version = 0x%08x", version);
}
else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+ char *prop_chunk;
+
+ if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
+ error_line ("%s is not a valid .DFF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ if (debug_logging_mode)
+ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
+
+ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
bcount != dff_chunk_header.ckDataSize) {
--
2.11.0
Reference in New Issue View Git Blame Copy Permalink