NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
28912be4f2
kumquat-buildroot/package/wavpack/0006-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
Peter Korsgaard bc73055757 wavpack: add upstream security fixes 
Fixes the following security issues:

CVE-2018-10536: An issue was discovered in WavPack 5.1.0 and earlier.  The
WAV parser component contains a vulnerability that allows writing to memory
because ParseRiffHeaderConfig in riff.c does not reject multiple format
chunks.

CVE-2018-10537: An issue was discovered in WavPack 5.1.0 and earlier.  The
W64 parser component contains a vulnerability that allows writing to memory
because ParseWave64HeaderConfig in wave64.c does not reject multiple format
chunks.

CVE-2018-10538: An issue was discovered in WavPack 5.1.0 and earlier for WAV
input.  Out-of-bounds writes can occur because ParseRiffHeaderConfig in
riff.c does not validate the sizes of unknown chunks before attempting
memory allocation, related to a lack of integer-overflow protection within a
bytes_to_copy calculation and subsequent malloc call, leading to
insufficient memory allocation.

CVE-2018-10539: An issue was discovered in WavPack 5.1.0 and earlier for
DSDiff input.  Out-of-bounds writes can occur because
ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown
chunks before attempting memory allocation, related to a lack of
integer-overflow protection within a bytes_to_copy calculation and
subsequent malloc call, leading to insufficient memory allocation.

CVE-2018-10540: An issue was discovered in WavPack 5.1.0 and earlier for W64
input.  Out-of-bounds writes can occur because ParseWave64HeaderConfig in
wave64.c does not validate the sizes of unknown chunks before attempting
memory allocation, related to a lack of integer-overflow protection within a
bytes_to_copy calculation and subsequent malloc call, leading to
insufficient memory allocation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-05-21 17:47:08 +02:00

76 lines
2.7 KiB
Diff
Raw Blame History

From 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Tue, 24 Apr 2018 17:27:01 -0700
Subject: [PATCH] issue #33, sanitize size of unknown chunks before malloc()
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
cli/dsdiff.c | 9 ++++++++-
cli/riff.c | 9 ++++++++-
cli/wave64.c | 9 ++++++++-
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/cli/dsdiff.c b/cli/dsdiff.c
index c016df9..fa56bbb 100644
--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
else { // just copy unknown chunks to output file
int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
- char *buff = malloc (bytes_to_copy);
+ char *buff;
+
+ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+ error_line ("%s is not a valid .DFF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ buff = malloc (bytes_to_copy);
if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
diff --git a/cli/riff.c b/cli/riff.c
index de98c1e..7bddf63 100644
--- a/cli/riff.c
+++ b/cli/riff.c
@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
else { // just copy unknown chunks to output file
int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
- char *buff = malloc (bytes_to_copy);
+ char *buff;
+
+ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+ error_line ("%s is not a valid .WAV file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ buff = malloc (bytes_to_copy);
if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
diff --git a/cli/wave64.c b/cli/wave64.c
index 591d640..fa928a0 100644
--- a/cli/wave64.c
+++ b/cli/wave64.c
@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
}
else { // just copy unknown chunks to output file
int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
- char *buff = malloc (bytes_to_copy);
+ char *buff;
+
+ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+ error_line ("%s is not a valid .W64 file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ buff = malloc (bytes_to_copy);
if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
--
2.11.0
Reference in New Issue View Git Blame Copy Permalink