kumquat-buildroot/package/audiofile/0006-Actually-fail-when-error-occurs-in-parseFormat.patch
Peter Korsgaard bd5f84d301 audiofile: add security patch for CVE-2017-6831
Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp
https://github.com/mpruett/audiofile/issues/35

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-03-31 13:36:26 +02:00

43 lines
1.4 KiB
Diff

From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 18:59:26 +0100
Subject: [PATCH] Actually fail when error occurs in parseFormat
When there's an unsupported number of bits per sample or an invalid
number of samples per block, don't only print an error message using
the error handler, but actually stop parsing the file.
This fixes #35 (also reported at
https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
libaudiofile/WAVE.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
index 0e81cf7..d762249 100644
--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
{
_af_error(AF_BAD_NOT_IMPLEMENTED,
"IMA ADPCM compression supports only 4 bits per sample");
+ return AF_FAIL;
}
int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
{
_af_error(AF_BAD_CODEC_CONFIG,
"Invalid samples per block for IMA ADPCM compression");
+ return AF_FAIL;
}
track->f.sampleWidth = 16;
--
2.11.0