cc00bde57f
CVE-2017-6827: A heap-based buffer overflow in the MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted audio file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp https://github.com/mpruett/audiofile/issues/32 CVE-2017-6828: A Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp https://github.com/mpruett/audiofile/issues/31 CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp https://github.com/mpruett/audiofile/issues/36 CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp https://github.com/mpruett/audiofile/issues/37 CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp https://github.com/mpruett/audiofile/issues/39 CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients. http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ https://github.com/mpruett/audiofile/issues/41 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
|
|
From: Antonio Larrosa <larrosa@kde.org>
|
|
Date: Mon, 6 Mar 2017 12:51:22 +0100
|
|
Subject: [PATCH] Always check the number of coefficients
|
|
|
|
When building the library with NDEBUG, asserts are eliminated
|
|
so it's better to always check that the number of coefficients
|
|
is inside the array range.
|
|
|
|
This fixes the 00191-audiofile-indexoob issue in #41
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libaudiofile/WAVE.cpp | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
|
|
index 0e81cf7..61f9541 100644
|
|
--- a/libaudiofile/WAVE.cpp
|
|
+++ b/libaudiofile/WAVE.cpp
|
|
@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
|
|
|
|
/* numCoefficients should be at least 7. */
|
|
assert(numCoefficients >= 7 && numCoefficients <= 255);
|
|
+ if (numCoefficients < 7 || numCoefficients > 255)
|
|
+ {
|
|
+ _af_error(AF_BAD_HEADER,
|
|
+ "Bad number of coefficients");
|
|
+ return AF_FAIL;
|
|
+ }
|
|
|
|
m_msadpcmNumCoefficients = numCoefficients;
|
|
|
|
--
|
|
2.11.0
|
|
|