4a1a8277bb
CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp https://github.com/mpruett/audiofile/issues/34 CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp https://github.com/mpruett/audiofile/issues/38 CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h https://github.com/mpruett/audiofile/issues/40 CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ https://github.com/mpruett/audiofile/issues/41 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
73 lines
2.1 KiB
Diff
73 lines
2.1 KiB
Diff
From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
|
|
From: Antonio Larrosa <larrosa@kde.org>
|
|
Date: Mon, 6 Mar 2017 13:54:52 +0100
|
|
Subject: [PATCH] Check for multiplication overflow in sfconvert
|
|
|
|
Checks that a multiplication doesn't overflow when
|
|
calculating the buffer size, and if it overflows,
|
|
reduce the buffer size instead of failing.
|
|
|
|
This fixes the 00192-audiofile-signintoverflow-sfconvert case
|
|
in #41
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
|
|
1 file changed, 32 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
|
|
index 80a1bc4..970a3e4 100644
|
|
--- a/sfcommands/sfconvert.c
|
|
+++ b/sfcommands/sfconvert.c
|
|
@@ -45,6 +45,33 @@ void printusage (void);
|
|
void usageerror (void);
|
|
bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
|
|
|
|
+int firstBitSet(int x)
|
|
+{
|
|
+ int position=0;
|
|
+ while (x!=0)
|
|
+ {
|
|
+ x>>=1;
|
|
+ ++position;
|
|
+ }
|
|
+ return position;
|
|
+}
|
|
+
|
|
+#ifndef __has_builtin
|
|
+#define __has_builtin(x) 0
|
|
+#endif
|
|
+
|
|
+int multiplyCheckOverflow(int a, int b, int *result)
|
|
+{
|
|
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
|
|
+ return __builtin_mul_overflow(a, b, result);
|
|
+#else
|
|
+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
|
|
+ return true;
|
|
+ *result = a * b;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
int main (int argc, char **argv)
|
|
{
|
|
if (argc == 2)
|
|
@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
|
|
{
|
|
int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
|
|
|
|
- const int kBufferFrameCount = 65536;
|
|
- void *buffer = malloc(kBufferFrameCount * frameSize);
|
|
+ int kBufferFrameCount = 65536;
|
|
+ int bufferSize;
|
|
+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
|
|
+ kBufferFrameCount /= 2;
|
|
+ void *buffer = malloc(bufferSize);
|
|
|
|
AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
|
|
AFframecount totalFramesWritten = 0;
|
|
--
|
|
2.11.0
|
|
|