bd5f84d301
Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp https://github.com/mpruett/audiofile/issues/35 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
|
|
From: Antonio Larrosa <larrosa@kde.org>
|
|
Date: Mon, 6 Mar 2017 18:59:26 +0100
|
|
Subject: [PATCH] Actually fail when error occurs in parseFormat
|
|
|
|
When there's an unsupported number of bits per sample or an invalid
|
|
number of samples per block, don't only print an error message using
|
|
the error handler, but actually stop parsing the file.
|
|
|
|
This fixes #35 (also reported at
|
|
https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
|
|
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
|
|
)
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libaudiofile/WAVE.cpp | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
|
|
index 0e81cf7..d762249 100644
|
|
--- a/libaudiofile/WAVE.cpp
|
|
+++ b/libaudiofile/WAVE.cpp
|
|
@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
|
|
{
|
|
_af_error(AF_BAD_NOT_IMPLEMENTED,
|
|
"IMA ADPCM compression supports only 4 bits per sample");
|
|
+ return AF_FAIL;
|
|
}
|
|
|
|
int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
|
|
@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
|
|
{
|
|
_af_error(AF_BAD_CODEC_CONFIG,
|
|
"Invalid samples per block for IMA ADPCM compression");
|
|
+ return AF_FAIL;
|
|
}
|
|
|
|
track->f.sampleWidth = 16;
|
|
--
|
|
2.11.0
|
|
|