434890df2a
The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp https://github.com/mpruett/audiofile/issues/33 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
40 lines
1.3 KiB
Diff
40 lines
1.3 KiB
Diff
From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
|
|
From: Antonio Larrosa <larrosa@kde.org>
|
|
Date: Mon, 6 Mar 2017 18:02:31 +0100
|
|
Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
|
|
|
|
This fixes #33
|
|
(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
|
|
and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libaudiofile/modules/IMA.cpp | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
|
|
index 7476d44..df4aad6 100644
|
|
--- a/libaudiofile/modules/IMA.cpp
|
|
+++ b/libaudiofile/modules/IMA.cpp
|
|
@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
|
|
if (encoded[1] & 0x80)
|
|
m_adpcmState[c].previousValue -= 0x10000;
|
|
|
|
- m_adpcmState[c].index = encoded[2];
|
|
+ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
|
|
|
|
*decoded++ = m_adpcmState[c].previousValue;
|
|
|
|
@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
|
|
predictor -= 0x10000;
|
|
|
|
state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
|
|
- state.index = encoded[1] & 0x7f;
|
|
+ state.index = clamp(encoded[1] & 0x7f, 0, 88);
|
|
encoded += 2;
|
|
|
|
for (int n=0; n<m_framesPerPacket; n+=2)
|
|
--
|
|
2.11.0
|
|
|