fix CVE-2015-7805: Heap overflow vulnerability when parsing specially

crafted AIFF header
This commit is contained in:
Michal Hlavinka 2015-11-06 10:29:15 +01:00
parent 5aafa63b10
commit 01c7afde1d
2 changed files with 98 additions and 1 deletions

View File

@ -0,0 +1,90 @@
From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Sat, 7 Feb 2015 15:45:10 +1100
Subject: [PATCH] src/common.c : Fix a header parsing bug.
When the file header is bigger that SF_HEADER_LEN, the code would seek
instead of reading causing file parse errors.
The current header parsing and writing code *badly* needs a re-write.
---
src/common.c | 27 +++++++++++----------------
1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/src/common.c b/src/common.c
index dd4edb7..c6b88cc 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1,5 +1,5 @@
/*
-** Copyright (C) 1999-2011 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU Lesser General Public License as published by
@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
{ int count = 0 ;
if (psf->headindex >= SIGNED_SIZEOF (psf->header))
- { memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
-
- /* This is the best that we can do. */
- psf_fseek (psf, bytes, SEEK_CUR) ;
- return bytes ;
- } ;
+ return psf_fread (ptr, 1, bytes, psf) ;
if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
{ int most ;
most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
psf_fread (psf->header + psf->headend, 1, most, psf) ;
- memset ((char *) ptr + most, 0, bytes - most) ;
-
- psf_fseek (psf, bytes - most, SEEK_CUR) ;
+ memcpy (ptr, psf->header + psf->headend, most) ;
+ psf->headend = psf->headindex += most ;
+ psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
return bytes ;
} ;
@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
{ count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
if (count != bytes - (int) (psf->headend - psf->headindex))
{ psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
- return 0 ;
+ return count ;
} ;
psf->headend += count ;
} ;
@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
static void
header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
{
-
switch (whence)
{ case SEEK_SET :
if (position > SIGNED_SIZEOF (psf->header))
@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
static int
header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
-{
- int k ;
+{ int k ;
for (k = 0 ; k < bufsize - 1 ; k++)
{ if (psf->headindex < psf->headend)
@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case 'j' :
/* Get the seek position first. */
count = va_arg (argptr, size_t) ;
- header_seek (psf, count, SEEK_CUR) ;
- byte_count += count ;
+ if (count)
+ { header_seek (psf, count, SEEK_CUR) ;
+ byte_count += count ;
+ } ;
break ;
default :

View File

@ -1,7 +1,7 @@
Summary: Library for reading and writing sound files Summary: Library for reading and writing sound files
Name: libsndfile Name: libsndfile
Version: 1.0.25 Version: 1.0.25
Release: 17%{?dist} Release: 18%{?dist}
License: LGPLv2+ and GPLv2+ and BSD License: LGPLv2+ and GPLv2+ and BSD
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.mega-nerd.com/libsndfile/ URL: http://www.mega-nerd.com/libsndfile/
@ -9,6 +9,8 @@ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
Patch0: %{name}-1.0.25-system-gsm.patch Patch0: %{name}-1.0.25-system-gsm.patch
Patch1: libsndfile-1.0.25-zerodivfix.patch Patch1: libsndfile-1.0.25-zerodivfix.patch
Patch2: libsndfile-1.0.25-cve2014_9496.patch Patch2: libsndfile-1.0.25-cve2014_9496.patch
# from upstream, for <= 1.0.25, rhbz#1277899
Patch3: libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
BuildRequires: alsa-lib-devel BuildRequires: alsa-lib-devel
BuildRequires: flac-devel BuildRequires: flac-devel
@ -57,6 +59,7 @@ This package contains command line utilities for libsndfile.
%patch0 -p1 %patch0 -p1
%patch1 -p1 -b .zerodivfix %patch1 -p1 -b .zerodivfix
%patch2 -p1 -b .cve2014_9496 %patch2 -p1 -b .cve2014_9496
%patch3 -p1 -b .d2a87385c1ca1d72918e9a2875d24f202a5093e8
rm -r src/GSM610 rm -r src/GSM610
%build %build
@ -150,6 +153,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%changelog %changelog
* Fri Nov 06 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-18
- fix CVE-2015-7805: Heap overflow vulnerability when parsing specially
crafted AIFF header
* Thu Aug 27 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 1.0.25-17 * Thu Aug 27 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 1.0.25-17
- Use __isa_bits macro instead of list of 64-bit architectures - Use __isa_bits macro instead of list of 64-bit architectures