fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)

- division by zero leading to denial of service in psf_fwrite (#1177254)
This commit is contained in:
Michal Hlavinka 2015-01-13 17:22:42 +01:00
parent beddd35e08
commit eabbff42cb
3 changed files with 89 additions and 1 deletions

View File

@ -0,0 +1,51 @@
diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
--- libsndfile-1.0.25/src/sd2.c.cve2014_9496 2011-01-19 11:10:36.000000000 +0100
+++ libsndfile-1.0.25/src/sd2.c 2015-01-13 17:00:35.920285526 +0100
@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
return 0x666 ;
} /* read_marker */
+static inline int
+read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
+{ const unsigned char * data = prsrc->rsrc_data ;
+
+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
+ return 0 ;
+
+ if (CPU_IS_BIG_ENDIAN)
+ return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+ if (CPU_IS_LITTLE_ENDIAN)
+ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
+
+ return 0 ;
+} /* read_rsrc_marker */
+
static void
read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
{ int k ;
@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
rsrc.type_offset = rsrc.map_offset + 30 ;
+ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad map offset.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
if (rsrc.type_count < 1)
{ psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
rsrc.str_index = -1 ;
for (k = 0 ; k < rsrc.type_count ; k ++)
- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
+ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
if (marker == STR_MARKER)
{ rsrc.str_index = k ;

View File

@ -0,0 +1,25 @@
From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Wed, 24 Dec 2014 21:02:35 +1100
Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero.
Closes: https://github.com/erikd/libsndfile/issues/92
---
src/file_io.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/file_io.c b/src/file_io.c
index 26d3d6d..6ccab78 100644
--- a/src/file_io.c
+++ b/src/file_io.c
@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_count_t items, SF_PRIVATE *psf
{ sf_count_t total = 0 ;
ssize_t count ;
+ if (bytes == 0 || items == 0)
+ return 0 ;
+
if (psf->virtual_io)
return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;

View File

@ -1,7 +1,7 @@
Summary: Library for reading and writing sound files
Name: libsndfile
Version: 1.0.17
Release: 5%{?dist}
Release: 6%{?dist}
License: LGPL
Group: System Environment/Libraries
URL: http://www.mega-nerd.com/libsndfile/
@ -19,6 +19,12 @@ Patch3: voc-aiff-patch-1.0.17.diff
#from upstream, for libsndfile < 1.0.25, crash by overflow with some PAF files (#721239)
Patch4: libsndfile-1.0.17-r1305,1610.patch
#from upstream, for libsndfile <= 1.0.25, rhbz#1177254
Patch5: libsndfile-1.0.25-zerodivfix.patch
#from upstream, for libsndfile <= 1.0.25, rhbz#1178840
Patch6: libsndfile-1.0.25-cve2014_9496.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
BuildRequires: alsa-lib-devel
@ -49,6 +55,8 @@ This package contains files needed to develop with libsndfile.
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1 -b .zerodivfix
%patch6 -p1 -b .cve2014_9496
%build
%configure --disable-dependency-tracking
@ -96,6 +104,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Tue Jan 13 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-6
- fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
- division by zero leading to denial of service in psf_fwrite (#1177254)
* Thu Jul 14 2011 Michal Hlavinka <mhlavink@redhat.com> - 1.0.17-5
- fixes integer overflow by processing certain PAF audio files (#721239)