From eabbff42cb5e38068b81462fb66bf5ce2e37926a Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 13 Jan 2015 17:22:42 +0100 Subject: [PATCH] fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840) - division by zero leading to denial of service in psf_fwrite (#1177254) --- libsndfile-1.0.25-cve2014_9496.patch | 51 ++++++++++++++++++++++++++++ libsndfile-1.0.25-zerodivfix.patch | 25 ++++++++++++++ libsndfile.spec | 14 +++++++- 3 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 libsndfile-1.0.25-cve2014_9496.patch create mode 100644 libsndfile-1.0.25-zerodivfix.patch diff --git a/libsndfile-1.0.25-cve2014_9496.patch b/libsndfile-1.0.25-cve2014_9496.patch new file mode 100644 index 0000000..56a084d --- /dev/null +++ b/libsndfile-1.0.25-cve2014_9496.patch @@ -0,0 +1,51 @@ +diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c +--- libsndfile-1.0.25/src/sd2.c.cve2014_9496 2011-01-19 11:10:36.000000000 +0100 ++++ libsndfile-1.0.25/src/sd2.c 2015-01-13 17:00:35.920285526 +0100 +@@ -395,6 +395,21 @@ read_marker (const unsigned char * data, + return 0x666 ; + } /* read_marker */ + ++static inline int ++read_rsrc_marker (const SD2_RSRC *prsrc, int offset) ++{ const unsigned char * data = prsrc->rsrc_data ; ++ ++ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) ++ return 0 ; ++ ++ if (CPU_IS_BIG_ENDIAN) ++ return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; ++ if (CPU_IS_LITTLE_ENDIAN) ++ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ; ++ ++ return 0 ; ++} /* read_rsrc_marker */ ++ + static void + read_str (const unsigned char * data, int offset, char * buffer, int buffer_len) + { int k ; +@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.type_offset = rsrc.map_offset + 30 ; + ++ if (rsrc.map_offset + 28 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad map offset.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ + rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ; + if (rsrc.type_count < 1) + { psf_log_printf (psf, "Bad type count.\n") ; +@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.str_index = -1 ; + for (k = 0 ; k < rsrc.type_count ; k ++) +- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ; ++ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad rsrc marker.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ ++ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; + + if (marker == STR_MARKER) + { rsrc.str_index = k ; diff --git a/libsndfile-1.0.25-zerodivfix.patch b/libsndfile-1.0.25-zerodivfix.patch new file mode 100644 index 0000000..499c168 --- /dev/null +++ b/libsndfile-1.0.25-zerodivfix.patch @@ -0,0 +1,25 @@ +From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo +Date: Wed, 24 Dec 2014 21:02:35 +1100 +Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero. + +Closes: https://github.com/erikd/libsndfile/issues/92 +--- + src/file_io.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/file_io.c b/src/file_io.c +index 26d3d6d..6ccab78 100644 +--- a/src/file_io.c ++++ b/src/file_io.c +@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_count_t items, SF_PRIVATE *psf + { sf_count_t total = 0 ; + ssize_t count ; + ++ if (bytes == 0 || items == 0) ++ return 0 ; ++ + if (psf->virtual_io) + return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ; + + diff --git a/libsndfile.spec b/libsndfile.spec index 64c1762..07695b7 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.17 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPL Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -19,6 +19,12 @@ Patch3: voc-aiff-patch-1.0.17.diff #from upstream, for libsndfile < 1.0.25, crash by overflow with some PAF files (#721239) Patch4: libsndfile-1.0.17-r1305,1610.patch +#from upstream, for libsndfile <= 1.0.25, rhbz#1177254 +Patch5: libsndfile-1.0.25-zerodivfix.patch + +#from upstream, for libsndfile <= 1.0.25, rhbz#1178840 +Patch6: libsndfile-1.0.25-cve2014_9496.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n) BuildRequires: alsa-lib-devel @@ -49,6 +55,8 @@ This package contains files needed to develop with libsndfile. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 -b .zerodivfix +%patch6 -p1 -b .cve2014_9496 %build %configure --disable-dependency-tracking @@ -96,6 +104,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Jan 13 2015 Michal Hlavinka - 1.0.17-6 +- fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840) +- division by zero leading to denial of service in psf_fwrite (#1177254) + * Thu Jul 14 2011 Michal Hlavinka - 1.0.17-5 - fixes integer overflow by processing certain PAF audio files (#721239)