fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
- division by zero leading to denial of service in psf_fwrite (#1177254)
This commit is contained in:
Michal Hlavinka
parent
1bbdc52f87
commit
f22a30c5e7
|
|
@ -0,0 +1,51 @@
|
|||
diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
|
||||
--- libsndfile-1.0.25/src/sd2.c.cve2014_9496 2011-01-19 11:10:36.000000000 +0100
|
||||
+++ libsndfile-1.0.25/src/sd2.c 2015-01-13 17:00:35.920285526 +0100
|
||||
@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
|
||||
return 0x666 ;
|
||||
} /* read_marker */
|
||||
|
||||
+static inline int
|
||||
+read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
|
||||
+{ const unsigned char * data = prsrc->rsrc_data ;
|
||||
+
|
||||
+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
|
||||
+ return 0 ;
|
||||
+
|
||||
+ if (CPU_IS_BIG_ENDIAN)
|
||||
+ return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
|
||||
+ if (CPU_IS_LITTLE_ENDIAN)
|
||||
+ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
|
||||
+
|
||||
+ return 0 ;
|
||||
+} /* read_rsrc_marker */
|
||||
+
|
||||
static void
|
||||
read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
|
||||
{ int k ;
|
||||
@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
|
||||
|
||||
rsrc.type_offset = rsrc.map_offset + 30 ;
|
||||
|
||||
+ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
|
||||
+ { psf_log_printf (psf, "Bad map offset.\n") ;
|
||||
+ goto parse_rsrc_fork_cleanup ;
|
||||
+ } ;
|
||||
+
|
||||
rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
|
||||
if (rsrc.type_count < 1)
|
||||
{ psf_log_printf (psf, "Bad type count.\n") ;
|
||||
@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
|
||||
|
||||
rsrc.str_index = -1 ;
|
||||
for (k = 0 ; k < rsrc.type_count ; k ++)
|
||||
- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
|
||||
+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
|
||||
+ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
|
||||
+ goto parse_rsrc_fork_cleanup ;
|
||||
+ } ;
|
||||
+
|
||||
+ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
|
||||
|
||||
if (marker == STR_MARKER)
|
||||
{ rsrc.str_index = k ;
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001
|
||||
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
||||
Date: Wed, 24 Dec 2014 21:02:35 +1100
|
||||
Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero.
|
||||
|
||||
Closes: https://github.com/erikd/libsndfile/issues/92
|
||||
---
|
||||
src/file_io.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/file_io.c b/src/file_io.c
|
||||
index 26d3d6d..6ccab78 100644
|
||||
--- a/src/file_io.c
|
||||
+++ b/src/file_io.c
|
||||
@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_count_t items, SF_PRIVATE *psf
|
||||
{ sf_count_t total = 0 ;
|
||||
ssize_t count ;
|
||||
|
||||
+ if (bytes == 0 || items == 0)
|
||||
+ return 0 ;
|
||||
+
|
||||
if (psf->virtual_io)
|
||||
return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;
|
||||
|
||||
|
||||
|
|
@ -1,12 +1,14 @@
|
|||
Summary: Library for reading and writing sound files
|
||||
Name: libsndfile
|
||||
Version: 1.0.25
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
License: LGPLv2+ and GPLv2+ and BSD
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.mega-nerd.com/libsndfile/
|
||||
Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
|
||||
Patch0: %{name}-1.0.25-system-gsm.patch
|
||||
Patch1: libsndfile-1.0.25-zerodivfix.patch
|
||||
Patch2: libsndfile-1.0.25-cve2014_9496.patch
|
||||
|
||||
BuildRequires: alsa-lib-devel
|
||||
BuildRequires: flac-devel
|
||||
|
|
@ -54,6 +56,8 @@ This package contains command line utilities for libsndfile.
|
|||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1 -b .zerodivfix
|
||||
%patch2 -p1 -b .cve2014_9496
|
||||
rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch
|
||||
|
||||
%build
|
||||
|
|
@ -151,6 +155,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 13 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-14
|
||||
- fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
|
||||
- division by zero leading to denial of service in psf_fwrite (#1177254)
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.25-13
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
|
|
@ -240,7 +248,7 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
|
|||
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.17-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||
|
||||
* Thu Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6
|
||||
* Sat Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6
|
||||
- Removed spurious #endif in the libsndfile.h wrapper. Thx to Edward
|
||||
Sheldrake for finding it. Fixes #468508.
|
||||
- Fix build for autoconf-2.63
|
||||
|
|
|
|||
Loading…
Reference in New Issue