Takashi Iwai
c349a7f6d8
- Backport upstream fixes: buffer overflow fixes in aplay, segfault in aplaymidi, etc: 0008-topology-include-locale.h.patch 0009-nhlt-dmic-info.c-include-sys-types.h.patch 0010-topology-pre-processor-Add-support-for-enum-controls.patch 0011-configure.ac-fix-UMP-support-detection.patch 0012-bat-really-skip-analysis-of-the-first-period-and-upd.patch 0013-topology-add-include-for-ENABLE_NLS-on-musl.patch 0014-nhlt-use-stdint.h-types.patch 0015-Revert-nhlt-dmic-info.c-include-sys-types.h.patch 0016-aplay-use-stdint.h-types-instead-u_int-u_short-u_cha.patch 0017-alsa-restore.rules-use-devnode-instead-number-atribu.patch 0018-nhlt-Revert-SSP_ANALOG-device_type-field.patch 0019-alsactl-fix-potential-buffer-overwrite.patch 0020-aplay-fix-buffer-overflow-and-tainted-format-string.patch 0021-misc-fix-incorrect-usages-of-strerror.patch 0022-aplay-Add-option-for-specifying-subformat.patch 0023-aplay-allow-to-compile-with-older-alsa-lib-subformat.patch 0024-aplay-log-pcm-status-before-reporting-a-fatal-error.patch 0025-aplay-enable-timestamps-by-default.patch 0026-aplay-status-dumps-are-called-only-in-verbose-mode.patch 0027-aplaymidi-Set-event-completely-for-tempo-event.patch OBS-URL: https://build.opensuse.org/request/show/1137523 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/alsa-utils?expand=0&rev=210
From 4ce6a0a4af518700c3e44257af5f44ff24d58fc9 Mon Sep 17 00:00:00 2001
From: Mingjie Shen <shen497@purdue.edu>
Date: Wed, 6 Dec 2023 16:09:58 -0500
Subject: [PATCH] aplay: fix buffer overflow and tainted format string
Prior to this commit, memcpy from names[0] to format[] will overwrite if
strlen(names[0]) is greater than 1024. Also, the length of malloc()ed
names[channel] is insufficient, leading to another buffer overwriting
when calling sprintf(). Moreover, the format string of sprintf()
can be controlled by user input. An attacker can exploit this weakness
to crash the program, disclose information or even execute arbitrary
code.
Fix by allocating enough space for arrays and using constant expressions
as the format strings.
Fixes: https://github.com/alsa-project/alsa-utils/pull/246/
Signed-off-by: Mingjie Shen <shen497@purdue.edu>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
---
aplay/aplay.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/aplay/aplay.c b/aplay/aplay.c
|
|
index 9cf36dee2d9d..f1c27b6c4929 100644
|
|
--- a/aplay/aplay.c
|
|
+++ b/aplay/aplay.c
|
|
@@ -3436,14 +3436,14 @@ static void playbackv(char **names, unsigned int count)
|
|
|
|
if (count == 1 && channels > 1) {
|
|
size_t len = strlen(names[0]);
|
|
- char format[1024];
|
|
- memcpy(format, names[0], len);
|
|
- strcpy(format + len, ".%d");
|
|
- len += 4;
|
|
+ char buf[len + 1];
|
|
+ strcpy(buf, names[0]);
|
|
+ /* 1 for "." + 3 for channel (<= 256) + 1 for null terminator */
|
|
+ len += 5;
|
|
names = malloc(sizeof(*names) * channels);
|
|
for (channel = 0; channel < channels; ++channel) {
|
|
names[channel] = malloc(len);
|
|
- sprintf(names[channel], format, channel);
|
|
+ snprintf(names[channel], len, "%s.%d", buf, channel);
|
|
}
|
|
alloced = 1;
|
|
} else if (count != channels) {
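Review bot: The new `char buf[len + 1];` is a variable-length array sized by `strlen(names[0])`, a string that comes from the caller (presumably the command line), so an oversized device name now consumes an unbounded amount of stack instead of overflowing the old fixed buffer; the copy is also unnecessary, because nothing in the hunk frees the original `names` array and only the pointer is lost when `names` is reassigned. Saving the pointer removes both the VLA and the `strcpy`: replace the two added lines with `const char *base = names[0];` and format with `snprintf(names[channel], len, "%s.%d", base, channel);`. The capturev hunk below has the identical pattern and would take the same change. The comment `channel (<= 256)` is not enforced by anything visible here; if `channels` can exceed 999, `snprintf` truncates the suffix silently, which is memory-safe but would produce duplicate device names, so either document that bound or check `channels` before the loop. The `malloc` results on the context lines remain unchecked, but that is pre-existing; playbackv's body continues outside the hunk.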
|
|
@@ -3489,14 +3489,14 @@ static void capturev(char **names, unsigned int count)
|
|
|
|
if (count == 1) {
|
|
size_t len = strlen(names[0]);
|
|
- char format[1024];
|
|
- memcpy(format, names[0], len);
|
|
- strcpy(format + len, ".%d");
|
|
- len += 4;
|
|
+ char buf[len + 1];
|
|
+ strcpy(buf, names[0]);
|
|
+ /* 1 for "." + 3 for channel (<= 256) + 1 for null terminator */
|
|
+ len += 5;
|
|
names = malloc(sizeof(*names) * channels);
|
|
for (channel = 0; channel < channels; ++channel) {
|
|
names[channel] = malloc(len);
|
|
- sprintf(names[channel], format, channel);
|
|
+ snprintf(names[channel], len, "%s.%d", buf, channel);
|
|
}
|
|
alloced = 1;
|
|
} else if (count != channels) {
|
|
--