Accepting request 907968 from home:tiwai:branches:multimedia:libs

- Fix heap buffer overflow vulnerability in msadpcm_decode_block (CVE-2021-3246, bsc#1188540): ms_adpcm-Fix-and-extend-size-checks.patch OBS-URL: https://build.opensuse.org/request/show/907968 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=82
2021-07-23 12:17:52 +00:00 · 2021-07-23 12:17:52 +00:00 · 06d8106a98
commit 06d8106a98
parent ad79e1dc20
3 changed files with 47 additions and 0 deletions
--- a/libsndfile.changes
+++ b/libsndfile.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 23 12:59:11 CEST 2021 - tiwai@suse.de
+
+- Fix heap buffer overflow vulnerability in msadpcm_decode_block
+  (CVE-2021-3246, bsc#1188540):
+  ms_adpcm-Fix-and-extend-size-checks.patch
+
 -------------------------------------------------------------------
 Wed Mar 17 08:09:51 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/libsndfile.spec
+++ b/libsndfile.spec
@ -29,6 +29,7 @@ Source1:        https://github.com/libsndfile/libsndfile/releases/download/%{ver
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch34:        sndfile-deinterlace-channels-check.patch
+Patch35:        ms_adpcm-Fix-and-extend-size-checks.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  cmake
--- a/ms_adpcm-Fix-and-extend-size-checks.patch
+++ b/ms_adpcm-Fix-and-extend-size-checks.patch
@ -0,0 +1,39 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a316507..a21cb994105e 100644
+--- a/src/ms_adpcm.c
+++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init	(SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 	if (psf->file.mode == SFM_WRITE)
+ 		samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
+-	if (blockalign < 7 * psf->sf.channels)
+-	{	psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
+	/* There's 7 samples per channel in the preamble of each block */
+	if (samplesperblock < 7 * psf->sf.channels)
+	{	psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
+		return SFE_INTERNAL ;
+		} ;
+
+	if (2 * blockalign < samplesperblock * psf->sf.channels)
+	{	psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ 		return SFE_INTERNAL ;
+ 		} ;
+ 
+-- 
+2.26.2
+