From 06d8106a983b2dc0ff41474c9b79358df469418363466747c698e62872dcf495 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Fri, 23 Jul 2021 12:17:52 +0000
Subject: [PATCH] Accepting request 907968 from home:tiwai:branches:multimedia:libs

- Fix heap buffer overflow vulnerability in msadpcm_decode_block
 (CVE-2021-3246, bsc#1188540):
 ms_adpcm-Fix-and-extend-size-checks.patch

OBS-URL: https://build.opensuse.org/request/show/907968
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=82
---
 libsndfile.changes | 7 ++++
 libsndfile.spec | 1 +
 ms_adpcm-Fix-and-extend-size-checks.patch | 39 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 ms_adpcm-Fix-and-extend-size-checks.patch

diff --git a/libsndfile.changes b/libsndfile.changes
index e6a4c0f..d6e3a36 100644
--- a/libsndfile.changes
+++ b/libsndfile.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 23 12:59:11 CEST 2021 - tiwai@suse.de
+
+- Fix heap buffer overflow vulnerability in msadpcm_decode_block
+ (CVE-2021-3246, bsc#1188540):
+ ms_adpcm-Fix-and-extend-size-checks.patch
+
 -------------------------------------------------------------------
 Wed Mar 17 08:09:51 UTC 2021 - Dominique Leuenberger
 
diff --git a/libsndfile.spec b/libsndfile.spec
index 5d14a9a..53222c4 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
@@ -29,6 +29,7 @@ Source1: https://github.com/libsndfile/libsndfile/releases/download/%{ver
 Source2: %{name}.keyring
 Source3: baselibs.conf
 Patch34: sndfile-deinterlace-channels-check.patch
+Patch35: ms_adpcm-Fix-and-extend-size-checks.patch
 # PATCH-FIX-OPENSUSE
 Patch100: sndfile-ocloexec.patch
 BuildRequires: cmake
diff --git a/ms_adpcm-Fix-and-extend-size-checks.patch b/ms_adpcm-Fix-and-extend-size-checks.patch
new file mode 100644
index 0000000..415110d
--- /dev/null
+++ b/ms_adpcm-Fix-and-extend-size-checks.patch
@@ -0,0 +1,39 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a316507..a21cb994105e 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
+--
+2.26.2
+
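Review bot: The added `if (2 * blockalign < samplesperblock * psf->sf.channels)` check bounds blockalign only from below, so a header whose blockalign is far larger than what samplesperblock samples need still passes; if the decoder unpacks nibbles across the whole block into a samples[] buffer sized from samplesperblock (the decode loop is outside this hunk, so this is inferred), an upper bound is needed too, and the write-path formula on the context line `samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels` gives it: `if (2 * blockalign > (samplesperblock + 12) * psf->sf.channels)` should also be rejected. That same formula shows the preamble is 7 bytes per channel carrying 2 samples, so the new comment `/* There's 7 samples per channel in the preamble of each block */` is inaccurate and the threshold `samplesperblock < 7 * psf->sf.channels` compares a per-channel sample count against a channel count; something like `/* Each block: 7-byte preamble per channel (predictor, delta, 2 samples), then two 4-bit samples per byte */` would describe the layout the arithmetic actually assumes. The lower bound as written also admits blockalign values up to 6 * channels bytes short of preamble plus nibble payload, which would leave the trailing samples unfilled rather than fail the header. wavlike_msadpcm_init's body continues outside the hunk.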