Dirk Mueller
020ed5f8a8
- Added patches:
* CVE-2017-11332.patch: Fixed the startread function in wav.c, which allowed
remote attackers to cause a DoS (divide-by-zero) via a crafted wav file.
(CVE-2017-11332 bsc#1081140)
* CVE-2017-11358.patch: Fixed the read_samples function in hcom.c, which
allowed remote attackers to cause a DoS (invalid memory read) via a crafted
hcom file. (CVE-2017-11358 bsc#1081141)
* CVE-2017-11359.patch: Fixed the wavwritehdr function in wav.c, which
allowed remote attackers to cause a DoS (divide-by-zero) when converting a
a crafted snd file to a wav file. (CVE-2017-11359 bsc#1081142)
* CVE-2017-15370.patch: Fixed a heap-based buffer overflow in the ImaExpandS
function of ima_rw.c, which allowed remote attackers to cause a DoS during
conversion of a crafted audio file. (CVE-2017-15370 bsc#1063439)
* CVE-2017-15371.patch: Fixed an assertion abort in the function
sox_append_comment() in formats.c, which allowed remote attackers to cause
a DoS during conversion of a crafted audio file. (CVE-2017-15371
bsc#1063450)
* CVE-2017-15372.patch: Fixed a stack-based buffer overflow in the
lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote
attackers to cause a DoS during conversion of a crafted audio file.
(CVE-2017-15372 bsc#1063456)
* CVE-2017-15642.patch: Fixed an Use-After-Free vulnerability in
lsx_aiffstartread in aiff.c, which could be triggered by an attacker by
providing a malformed AIFF file. (CVE-2017-15642 bsc#1064576)
* CVE-2017-18189.patch: Fixed a NULL pointer dereference triggered by a
corrupt header specifying zero channels in the startread function in
xa.c, which allowed remote attackers to cause a DoS (CVE-2017-18189
bsc#1081146).
- Removed sox-doublefree.patch
OBS-URL: https://build.opensuse.org/request/show/576951
OBS-URL: https://build.opensuse.org/package/show/multimedia:apps/sox?expand=0&rev=38
98 lines
3.7 KiB
Diff
98 lines
3.7 KiB
Diff
From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001
|
|
From: Mans Rullgard <mans@mansr.com>
|
|
Date: Wed, 8 Nov 2017 00:29:14 +0000
|
|
Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
|
|
|
|
---
|
|
src/adpcm.c | 8 +++++++-
|
|
src/adpcm.h | 3 +++
|
|
src/wav.c | 5 ++++-
|
|
3 files changed, 14 insertions(+), 2 deletions(-)
|
|
|
|
Index: sox/src/adpcm.c
|
|
===================================================================
|
|
--- sox.orig/src/adpcm.c
|
|
+++ sox/src/adpcm.c
|
|
@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] =
|
|
{ 392,-232}
|
|
};
|
|
|
|
+extern void *lsx_ms_adpcm_alloc(unsigned chans)
|
|
+{
|
|
+ return lsx_malloc(chans * sizeof(MsState_t));
|
|
+}
|
|
+
|
|
static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
|
|
sox_sample_t sample1, sox_sample_t sample2)
|
|
{
|
|
@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s
|
|
|
|
/* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
|
|
const char *lsx_ms_adpcm_block_expand_i(
|
|
+ void *priv,
|
|
unsigned chans, /* total channels */
|
|
int nCoef,
|
|
const short *coef,
|
|
@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
|
|
const unsigned char *ip;
|
|
unsigned ch;
|
|
const char *errmsg = NULL;
|
|
- MsState_t state[4]; /* One decompressor state for each channel */
|
|
+ MsState_t *state = priv; /* One decompressor state for each channel */
|
|
|
|
/* Read the four-byte header for each channel */
|
|
ip = ibuff;
|
|
Index: sox/src/adpcm.h
|
|
===================================================================
|
|
--- sox.orig/src/adpcm.h
|
|
+++ sox/src/adpcm.h
|
|
@@ -29,8 +29,11 @@
|
|
/* default coef sets */
|
|
extern const short lsx_ms_adpcm_i_coef[7][2];
|
|
|
|
+extern void *lsx_ms_adpcm_alloc(unsigned chans);
|
|
+
|
|
/* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
|
|
extern const char *lsx_ms_adpcm_block_expand_i(
|
|
+ void *priv,
|
|
unsigned chans, /* total channels */
|
|
int nCoef,
|
|
const short *coef,
|
|
Index: sox/src/wav.c
|
|
===================================================================
|
|
--- sox.orig/src/wav.c
|
|
+++ sox/src/wav.c
|
|
@@ -82,6 +82,7 @@ typedef struct {
|
|
/* following used by *ADPCM wav files */
|
|
unsigned short nCoefs; /* ADPCM: number of coef sets */
|
|
short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */
|
|
+ void *ms_adpcm_data; /* Private data of adpcm decoder */
|
|
unsigned char *packet; /* Temporary buffer for packets */
|
|
short *samples; /* interleaved samples buffer */
|
|
short *samplePtr; /* Pointer to current sample */
|
|
@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so
|
|
}
|
|
}
|
|
|
|
- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
|
|
+ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
|
|
|
|
if (errmsg)
|
|
lsx_warn("%s", errmsg);
|
|
@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft)
|
|
|
|
/* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
|
|
wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
|
|
+ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
|
|
{
|
|
int i, errct=0;
|
|
for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
|
|
@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft)
|
|
free(wav->packet);
|
|
free(wav->samples);
|
|
free(wav->lsx_ms_adpcm_i_coefs);
|
|
+ free(wav->ms_adpcm_data);
|
|
free(wav->comment);
|
|
wav->comment = NULL;
|
|
|