pool/timidity
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity
Files
factory
timidity/timidity-resample-frac-overflow-fix.patch
Takashi Iwai bce932a6aa Accepting request 578383 from home:tiwai:branches:multimedia:apps 
- Fix division-by-zero with malformed MIDI file (CVE-2017-11546,
  bsc#1081694):
  timidity-readmidi-zero-division-fix.patch
- Fix out-of-bound accesses in the resamplers (CVE-2017-11547,
  bsc#1081694):
  timidity-resample-frac-overflow-fix.patch
- Drop tcl/tk dependency; it's already broken with Tcl/Tk 8.6

OBS-URL: https://build.opensuse.org/request/show/578383
OBS-URL: https://build.opensuse.org/package/show/multimedia:apps/timidity?expand=0&rev=35
2018-02-20 15:06:01 +00:00

57 lines
2.0 KiB
Diff
Raw Permalink Blame History

From: Takashi Iwai <tiwai@suse.de>
Subject: resample: Fix out-of-bound access in resamplers
References: CVE-2017-11547
An adhoc fix for out-of-bound accesses in resamples.
The offset might overflow the given data range.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
--- a/timidity/resample.c
+++ b/timidity/resample.c
@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r
{
int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = src[ofsi];
v2 = src[ofsi + 1];
@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t *
{
int32 ofsi, ofsf, v0, v1, v2, v3;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = (int32)src[ofsi];
v2 = (int32)src[ofsi + 1];
@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec
sample_t *sptr;
int32 left, right, temp_n;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
left = (ofs>>FRACTION_BITS);
right = (rec->data_length>>FRACTION_BITS) - left - 1;
temp_n = (right<<1)-1;
@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re
int32 left, right, temp_n;
int ii, jj;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
left = (ofs>>FRACTION_BITS);
right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
temp_n = (right<<1)-1;
@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re
{
int32 v1, v2, ofsi;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = src[ofsi];
v2 = src[ofsi + 1];
Reference in New Issue View Git Blame Copy Permalink