5a39746c5b
- Added CVE-2018-7253.patch: Fixed a heap based buffer overread in cli/dsdiff.c, which allowed remote attackers to cause DoS via a specially crafted input file (CVE-2018-7253, bsc#1081692) - Added CVE-2018-7254.patch: Fixed a buffer overread in cli/caff.c, which allowed remote attackers to cause DoS via a specially crafted input file (CVE-2018-7254, bsc#1081693) OBS-URL: https://build.opensuse.org/request/show/578281 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/wavpack?expand=0&rev=22
34 lines
1.4 KiB
Diff
34 lines
1.4 KiB
Diff
From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
|
|
From: David Bryant <david@wavpack.com>
|
|
Date: Sat, 10 Feb 2018 16:01:39 -0800
|
|
Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file
|
|
Upstream: merged
|
|
|
|
---
|
|
cli/dsdiff.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/cli/dsdiff.c b/cli/dsdiff.c
|
|
index 410dc1c..c016df9 100644
|
|
--- a/cli/dsdiff.c
|
|
+++ b/cli/dsdiff.c
|
|
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
|
|
error_line ("dsdiff file version = 0x%08x", version);
|
|
}
|
|
else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
|
|
- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
|
|
+ char *prop_chunk;
|
|
+
|
|
+ if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
|
|
+ error_line ("%s is not a valid .DFF file!", infilename);
|
|
+ return WAVPACK_SOFT_ERROR;
|
|
+ }
|
|
+
|
|
+ if (debug_logging_mode)
|
|
+ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
|
|
+
|
|
+ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
|
|
|
|
if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
|
|
bcount != dff_chunk_header.ckDataSize) {
|