don't free memory that is still used after realloc() error (CVE-2020-22219)
Resolves: CVE-2020-22219
This commit is contained in:
Miroslav Lichvar
parent
479065c151
commit
a2cecbaf48
177
flac-cve-2020-22219.patch
Normal file
177
flac-cve-2020-22219.patch
Normal file
@ -0,0 +1,177 @@
|
||||
Backported to 1.3.2
|
||||
|
||||
commit 21fe95ee828b0b9b944f6aa0bb02d24fbb981815
|
||||
Author: Martijn van Beurden <mvanb1@gmail.com>
|
||||
Date: Wed Aug 3 13:52:19 2022 +0200
|
||||
|
||||
Add and use _nofree variants of safe_realloc functions
|
||||
|
||||
Parts of the code use realloc like
|
||||
|
||||
x = safe_realloc(x, somesize);
|
||||
|
||||
when this is the case, the safe_realloc variant used must free the
|
||||
old memory block in case it fails, otherwise it will leak. However,
|
||||
there are also instances in the code where handling is different:
|
||||
|
||||
if (0 == (x = safe_realloc(y, somesize)))
|
||||
return false
|
||||
|
||||
in this case, y should not be freed, as y is not set to NULL we
|
||||
could encounter double frees. Here the safe_realloc_nofree
|
||||
functions are used.
|
||||
|
||||
diff -up flac-1.3.2/include/share/alloc.h.cve-2020-22219 flac-1.3.2/include/share/alloc.h
|
||||
--- flac-1.3.2/include/share/alloc.h.cve-2020-22219 2016-12-07 21:10:26.218454157 +0100
|
||||
+++ flac-1.3.2/include/share/alloc.h 2023-08-31 11:32:36.335453612 +0200
|
||||
@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *
|
||||
free(oldptr);
|
||||
return newptr;
|
||||
}
|
||||
-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
|
||||
+static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
|
||||
+{
|
||||
+ size2 += size1;
|
||||
+ if(size2 < size1)
|
||||
+ return 0;
|
||||
+ return realloc(ptr, size2);
|
||||
+}
|
||||
+
|
||||
+static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
|
||||
{
|
||||
size2 += size1;
|
||||
if(size2 < size1) {
|
||||
free(ptr);
|
||||
return 0;
|
||||
}
|
||||
- return realloc(ptr, size2);
|
||||
+ size3 += size2;
|
||||
+ if(size3 < size2) {
|
||||
+ free(ptr);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return safe_realloc_(ptr, size3);
|
||||
}
|
||||
|
||||
-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
|
||||
+static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
|
||||
{
|
||||
size2 += size1;
|
||||
if(size2 < size1)
|
||||
@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op
|
||||
return realloc(ptr, size3);
|
||||
}
|
||||
|
||||
-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
|
||||
+static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
|
||||
{
|
||||
size2 += size1;
|
||||
if(size2 < size1)
|
||||
@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op
|
||||
return safe_realloc_(ptr, size1*size2);
|
||||
}
|
||||
|
||||
+static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
|
||||
+{
|
||||
+ if(!size1 || !size2)
|
||||
+ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
|
||||
+ if(size1 > SIZE_MAX / size2)
|
||||
+ return 0;
|
||||
+ return realloc(ptr, size1*size2);
|
||||
+}
|
||||
+
|
||||
/* size1 * (size2 + size3) */
|
||||
static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
|
||||
{
|
||||
@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2
|
||||
return safe_realloc_mul_2op_(ptr, size1, size2);
|
||||
}
|
||||
|
||||
+/* size1 * (size2 + size3) */
|
||||
+static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
|
||||
+{
|
||||
+ if(!size1 || (!size2 && !size3))
|
||||
+ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
|
||||
+ size2 += size3;
|
||||
+ if(size2 < size3)
|
||||
+ return 0;
|
||||
+ return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
diff -up flac-1.3.2/src/flac/encode.c.cve-2020-22219 flac-1.3.2/src/flac/encode.c
|
||||
--- flac-1.3.2/src/flac/encode.c.cve-2020-22219 2016-12-07 21:10:26.218454157 +0100
|
||||
+++ flac-1.3.2/src/flac/encode.c 2023-08-31 11:32:36.335453612 +0200
|
||||
@@ -1744,10 +1744,10 @@ static void static_metadata_clear(static
|
||||
static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
|
||||
{
|
||||
void *x;
|
||||
- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
|
||||
+ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
|
||||
return false;
|
||||
m->metadata = (FLAC__StreamMetadata**)x;
|
||||
- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
|
||||
+ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
|
||||
return false;
|
||||
m->needs_delete = (FLAC__bool*)x;
|
||||
m->metadata[m->num_metadata] = d;
|
||||
diff -up flac-1.3.2/src/flac/foreign_metadata.c.cve-2020-22219 flac-1.3.2/src/flac/foreign_metadata.c
|
||||
--- flac-1.3.2/src/flac/foreign_metadata.c.cve-2020-22219 2016-12-07 21:10:26.222454288 +0100
|
||||
+++ flac-1.3.2/src/flac/foreign_metadata.c 2023-08-31 11:32:36.335453612 +0200
|
||||
@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin,
|
||||
|
||||
static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
|
||||
{
|
||||
- foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
|
||||
+ foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
|
||||
if(fb) {
|
||||
fb[fm->num_blocks].offset = offset;
|
||||
fb[fm->num_blocks].size = size;
|
||||
diff -up flac-1.3.2/src/libFLAC/bitwriter.c.cve-2020-22219 flac-1.3.2/src/libFLAC/bitwriter.c
|
||||
--- flac-1.3.2/src/libFLAC/bitwriter.c.cve-2020-22219 2016-12-07 21:10:26.222454288 +0100
|
||||
+++ flac-1.3.2/src/libFLAC/bitwriter.c 2023-08-31 11:32:36.335453612 +0200
|
||||
@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWrit
|
||||
FLAC__ASSERT(new_capacity > bw->capacity);
|
||||
FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
|
||||
|
||||
- new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
|
||||
+ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
|
||||
if(new_buffer == 0)
|
||||
return false;
|
||||
bw->buffer = new_buffer;
|
||||
diff -up flac-1.3.2/src/libFLAC/metadata_object.c.cve-2020-22219 flac-1.3.2/src/libFLAC/metadata_object.c
|
||||
--- flac-1.3.2/src/libFLAC/metadata_object.c.cve-2020-22219 2023-08-31 11:32:36.336453612 +0200
|
||||
+++ flac-1.3.2/src/libFLAC/metadata_object.c 2023-08-31 11:34:18.844405405 +0200
|
||||
@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC_
|
||||
/* realloc() failure leaves entry unchanged */
|
||||
static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, unsigned length)
|
||||
{
|
||||
- FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
|
||||
+ FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
|
||||
if (x != NULL) {
|
||||
x[length] = '\0';
|
||||
*entry = x;
|
||||
diff -up flac-1.3.2/src/plugin_common/tags.c.cve-2020-22219 flac-1.3.2/src/plugin_common/tags.c
|
||||
--- flac-1.3.2/src/plugin_common/tags.c.cve-2020-22219 2016-12-07 21:10:26.234454678 +0100
|
||||
+++ flac-1.3.2/src/plugin_common/tags.c 2023-08-31 11:32:36.336453612 +0200
|
||||
@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf
|
||||
const size_t value_len = strlen(value);
|
||||
const size_t separator_len = strlen(separator);
|
||||
FLAC__byte *new_entry;
|
||||
- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
|
||||
+ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
|
||||
return false;
|
||||
memcpy(new_entry+entry->length, separator, separator_len);
|
||||
entry->length += separator_len;
|
||||
diff -up flac-1.3.2/src/share/utf8/iconvert.c.cve-2020-22219 flac-1.3.2/src/share/utf8/iconvert.c
|
||||
--- flac-1.3.2/src/share/utf8/iconvert.c.cve-2020-22219 2016-12-07 21:10:26.234454678 +0100
|
||||
+++ flac-1.3.2/src/share/utf8/iconvert.c 2023-08-31 11:32:36.336453612 +0200
|
||||
@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const
|
||||
iconv_close(cd1);
|
||||
return ret;
|
||||
}
|
||||
- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
|
||||
+ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
|
||||
if (!newbuf)
|
||||
goto fail;
|
||||
ob = (ob - utfbuf) + newbuf;
|
||||
@ -12,6 +12,8 @@ Patch1: flac-cflags.patch
|
||||
Patch2: flac-memleak.patch
|
||||
# disable nasm detection
|
||||
Patch3: flac-nonasm.patch
|
||||
# don't free memory that is still used after realloc() error
|
||||
Patch4: flac-cve-2020-22219.patch
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
BuildRequires: libogg-devel
|
||||
BuildRequires: gcc automake autoconf libtool gettext-devel doxygen
|
||||
@ -57,6 +59,7 @@ will use the Free Lossless Audio Codec.
|
||||
%patch1 -p1 -b .cflags
|
||||
%patch2 -p1 -b .memleak
|
||||
%patch3 -p1 -b .nonasm
|
||||
%patch4 -p1 -b .cve-2020-22219
|
||||
|
||||
%build
|
||||
# use our libtool to avoid problems with RPATH
|
||||
|
||||
Loading…
Reference in New Issue
Block a user