a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985029)

Resolves: #1985029
Michal Hlavinka 2021-08-11 15:08:47 +02:00
parent d7583f7f52
commit 054e68671b
2 changed files with 28 additions and 1 deletions

@ -0,0 +1,21 @@
diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
index 5e8f1a31..a21cb994 100644
--- a/src/ms_adpcm.c
+++ b/src/ms_adpcm.c
@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
if (psf->file.mode == SFM_WRITE)
samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
- if (blockalign < 7 * psf->sf.channels)
- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
+ /* There's 7 samples per channel in the preamble of each block */
+ if (samplesperblock < 7 * psf->sf.channels)
+ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
+ return SFE_INTERNAL ;
+ } ;
+
+ if (2 * blockalign < samplesperblock * psf->sf.channels)
+ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
return SFE_INTERNAL ;
} ;
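
Review bot: The removed lower bound `blockalign < 7 * psf->sf.channels` is not implied by the two new checks when a mono file is read. With channels = 1, samplesperblock = 7 and blockalign = 4, neither `samplesperblock < 7 * psf->sf.channels` nor `2 * blockalign < samplesperblock * psf->sf.channels` fires, yet the write-mode formula just above treats 7 * channels as the preamble size in bytes. If a block must still be large enough to hold that preamble, keep the old check alongside the two new ones. The new comment also says "7 samples per channel" where that formula counts 7 bytes per channel, so it is worth rewording the comment so the two agree.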

@ -1,12 +1,14 @@
Summary: Library for reading and writing sound files Summary: Library for reading and writing sound files
Name: libsndfile Name: libsndfile
Version: 1.0.31 Version: 1.0.31
Release: 5%{?dist} Release: 6%{?dist}
License: LGPLv2+ and GPLv2+ and BSD License: LGPLv2+ and GPLv2+ and BSD
URL: http://libsndfile.github.io/libsndfile/ URL: http://libsndfile.github.io/libsndfile/
Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2 Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
Patch0: libsndfile-1.0.25-system-gsm.patch Patch0: libsndfile-1.0.25-system-gsm.patch
Patch1: libsndfile-1.0.25-zerodivfix.patch Patch1: libsndfile-1.0.25-zerodivfix.patch
# from upstream, for <= 1.0.31, rhbz#1985029
Patch2: libsndfile-1.0.31-deb669ee.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel BuildRequires: alsa-lib-devel
BuildRequires: flac-devel BuildRequires: flac-devel
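
Review bot: The comment above `Patch2` says "from upstream" but records only the bug number, so the upstream change can be identified only from the short hash in the patch file name. Adding the full upstream commit URL to that comment would let the next maintainer confirm the fix is included in a release before dropping the patch on a rebase past 1.0.31.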
@ -58,6 +60,7 @@ This package contains command line utilities for libsndfile.
rm -r src/GSM610 rm -r src/GSM610
# TODO: check if this patch is still needed # TODO: check if this patch is still needed
%patch1 -p1 -b .zerodivfix %patch1 -p1 -b .zerodivfix
%patch2 -p1 -b .deb669ee
%build %build
autoreconf -I M4 -fiv # for system-gsm patch autoreconf -I M4 -fiv # for system-gsm patch
@ -149,6 +152,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%changelog %changelog
* Wed Aug 11 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-6
- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985029)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688
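
Review bot: The new changelog entry writes the bug reference as `(#1985029)`, attached to the preceding word, while the spec comment on `Patch2` and the neighbouring `Related: rhbz#1991688` line use the `rhbz#` prefix. Writing it as `rhbz#1985029` here as well keeps every reference to the bug searchable in one form.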