fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)

- division by zero leading to denial of service in psf_fwrite (#1177254)
2015-01-13 17:03:51 +01:00 · 2015-01-13 17:03:51 +01:00 · f22a30c5e7
commit f22a30c5e7
parent 1bbdc52f87
3 changed files with 86 additions and 2 deletions
--- a/libsndfile-1.0.25-cve2014_9496.patch
+++ b/libsndfile-1.0.25-cve2014_9496.patch
@ -0,0 +1,51 @@
+diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
+--- libsndfile-1.0.25/src/sd2.c.cve2014_9496	2011-01-19 11:10:36.000000000 +0100
+++ libsndfile-1.0.25/src/sd2.c	2015-01-13 17:00:35.920285526 +0100
+@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
+ 		return 0x666 ;
+ } /* read_marker */
+ 
+static inline int
+read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
+{	const unsigned char * data = prsrc->rsrc_data ;
+
+	if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
+		return 0 ;
+
+	if (CPU_IS_BIG_ENDIAN)
+		return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+	if (CPU_IS_LITTLE_ENDIAN)
+		return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
+
+	return 0 ;
+} /* read_rsrc_marker */
+
+ static void
+ read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
+ {	int k ;
+@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ 
+ 	rsrc.type_offset = rsrc.map_offset + 30 ;
+ 
+	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+	{       psf_log_printf (psf, "Bad map offset.\n") ;
+		goto parse_rsrc_fork_cleanup ;
+		} ;
+
+ 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
+ 	if (rsrc.type_count < 1)
+ 	{	psf_log_printf (psf, "Bad type count.\n") ;
+@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ 
+ 	rsrc.str_index = -1 ;
+ 	for (k = 0 ; k < rsrc.type_count ; k ++)
+-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
+			goto parse_rsrc_fork_cleanup ;
+			} ;
+
+		marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
+ 
+ 		if (marker == STR_MARKER)
+ 		{	rsrc.str_index = k ;
--- a/libsndfile-1.0.25-zerodivfix.patch
+++ b/libsndfile-1.0.25-zerodivfix.patch
@ -0,0 +1,25 @@
+From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Wed, 24 Dec 2014 21:02:35 +1100
+Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero.
+
+Closes: https://github.com/erikd/libsndfile/issues/92
+---
+ src/file_io.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/file_io.c b/src/file_io.c
+index 26d3d6d..6ccab78 100644
+--- a/src/file_io.c
+++ b/src/file_io.c
+@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_count_t items, SF_PRIVATE *psf
+ {	sf_count_t total = 0 ;
+ 	ssize_t	count ;
+ 
+	if (bytes == 0 || items == 0)
+		return 0 ;
+
+ 	if (psf->virtual_io)
+ 		return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;
+ 
+
--- a/libsndfile.spec
+++ b/libsndfile.spec
@ -1,12 +1,14 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.25
-Release:	13%{?dist}
+Release:	14%{?dist}
 License:	LGPLv2+ and GPLv2+ and BSD
 Group:		System Environment/Libraries
 URL:		http://www.mega-nerd.com/libsndfile/
 Source0:	http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0:		%{name}-1.0.25-system-gsm.patch
+Patch1: libsndfile-1.0.25-zerodivfix.patch
+Patch2: libsndfile-1.0.25-cve2014_9496.patch

 BuildRequires:	alsa-lib-devel
 BuildRequires:	flac-devel
@ -54,6 +56,8 @@ This package contains command line utilities for libsndfile.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1 -b .zerodivfix
+%patch2 -p1 -b .cve2014_9496
 rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch

 %build
@ -151,6 +155,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check


 %changelog
+* Tue Jan 13 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-14
+- fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
+- division by zero leading to denial of service in psf_fwrite (#1177254)
+
 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.25-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

@ -240,7 +248,7 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.17-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

-* Thu Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6
+* Sat Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6
 - Removed spurious #endif in the libsndfile.h wrapper. Thx to Edward
  Sheldrake for finding it. Fixes #468508.
 - Fix build for autoconf-2.63