fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)

- division by zero leading to denial of service in psf_fwrite (#1177254)
This commit is contained in:
Michal Hlavinka 2015-01-13 17:03:51 +01:00
parent 1bbdc52f87
commit f22a30c5e7
3 changed files with 86 additions and 2 deletions

View File

@ -0,0 +1,51 @@
diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
--- libsndfile-1.0.25/src/sd2.c.cve2014_9496 2011-01-19 11:10:36.000000000 +0100
+++ libsndfile-1.0.25/src/sd2.c 2015-01-13 17:00:35.920285526 +0100
@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
return 0x666 ;
} /* read_marker */
+static inline int
+read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
+{ const unsigned char * data = prsrc->rsrc_data ;
+
+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
+ return 0 ;
+
+ if (CPU_IS_BIG_ENDIAN)
+ return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+ if (CPU_IS_LITTLE_ENDIAN)
+ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
+
+ return 0 ;
+} /* read_rsrc_marker */
+
static void
read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
{ int k ;
@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
rsrc.type_offset = rsrc.map_offset + 30 ;
+ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad map offset.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
if (rsrc.type_count < 1)
{ psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
rsrc.str_index = -1 ;
for (k = 0 ; k < rsrc.type_count ; k ++)
- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
+ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
if (marker == STR_MARKER)
{ rsrc.str_index = k ;

View File

@ -0,0 +1,25 @@
From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Wed, 24 Dec 2014 21:02:35 +1100
Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero.
Closes: https://github.com/erikd/libsndfile/issues/92
---
src/file_io.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/file_io.c b/src/file_io.c
index 26d3d6d..6ccab78 100644
--- a/src/file_io.c
+++ b/src/file_io.c
@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_count_t items, SF_PRIVATE *psf
{ sf_count_t total = 0 ;
ssize_t count ;
+ if (bytes == 0 || items == 0)
+ return 0 ;
+
if (psf->virtual_io)
return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;

View File

@ -1,12 +1,14 @@
Summary: Library for reading and writing sound files Summary: Library for reading and writing sound files
Name: libsndfile Name: libsndfile
Version: 1.0.25 Version: 1.0.25
Release: 13%{?dist} Release: 14%{?dist}
License: LGPLv2+ and GPLv2+ and BSD License: LGPLv2+ and GPLv2+ and BSD
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.mega-nerd.com/libsndfile/ URL: http://www.mega-nerd.com/libsndfile/
Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
Patch0: %{name}-1.0.25-system-gsm.patch Patch0: %{name}-1.0.25-system-gsm.patch
Patch1: libsndfile-1.0.25-zerodivfix.patch
Patch2: libsndfile-1.0.25-cve2014_9496.patch
BuildRequires: alsa-lib-devel BuildRequires: alsa-lib-devel
BuildRequires: flac-devel BuildRequires: flac-devel
@ -54,6 +56,8 @@ This package contains command line utilities for libsndfile.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1 -b .zerodivfix
%patch2 -p1 -b .cve2014_9496
rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch
%build %build
@ -151,6 +155,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%changelog %changelog
* Tue Jan 13 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-14
- fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
- division by zero leading to denial of service in psf_fwrite (#1177254)
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.25-13 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.25-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
@ -240,7 +248,7 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.17-7 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.17-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Thu Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6 * Sat Oct 25 2008 Andreas Thienemann <andreas@bawue.net> - 1.0.17-6
- Removed spurious #endif in the libsndfile.h wrapper. Thx to Edward - Removed spurious #endif in the libsndfile.h wrapper. Thx to Edward
Sheldrake for finding it. Fixes #468508. Sheldrake for finding it. Fixes #468508.
- Fix build for autoconf-2.63 - Fix build for autoconf-2.63