Fix for CVE-2018-10536, CVE-2018-10537, CVE-2018-10538, CVE-2018-10539, CVE-2018-10540

2018-05-22 12:01:14 +02:00 · 2018-05-22 12:01:14 +02:00 · 273e47cb1d
commit 273e47cb1d
parent be8d9f333f
3 changed files with 145 additions and 1 deletions
--- a/wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
+++ b/wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
@ -0,0 +1,75 @@
+From 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 17:27:01 -0700
+Subject: [PATCH 1/2] issue #33, sanitize size of unknown chunks before
+ malloc()
+
+---
+ cli/dsdiff.c | 9 ++++++++-
+ cli/riff.c   | 9 ++++++++-
+ cli/wave64.c | 9 ++++++++-
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index c016df9..fa56bbb 100644
+--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
+@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         else {          // just copy unknown chunks to output file
+ 
+             int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
+-            char *buff = malloc (bytes_to_copy);
+            char *buff;
+
+            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+                error_line ("%s is not a valid .DFF file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/riff.c b/cli/riff.c
+index de98c1e..7bddf63 100644
+--- a/cli/riff.c
+++ b/cli/riff.c
+@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         else {          // just copy unknown chunks to output file
+ 
+             int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
+-            char *buff = malloc (bytes_to_copy);
+            char *buff;
+
+            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+                error_line ("%s is not a valid .WAV file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 591d640..fa928a0 100644
+--- a/cli/wave64.c
+++ b/cli/wave64.c
+@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         }
+         else {          // just copy unknown chunks to output file
+             int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
+-            char *buff = malloc (bytes_to_copy);
+            char *buff;
+
+            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
+                error_line ("%s is not a valid .W64 file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+-- 
+2.14.3
+
--- a/wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
+++ b/wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
@ -0,0 +1,63 @@
+From 26cb47f99d481ad9b93eeff80d26e6b63bbd7e15 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 22:18:07 -0700
+Subject: [PATCH 2/2] issue #30 issue #31 issue #32: no multiple format chunks
+ in WAV or W64
+
+---
+ cli/riff.c   | 7 ++++++-
+ cli/wave64.c | 6 ++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/cli/riff.c b/cli/riff.c
+index 7bddf63..5d6452e 100644
+--- a/cli/riff.c
+++ b/cli/riff.c
+@@ -53,7 +53,7 @@ extern int debug_logging_mode;
+ 
+ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+-    int is_rf64 = !strncmp (fourcc, "RF64", 4), got_ds64 = 0;
+    int is_rf64 = !strncmp (fourcc, "RF64", 4), got_ds64 = 0, format_chunk = 0;
+     int64_t total_samples = 0, infilesize;
+     RiffChunkHeader riff_chunk_header;
+     ChunkHeader chunk_header;
+@@ -140,6 +140,11 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         else if (!strncmp (chunk_header.ckID, "fmt ", 4)) {     // if it's the format chunk, we want to get some info out of there and
+             int supported = TRUE, format;                        // make sure it's a .wav file we can handle
+ 
+            if (format_chunk++) {
+                error_line ("%s is not a valid .WAV file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+             if (chunk_header.ckSize < 16 || chunk_header.ckSize > sizeof (WaveHeader) ||
+                 !DoReadFile (infile, &WaveHeader, chunk_header.ckSize, &bcount) ||
+                 bcount != chunk_header.ckSize) {
+diff --git a/cli/wave64.c b/cli/wave64.c
+index fa928a0..0388dc7 100644
+--- a/cli/wave64.c
+++ b/cli/wave64.c
+@@ -53,6 +53,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+     Wave64ChunkHeader chunk_header;
+     Wave64FileHeader filehdr;
+     WaveHeader WaveHeader;
+    int format_chunk = 0;
+     uint32_t bcount;
+ 
+     infilesize = DoGetFileSize (infile);
+@@ -104,6 +105,11 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         if (!memcmp (chunk_header.ckID, fmt_guid, sizeof (fmt_guid))) {
+             int supported = TRUE, format;
+ 
+            if (format_chunk++) {
+                error_line ("%s is not a valid .W64 file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+             chunk_header.ckSize = (chunk_header.ckSize + 7) & ~7L;
+ 
+             if (chunk_header.ckSize < 16 || chunk_header.ckSize > sizeof (WaveHeader) ||
+-- 
+2.14.3
+
--- a/wavpack.spec
+++ b/wavpack.spec
@ -1,7 +1,7 @@
 Name:		wavpack
 Summary:	A completely open audiocodec
 Version:	5.1.0
-Release:	7%{?dist}
+Release:	8%{?dist}
 License:	BSD
 Group:		Applications/Multimedia
 Url:		http://www.wavpack.com/
@ -9,6 +9,8 @@ Source:		http://www.wavpack.com/%{name}-%{version}.tar.bz2
 Patch1:		wavpack-0001-issue-27-do-not-overwrite-stack-on-corrupt-RF64-file.patch
 Patch2:		wavpack-0002-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fil.patch
 Patch3:		wavpack-0003-issue-28-fix-buffer-overflows-and-bad-allocs-on-corr.patch
+Patch4:		wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
+Patch5:		wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
 # For autoreconf
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -69,6 +71,10 @@ rm -f %{buildroot}/%{_libdir}/*.la
 %doc ChangeLog README

 %changelog
+* Tue May 22 2018 Miroslav Lichvar <mlichvar@redhat.com> - 5.1.0-8
+- Fix for CVE-2018-10536, CVE-2018-10537, CVE-2018-10538, CVE-2018-10539,
+  CVE-2018-10540
+
 * Tue Feb 20 2018 Peter Lemenkov <lemenkov@gmail.com> - 5.1.0-7
 - Fix for CVE-2018-6767, CVE-2018-7253, and two more GH issues