]> code.ossystems Code Review - openembedded-core.git/commitdiff
Code Review / openembedded-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: e6b272b)
libsndfile1: fix CVE-2019-3832
authorRoss Burton <ross.burton@intel.com>
Mon, 25 Mar 2019 23:21:08 +0000 (23:21 +0000)
committerArmin Kuster <akuster808@gmail.com>
Sat, 13 Apr 2019 19:49:11 +0000 (12:49 -0700)
The previous fix for CVE-2018-19758 wasn't complete, so backport another patch
to solve it properly.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch [new file with mode: 0644] patch | blob
meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb patch | blob | history

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
new file mode 100644 (file)
index 0000000..ab37211
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
@@ -0,0 +1,37 @@
+From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 5 Mar 2019 11:27:17 +0100
+Subject: [PATCH] wav_write_header: don't read past the array end
+
+CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
+
+CVE: CVE-2019-3832
+Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+If loop_count is bigger than the array, truncate it to the array
+length (and not to 32k).
+
+CVE-2019-3832
+
+---
+ src/wav.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index daae3cc..8851549 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+               psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+               psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+-              /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+-              psf->instrument->loop_count &= 0x7fff ;
++              /* Make sure we don't read past the loops array end. */
++              if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++                      psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+               for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+               {       int type ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index eb2c719d8daf6f443ef2c654c938a907f3f5c5f7..77393db84705a129f96bac19b0419e1f738664a8 100644 (file)
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2018-19432.patch \
            file://CVE-2017-12562.patch \
            file://CVE-2018-19758.patch \
+           file://CVE-2019-3832.patch \
           "
 
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
Mirror of the official openembedded-core repository