jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-07-28 05:36:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

package/libsndfile: fix CVE-2018-19758

Browse Source 
There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2020-03-04 23:21:02 +01:00 committed by Peter Korsgaard
parent 9e2128bf50
commit 27acdca7ee
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
package/libsndfile/0004-src-wav.c-Fix-heap-read-overflow.patch Normal file
View File

@ -0,0 +1,35 @@
From 42132c543358cee9f7c3e9e9b15bb6c1063a608e Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue, 1 Jan 2019 20:11:46 +1100
Subject: [PATCH] src/wav.c: Fix heap read overflow
This is CVE-2018-19758.
Closes: https://github.com/erikd/libsndfile/issues/435
[Retrieved (and backported) from:
https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/wav.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/wav.c b/src/wav.c
index 9d71aadb..5c825f2a 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -1,5 +1,5 @@
/*
-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2019 Erik de Castro Lopo <erikd@mega-nerd.com>
** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
**
** This program is free software; you can redistribute it and/or modify
@@ -1146,6 +1146,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
psf_binheader_writef (psf, "44", BHW4 (0), BHW4 (0)) ; /* SMTPE format */
psf_binheader_writef (psf, "44", BHW4 (psf->instrument->loop_count), BHW4 (0)) ;
+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+ psf->instrument->loop_count &= 0x7fff ;
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
{ int type ;

2
package/libsndfile/libsndfile.mk
View File

@ -20,6 +20,8 @@ LIBSNDFILE_IGNORE_CVES += \
CVE-2018-19661 CVE-2018-19662 CVE-2018-19661 CVE-2018-19662
# disputed, https://github.com/erikd/libsndfile/issues/398 # disputed, https://github.com/erikd/libsndfile/issues/398
LIBSNDFILE_IGNORE_CVES += CVE-2018-13419 LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
# 0004-src-wav.c-Fix-heap-read-overflow.patch
LIBSNDFILE_IGNORE_CVES += CVE-2018-19758
LIBSNDFILE_CONF_OPTS = \ LIBSNDFILE_CONF_OPTS = \
--disable-sqlite \ --disable-sqlite \