meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

CVE: CVE-2018-19758
Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e]
Signed-off-by: Ross Burton <ross.burton@intel.com>

From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue, 1 Jan 2019 20:11:46 +1100
Subject: [PATCH] src/wav.c: Fix heap read overflow

This is CVE-2018-19758.

Closes: https://github.com/erikd/libsndfile/issues/435
---
 src/wav.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/wav.c b/src/wav.c
index e8405b55..6fb94ae8 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
 		psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
 		psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
 
+		/* Loop count is signed 16 bit number so we limit it range to something sensible. */
+		psf->instrument->loop_count &= 0x7fff ;
 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
 		{	int type ;
 
-- 
2.11.0