1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
|
From c7ce5b0ebeeb58934825077d1324960aa0747718 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Tue, 10 Oct 2023 16:10:34 -0400
Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
The clang sanitizer warns of a possible signed integer overflow when
calculating the `dataend` value in `mat4_read_header()`.
```
src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
```
Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
`dataend` before performing the calculation, to avoid the issue.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/789
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Upstream-Status: Backport [9a829113c88a51e57c1e46473e90609e4b7df151]
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/mat4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mat4.c b/src/mat4.c
index 0b1b414b..575683ba 100644
--- a/src/mat4.c
+++ b/src/mat4.c
@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
}
else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
From 842303f984b2081481e74cb84a9a24ecbe3dec1a Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 16:36:02 -0400
Subject: [PATCH] au: avoid int overflow while calculating data_end
At several points in au_read_header(), we calculate the functional end
of the data segment by adding the (int)au_fmt.dataoffset and the
(int)au_fmt.datasize. This can overflow the implicit int_32 return value
and cause undefined behavior.
Instead, precalculate the value and assign it to a 64-bit
(sf_count_t)data_end variable.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/au.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/au.c b/src/au.c
index 62bd691d..f68f2587 100644
--- a/src/au.c
+++ b/src/au.c
@@ -291,6 +291,7 @@ static int
au_read_header (SF_PRIVATE *psf)
{ AU_FMT au_fmt ;
int marker, dword ;
+ sf_count_t data_end ;
memset (&au_fmt, 0, sizeof (au_fmt)) ;
psf_binheader_readf (psf, "pm", 0, &marker) ;
@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
return SFE_AU_EMBED_BAD_LEN ;
} ;
+ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
if (psf->fileoffset > 0)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ { psf->filelength = data_end ;
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
}
- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
+ else if (au_fmt.datasize == -1 || data_end == psf->filelength)
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ else if (data_end < psf->filelength)
+ { psf->filelength = data_end ;
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
}
else
From 0754d3380a54e3fbdde0f684b88955c80c79f58f Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 16:46:29 -0400
Subject: [PATCH] avr: fix int overflow in avr_read_header()
Pre-cast hdr.frames to sf_count_t, to provide the calculation with
enough numeric space to avoid an int-overflow.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/avr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/avr.c b/src/avr.c
index 6c78ff69..1bc1ffc9 100644
--- a/src/avr.c
+++ b/src/avr.c
@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf)
psf->endian = SF_ENDIAN_BIG ;
psf->dataoffset = AVR_HDR_SIZE ;
- psf->datalength = hdr.frames * (hdr.rez / 8) ;
+ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ;
if (psf->fileoffset > 0)
psf->filelength = AVR_HDR_SIZE + psf->datalength ;
From 6ac31a68a614e2bba4a05b54e5558d6270c98376 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 16:54:21 -0400
Subject: [PATCH] sds: fix int overflow warning in sample calculations
The sds_*byte_read() functions compose their uint_32 sample buffers by
shifting 7bit samples into a 32bit wide buffer, and adding them
together. Because the 7bit samples are stored in 32bit ints, code
fuzzers become concerned that the addition operation can overflow and
cause undefined behavior.
Instead, bitwise-OR the bytes together - which should accomplish the
same arithmetic operation, without risking an int-overflow.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Do the same for the 3byte and 4byte read functions.
---
src/sds.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sds.c b/src/sds.c
index 6bc76171..2a0f164c 100644
--- a/src/sds.c
+++ b/src/sds.c
@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 2)
- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ;
+ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ;
psds->read_samples [k / 2] = (int) (sample - 0x80000000) ;
} ;
@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 3)
- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ;
+ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ;
psds->read_samples [k / 3] = (int) (sample - 0x80000000) ;
} ;
@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 4)
- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ;
+ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ;
psds->read_samples [k / 4] = (int) (sample - 0x80000000) ;
} ;
From 96428e1dd4998f1cd47df24f8fe9b0da35d7b947 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 17:26:51 -0400
Subject: [PATCH] aiff: fix int overflow when counting header elements
aiff_read_basc_chunk() tries to count the AIFF header size by keeping
track of the bytes returned by psf_binheader_readf(). Though improbable,
it is technically possible for these added bytes to exceed the int-sized
`count` accumulator.
Use a 64-bit sf_count_t type for `count`, to ensure that it always has
enough numeric space.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/aiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/aiff.c b/src/aiff.c
index a2bda8f4..6b244302 100644
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -1702,7 +1702,7 @@ static int
aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize)
{ const char * type_str ;
basc_CHUNK bc ;
- int count ;
+ sf_count_t count ;
count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ;
count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
From b352c350d35bf978e4d3a32e5d9df1f2284445f4 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 17:43:02 -0400
Subject: [PATCH] ircam: fix int overflow in ircam_read_header()
When reading the IRCAM header, it is possible for the calculated
blockwidth to exceed the bounds of a signed int32.
Use a 64bit sf_count_t to store the blockwidth.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/common.h | 2 +-
src/ircam.c | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/common.h b/src/common.h
index d92eabde..5369cb67 100644
--- a/src/common.h
+++ b/src/common.h
@@ -439,7 +439,7 @@ typedef struct sf_private_tag
sf_count_t datalength ; /* Length in bytes of the audio data. */
sf_count_t dataend ; /* Offset to file tailer. */
- int blockwidth ; /* Size in bytes of one set of interleaved samples. */
+ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */
int bytewidth ; /* Size in bytes of one sample (one channel). */
void *dither ;
diff --git a/src/ircam.c b/src/ircam.c
index 8e7cdba8..3d73ba44 100644
--- a/src/ircam.c
+++ b/src/ircam.c
@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf)
switch (encoding)
{ case IRCAM_PCM_16 :
psf->bytewidth = 2 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ;
break ;
case IRCAM_PCM_32 :
psf->bytewidth = 4 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ;
break ;
case IRCAM_FLOAT :
psf->bytewidth = 4 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ;
break ;
case IRCAM_ALAW :
psf->bytewidth = 1 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ;
break ;
case IRCAM_ULAW :
psf->bytewidth = 1 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ;
break ;
From 3bcd291e57867f88f558fa6f80990e84311df78c Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 16:12:22 -0400
Subject: [PATCH] mat4/mat5: fix int overflow when calculating blockwidth
Pre-cast the components of the blockwidth calculation to sf_count_t to
avoid overflowing integers during calculation.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/mat4.c | 2 +-
src/mat5.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mat4.c b/src/mat4.c
index 575683ba..9f046f0c 100644
--- a/src/mat4.c
+++ b/src/mat4.c
@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf)
psf->container_close = mat4_close ;
- psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
switch (subformat)
{ case SF_FORMAT_PCM_16 :
diff --git a/src/mat5.c b/src/mat5.c
index da5a6eca..20f0ea64 100644
--- a/src/mat5.c
+++ b/src/mat5.c
@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf)
psf->container_close = mat5_close ;
- psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
switch (subformat)
{ case SF_FORMAT_PCM_U8 :
From c177e292d47ef73b1d3c1bb391320299a0ed2ff9 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Mon, 16 Oct 2023 12:37:47 -0400
Subject: [PATCH] common: fix int overflow in psf_binheader_readf()
The psf_binheader_readf() function attempts to count and return the
number of bytes traversed in the header. During this accumulation, it is
possible to overflow the int-sized byte_count variable.
Avoid this overflow by checking that the accumulated bytes do not exceed
INT_MAX and throwing an error if they do. This implies that files with
multi-gigabyte headers threaten to produce this error, but I imagine
those files don't really exist - and this error is better than the
undefined behavior which would have resulted previously.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
src/common.c | 36 ++++++++++++++++++++++++------------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/common.c b/src/common.c
index 1c3d951d..7f6cceca 100644
--- a/src/common.c
+++ b/src/common.c
@@ -18,6 +18,7 @@
#include <config.h>
+#include <limits.h>
#include <stdarg.h>
#include <string.h>
#if HAVE_UNISTD_H
@@ -990,6 +991,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
double *doubleptr ;
char c ;
int byte_count = 0, count = 0 ;
+ int read_bytes = 0 ;
if (! format)
return psf_ftell (psf) ;
@@ -998,6 +1000,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
while ((c = *format++))
{
+ read_bytes = 0 ;
if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
break ;
@@ -1014,7 +1017,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, ucptr, sizeof (int)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (int)) ;
*intptr = GET_MARKER (ucptr) ;
break ;
@@ -1022,7 +1025,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
+ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
{ int k ;
intdata = 0 ;
for (k = 0 ; k < 16 ; k++)
@@ -1034,14 +1037,14 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case '1' :
charptr = va_arg (argptr, char*) ;
*charptr = 0 ;
- byte_count += header_read (psf, charptr, sizeof (char)) ;
+ read_bytes = header_read (psf, charptr, sizeof (char)) ;
break ;
case '2' : /* 2 byte value with the current endian-ness */
shortptr = va_arg (argptr, unsigned short*) ;
*shortptr = 0 ;
ucptr = (unsigned char*) shortptr ;
- byte_count += header_read (psf, ucptr, sizeof (short)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (short)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*shortptr = GET_BE_SHORT (ucptr) ;
else
@@ -1051,7 +1054,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case '3' : /* 3 byte value with the current endian-ness */
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
- byte_count += header_read (psf, sixteen_bytes, 3) ;
+ read_bytes = header_read (psf, sixteen_bytes, 3) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = GET_BE_3BYTE (sixteen_bytes) ;
else
@@ -1062,7 +1065,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, ucptr, sizeof (int)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (int)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = psf_get_be32 (ucptr, 0) ;
else
@@ -1072,7 +1075,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case '8' : /* 8 byte value with the current endian-ness */
countptr = va_arg (argptr, sf_count_t *) ;
*countptr = 0 ;
- byte_count += header_read (psf, sixteen_bytes, 8) ;
+ read_bytes = header_read (psf, sixteen_bytes, 8) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
countdata = psf_get_be64 (sixteen_bytes, 0) ;
else
@@ -1083,7 +1086,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case 'f' : /* Float conversion */
floatptr = va_arg (argptr, float *) ;
*floatptr = 0.0 ;
- byte_count += header_read (psf, floatptr, sizeof (float)) ;
+ read_bytes = header_read (psf, floatptr, sizeof (float)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*floatptr = float32_be_read ((unsigned char*) floatptr) ;
else
@@ -1093,7 +1096,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case 'd' : /* double conversion */
doubleptr = va_arg (argptr, double *) ;
*doubleptr = 0.0 ;
- byte_count += header_read (psf, doubleptr, sizeof (double)) ;
+ read_bytes = header_read (psf, doubleptr, sizeof (double)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*doubleptr = double64_be_read ((unsigned char*) doubleptr) ;
else
@@ -1117,7 +1120,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
charptr = va_arg (argptr, char*) ;
count = va_arg (argptr, size_t) ;
memset (charptr, 0, count) ;
- byte_count += header_read (psf, charptr, count) ;
+ read_bytes = header_read (psf, charptr, count) ;
break ;
case 'G' :
@@ -1128,7 +1131,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
break ;
- byte_count += header_gets (psf, charptr, count) ;
+ read_bytes = header_gets (psf, charptr, count) ;
break ;
case 'z' :
@@ -1152,7 +1155,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
case 'j' : /* Seek to position from current position. */
count = va_arg (argptr, size_t) ;
header_seek (psf, count, SEEK_CUR) ;
- byte_count += count ;
+ read_bytes = count ;
break ;
case '!' : /* Clear buffer, forcing re-read. */
@@ -1164,8 +1167,17 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
psf->error = SFE_INTERNAL ;
break ;
} ;
+
+ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes))
+ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ;
+ psf->error = SFE_INTERNAL ;
+ break ;
+ } else
+ { byte_count += read_bytes ;
} ;
+ } ; /*end while*/
+
va_end (argptr) ;
return byte_count ;
From a23d563386e7c8d93dcdbe7d5b1d63cad6009116 Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Thu, 19 Oct 2023 14:07:19 -0400
Subject: [PATCH] nms_adpcm: fix int overflow in signal estimate
It is possible (though functionally incorrect) for the signal estimate
calculation in nms_adpcm_update() to overflow the int value of s_e,
resulting in undefined behavior.
Since adpcm state signal values are never practically larger than
16 bits, use smaller numeric sizes throughout the file to avoid the
overflow.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Authored-by: Arthur Taylor <art@ified.ca>
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Rebased-by: Alex Stewart <alex.stewart@ni.com>
---
src/nms_adpcm.c | 85 ++++++++++++++++++++++++-------------------------
1 file changed, 42 insertions(+), 43 deletions(-)
diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
index 96d6ad26..460ea077 100644
--- a/src/nms_adpcm.c
+++ b/src/nms_adpcm.c
@@ -48,36 +48,36 @@
/* Variable names from ITU G.726 spec */
struct nms_adpcm_state
{ /* Log of the step size multiplier. Operated on by codewords. */
- int yl ;
+ short yl ;
/* Quantizer step size multiplier. Generated from yl. */
- int y ;
+ short y ;
- /* Coefficents of the pole predictor */
- int a [2] ;
+ /* Coefficients of the pole predictor */
+ short a [2] ;
- /* Coefficents of the zero predictor */
- int b [6] ;
+ /* Coefficients of the zero predictor */
+ short b [6] ;
/* Previous quantized deltas (multiplied by 2^14) */
- int d_q [7] ;
+ short d_q [7] ;
/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
- int p [3] ;
+ short p [3] ;
/* Previous reconstructed signal values. */
- int s_r [2] ;
+ short s_r [2] ;
/* Zero predictor components of the signal estimate. */
- int s_ez ;
+ short s_ez ;
/* Signal estimate, (including s_ez). */
- int s_e ;
+ short s_e ;
/* The most recent codeword (enc:generated, dec:inputted) */
- int Ik ;
+ char Ik ;
- int parity ;
+ char parity ;
/*
** Offset into code tables for the bitrate.
@@ -109,7 +109,7 @@ typedef struct
} NMS_ADPCM_PRIVATE ;
/* Pre-computed exponential interval used in the antilog approximation. */
-static unsigned int table_expn [] =
+static unsigned short table_expn [] =
{ 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a,
0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892,
0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954,
@@ -117,21 +117,21 @@ static unsigned int table_expn [] =
} ;
/* Table mapping codewords to scale factor deltas. */
-static int table_scale_factor_step [] =
+static short table_scale_factor_step [] =
{ 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */
-0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */
-0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */
} ;
/* Table mapping codewords to quantized delta interval steps. */
-static unsigned int table_step [] =
+static unsigned short table_step [] =
{ 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */
0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */
0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */
} ;
/* Binary search lookup table for quantizing using table_step. */
-static int table_step_search [] =
+static short table_step_search [] =
{ 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */
0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */
0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */
@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset)
** Maps [1,20480] to [1,1024] in an exponential relationship. This is
** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
*/
-static inline int
-nms_adpcm_antilog (int exp)
-{ int ret ;
+static inline short
+nms_adpcm_antilog (short exp)
+{ int_fast32_t r ;
- ret = 0x1000 ;
- ret += (((exp & 0x3f) * 0x166b) >> 12) ;
- ret *= table_expn [(exp & 0x7c0) >> 6] ;
- ret >>= (26 - (exp >> 11)) ;
+ r = 0x1000 ;
+ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
+ r *= table_expn [(exp & 0x7c0) >> 6] ;
+ r >>= (26 - (exp >> 11)) ;
- return ret ;
+ return (short) r ;
} /* nms_adpcm_antilog */
static void
nms_adpcm_update (struct nms_adpcm_state *s)
{ /* Variable names from ITU G.726 spec */
- int a1ul ;
- int fa1 ;
+ short a1ul, fa1 ;
+ int_fast32_t se ;
int i ;
/* Decay and Modify the scale factor in the log domain based on the codeword. */
@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
else if (fa1 > 256)
fa1 = 256 ;
- s->a [0] = (0xff * s->a [0]) >> 8 ;
+ s->a [0] = (s->a [0] * 0xff) >> 8 ;
if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
s->a [0] -= 192 ;
else
@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
fa1 = -fa1 ;
}
- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
+ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
s->a [1] -= 128 ;
else
@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s)
s->a [0] = a1ul ;
} ;
- /* Compute the zero predictor estimate. Rotate past deltas too. */
- s->s_ez = 0 ;
+ /* Compute the zero predictor estimate and rotate past deltas. */
+ se = 0 ;
for (i = 5 ; i >= 0 ; i--)
- { s->s_ez += s->d_q [i] * s->b [i] ;
+ { se += (int_fast32_t) s->d_q [i] * s->b [i] ;
s->d_q [i + 1] = s->d_q [i] ;
} ;
+ s->s_ez = se >> 14 ;
- /* Compute the signal estimate. */
- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
-
- /* Return to scale */
- s->s_ez >>= 14 ;
- s->s_e >>= 14 ;
+ /* Complete the signal estimate. */
+ se += (int_fast32_t) s->a [0] * s->s_r [0] ;
+ se += (int_fast32_t) s->a [1] * s->s_r [1] ;
+ s->s_e = se >> 14 ;
/* Rotate members to prepare for next iteration. */
s->s_r [1] = s->s_r [0] ;
@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
static int16_t
nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
{ /* Variable names from ITU G.726 spec */
- int dqx ;
+ int_fast32_t dqx ;
/*
** The ordering of the 12-bit right-shift is a precision loss. It agrees
@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type)
/*
** nms_adpcm_encode_sample()
**
-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
+** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
** using and updating the predictor state.
*/
static uint8_t
nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
{ /* Variable names from ITU G.726 spec */
- int d ;
+ int_fast32_t d ;
uint8_t I ;
/* Down scale the sample from 16 => ~14 bits. */
- sl = (sl * 0x1fdf) / 0x7fff ;
+ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
/* Compute estimate, and delta from actual value */
nms_adpcm_update (s) ;
@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
*/
static int16_t
nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
-{ int sl ;
+{ int_fast32_t sl ;
nms_adpcm_update (s) ;
sl = nms_adpcm_reconstruct_sample (s, I) ;
|
