From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001 From: Erik de Castro Lopo Date: Thu, 8 Mar 2018 18:00:21 +1100 Subject: [PATCH] Fix max channel count bug The code was allowing files to be written with a channel count of exactly `SF_MAX_CHANNELS` but was failing to read some file formats with the same channel count. Upstream-Status: Backport [https://github.com/erikd/libsndfile/ commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5] CVE: CVE-2018-19432 Signed-off-by: Changqing Li --- src/aiff.c | 6 +++--- src/rf64.c | 4 ++-- src/w64.c | 4 ++-- src/wav.c | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/aiff.c b/src/aiff.c index fbd43cb..6386bce 100644 --- a/src/aiff.c +++ b/src/aiff.c @@ -1,5 +1,5 @@ /* -** Copyright (C) 1999-2016 Erik de Castro Lopo +** Copyright (C) 1999-2018 Erik de Castro Lopo ** Copyright (C) 2005 David Viens ** ** This program is free software; you can redistribute it and/or modify @@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_ if (psf->sf.channels < 1) return SFE_CHANNEL_COUNT_ZERO ; - if (psf->sf.channels >= SF_MAX_CHANNELS) + if (psf->sf.channels > SF_MAX_CHANNELS) return SFE_CHANNEL_COUNT ; if (! (found_chunk & HAVE_FORM)) @@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ; psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ; - if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS) + if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS) { psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ; return SFE_CHANNEL_COUNT_BAD ; } ; diff --git a/src/rf64.c b/src/rf64.c index d57f0f3..876cd45 100644 --- a/src/rf64.c +++ b/src/rf64.c @@ -1,5 +1,5 @@ /* -** Copyright (C) 2008-2017 Erik de Castro Lopo +** Copyright (C) 2008-2018 Erik de Castro Lopo ** Copyright (C) 2009 Uli Franke ** ** This program is free software; you can redistribute it and/or modify @@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int * if (psf->sf.channels < 1) return SFE_CHANNEL_COUNT_ZERO ; - if (psf->sf.channels >= SF_MAX_CHANNELS) + if (psf->sf.channels > SF_MAX_CHANNELS) return SFE_CHANNEL_COUNT ; /* WAVs can be little or big endian */ diff --git a/src/w64.c b/src/w64.c index 939b716..a37d2c5 100644 --- a/src/w64.c +++ b/src/w64.c @@ -1,5 +1,5 @@ /* -** Copyright (C) 1999-2016 Erik de Castro Lopo +** Copyright (C) 1999-2018 Erik de Castro Lopo ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU Lesser General Public License as published by @@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE *psf, int *b if (psf->sf.channels < 1) return SFE_CHANNEL_COUNT_ZERO ; - if (psf->sf.channels >= SF_MAX_CHANNELS) + if (psf->sf.channels > SF_MAX_CHANNELS) return SFE_CHANNEL_COUNT ; psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */ diff --git a/src/wav.c b/src/wav.c index 7bd97bc..dc97545 100644 --- a/src/wav.c +++ b/src/wav.c @@ -1,5 +1,5 @@ /* -** Copyright (C) 1999-2016 Erik de Castro Lopo +** Copyright (C) 1999-2018 Erik de Castro Lopo ** Copyright (C) 2004-2005 David Viens ** ** This program is free software; you can redistribute it and/or modify @@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE *psf, int *b if (psf->sf.channels < 1) return SFE_CHANNEL_COUNT_ZERO ; - if (psf->sf.channels >= SF_MAX_CHANNELS) + if (psf->sf.channels > SF_MAX_CHANNELS) return SFE_CHANNEL_COUNT ; if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0) -- 1.7.9.5