Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame] | 1 | There is a heap-based buffer over-read at wav.c in wav_write_header in |
| 2 | libsndfile 1.0.28 that will cause a denial of service. |
| 3 | |
| 4 | CVE: CVE-2018-19758 |
| 5 | Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e] |
| 6 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 7 | |
| 8 | From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001 |
| 9 | From: Erik de Castro Lopo <erikd@mega-nerd.com> |
| 10 | Date: Tue, 1 Jan 2019 20:11:46 +1100 |
| 11 | Subject: [PATCH] src/wav.c: Fix heap read overflow |
| 12 | |
| 13 | This is CVE-2018-19758. |
| 14 | |
| 15 | Closes: https://github.com/erikd/libsndfile/issues/435 |
| 16 | --- |
| 17 | src/wav.c | 2 ++ |
| 18 | 1 file changed, 2 insertions(+) |
| 19 | |
| 20 | diff --git a/src/wav.c b/src/wav.c |
| 21 | index e8405b55..6fb94ae8 100644 |
| 22 | --- a/src/wav.c |
| 23 | +++ b/src/wav.c |
| 24 | @@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) |
| 25 | psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ |
| 26 | psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; |
| 27 | |
| 28 | + /* Loop count is signed 16 bit number so we limit it range to something sensible. */ |
| 29 | + psf->instrument->loop_count &= 0x7fff ; |
| 30 | for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) |
| 31 | { int type ; |
| 32 | |
| 33 | -- |
| 34 | 2.11.0 |