Blame - poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch - mdmillerii/openbmc

blob: c3586f9dfc85629db2b44888322dc1f0f545ac11 [file] [log] [blame]

Brad Bishop	1932369	2019-04-05 15:28:33 -0400	[diff] [blame^]	1	There is a heap-based buffer over-read at wav.c in wav_write_header in
				2	libsndfile 1.0.28 that will cause a denial of service.
				3
				4	CVE: CVE-2018-19758
				5	Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e]
				6	Signed-off-by: Ross Burton <ross.burton@intel.com>
				7
				8	From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001
				9	From: Erik de Castro Lopo <erikd@mega-nerd.com>
				10	Date: Tue, 1 Jan 2019 20:11:46 +1100
				11	Subject: [PATCH] src/wav.c: Fix heap read overflow
				12
				13	This is CVE-2018-19758.
				14
				15	Closes: https://github.com/erikd/libsndfile/issues/435
				16	---
				17	src/wav.c \| 2 ++
				18	1 file changed, 2 insertions(+)
				19
				20	diff --git a/src/wav.c b/src/wav.c
				21	index e8405b55..6fb94ae8 100644
				22	--- a/src/wav.c
				23	+++ b/src/wav.c
				24	@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
				25	psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
				26	psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
				27
				28	+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
				29	+ psf->instrument->loop_count &= 0x7fff ;
				30	for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
				31	{ int type ;
				32
				33	--
				34	2.11.0