| Brad Bishop | f8caae3 | 2019-03-25 13:13:56 -0400 | [diff] [blame] | 1 | From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001 |
| 2 | From: Erik de Castro Lopo <erikd@mega-nerd.com> |
| 3 | Date: Thu, 8 Mar 2018 18:00:21 +1100 |
| 4 | Subject: [PATCH] Fix max channel count bug |
| 5 | |
| 6 | The code was allowing files to be written with a channel count of exactly |
| 7 | `SF_MAX_CHANNELS` but was failing to read some file formats with the same |
| 8 | channel count. |
| 9 | |
| 10 | Upstream-Status: Backport [https://github.com/erikd/libsndfile/ |
| 11 | commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5] |
| 12 | |
| 13 | CVE: CVE-2018-19432 |
| 14 | |
| 15 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 16 | |
| 17 | --- |
| 18 | src/aiff.c | 6 +++--- |
| 19 | src/rf64.c | 4 ++-- |
| 20 | src/w64.c | 4 ++-- |
| 21 | src/wav.c | 4 ++-- |
| 22 | 4 files changed, 9 insertions(+), 9 deletions(-) |
| 23 | |
| 24 | diff --git a/src/aiff.c b/src/aiff.c |
| 25 | index fbd43cb..6386bce 100644 |
| 26 | --- a/src/aiff.c |
| 27 | +++ b/src/aiff.c |
| 28 | @@ -1,5 +1,5 @@ |
| 29 | /* |
| 30 | -** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 31 | +** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 32 | ** Copyright (C) 2005 David Viens <davidv@plogue.com> |
| 33 | ** |
| 34 | ** This program is free software; you can redistribute it and/or modify |
| 35 | @@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_ |
| 36 | if (psf->sf.channels < 1) |
| 37 | return SFE_CHANNEL_COUNT_ZERO ; |
| 38 | |
| 39 | - if (psf->sf.channels >= SF_MAX_CHANNELS) |
| 40 | + if (psf->sf.channels > SF_MAX_CHANNELS) |
| 41 | return SFE_CHANNEL_COUNT ; |
| 42 | |
| 43 | if (! (found_chunk & HAVE_FORM)) |
| 44 | @@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C |
| 45 | psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ; |
| 46 | psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ; |
| 47 | |
| 48 | - if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS) |
| 49 | + if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS) |
| 50 | { psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ; |
| 51 | return SFE_CHANNEL_COUNT_BAD ; |
| 52 | } ; |
| 53 | diff --git a/src/rf64.c b/src/rf64.c |
| 54 | index d57f0f3..876cd45 100644 |
| 55 | --- a/src/rf64.c |
| 56 | +++ b/src/rf64.c |
| 57 | @@ -1,5 +1,5 @@ |
| 58 | /* |
| 59 | -** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 60 | +** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 61 | ** Copyright (C) 2009 Uli Franke <cls@nebadje.org> |
| 62 | ** |
| 63 | ** This program is free software; you can redistribute it and/or modify |
| 64 | @@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int * |
| 65 | if (psf->sf.channels < 1) |
| 66 | return SFE_CHANNEL_COUNT_ZERO ; |
| 67 | |
| 68 | - if (psf->sf.channels >= SF_MAX_CHANNELS) |
| 69 | + if (psf->sf.channels > SF_MAX_CHANNELS) |
| 70 | return SFE_CHANNEL_COUNT ; |
| 71 | |
| 72 | /* WAVs can be little or big endian */ |
| 73 | diff --git a/src/w64.c b/src/w64.c |
| 74 | index 939b716..a37d2c5 100644 |
| 75 | --- a/src/w64.c |
| 76 | +++ b/src/w64.c |
| 77 | @@ -1,5 +1,5 @@ |
| 78 | /* |
| 79 | -** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 80 | +** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 81 | ** |
| 82 | ** This program is free software; you can redistribute it and/or modify |
| 83 | ** it under the terms of the GNU Lesser General Public License as published by |
| 84 | @@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE *psf, int *b |
| 85 | if (psf->sf.channels < 1) |
| 86 | return SFE_CHANNEL_COUNT_ZERO ; |
| 87 | |
| 88 | - if (psf->sf.channels >= SF_MAX_CHANNELS) |
| 89 | + if (psf->sf.channels > SF_MAX_CHANNELS) |
| 90 | return SFE_CHANNEL_COUNT ; |
| 91 | |
| 92 | psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */ |
| 93 | diff --git a/src/wav.c b/src/wav.c |
| 94 | index 7bd97bc..dc97545 100644 |
| 95 | --- a/src/wav.c |
| 96 | +++ b/src/wav.c |
| 97 | @@ -1,5 +1,5 @@ |
| 98 | /* |
| 99 | -** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 100 | +** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> |
| 101 | ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com> |
| 102 | ** |
| 103 | ** This program is free software; you can redistribute it and/or modify |
| 104 | @@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE *psf, int *b |
| 105 | if (psf->sf.channels < 1) |
| 106 | return SFE_CHANNEL_COUNT_ZERO ; |
| 107 | |
| 108 | - if (psf->sf.channels >= SF_MAX_CHANNELS) |
| 109 | + if (psf->sf.channels > SF_MAX_CHANNELS) |
| 110 | return SFE_CHANNEL_COUNT ; |
| 111 | |
| 112 | if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0) |
| 113 | -- |
| 114 | 1.7.9.5 |
| 115 | |