| From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 |
| From: Scott Gayou <github.scott@gmail.com> |
| Date: Mon, 4 Jun 2018 11:34:36 -0400 |
| Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) |
| |
| This CVE is caused by a failure to check the minimum length |
| of a ogg flac header. This header is detailed in full at: |
| https://xiph.org/flac/ogg_mapping.html. Added more strict checking |
| for entire header. |
| |
| Upstream-Status: Backport |
| [https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278] |
| |
| CVE: CVE-2018-11439 |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- |
| 1 file changed, 12 insertions(+), 2 deletions(-) |
| |
| diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp |
| index 53d0450..07ea9dc 100644 |
| --- a/taglib/ogg/flac/oggflacfile.cpp |
| +++ b/taglib/ogg/flac/oggflacfile.cpp |
| @@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() |
| |
| if(!metadataHeader.startsWith("fLaC")) { |
| // FLAC 1.1.2+ |
| + // See https://xiph.org/flac/ogg_mapping.html for the header specification. |
| + if(metadataHeader.size() < 13) |
| + return; |
| + |
| + if(metadataHeader[0] != 0x7f) |
| + return; |
| + |
| if(metadataHeader.mid(1, 4) != "FLAC") |
| return; |
| |
| - if(metadataHeader[5] != 1) |
| - return; // not version 1 |
| + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) |
| + return; // not version 1.0 |
| + |
| + if(metadataHeader.mid(9, 4) != "fLaC") |
| + return; |
| |
| metadataHeader = metadataHeader.mid(13); |
| } |
| -- |
| 2.7.4 |
| |