Brad Bishop | bba38f3 | 2018-08-23 16:11:46 +0800 | [diff] [blame] | 1 | From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 |
| 2 | From: Scott Gayou <github.scott@gmail.com> |
| 3 | Date: Mon, 4 Jun 2018 11:34:36 -0400 |
| 4 | Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) |
| 5 | |
| 6 | This CVE is caused by a failure to check the minimum length |
| 7 | of a ogg flac header. This header is detailed in full at: |
| 8 | https://xiph.org/flac/ogg_mapping.html. Added more strict checking |
| 9 | for entire header. |
| 10 | |
| 11 | Upstream-Status: Backport |
| 12 | [https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278] |
| 13 | |
| 14 | CVE: CVE-2018-11439 |
| 15 | |
| 16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| 17 | --- |
| 18 | taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- |
| 19 | 1 file changed, 12 insertions(+), 2 deletions(-) |
| 20 | |
| 21 | diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp |
| 22 | index 53d0450..07ea9dc 100644 |
| 23 | --- a/taglib/ogg/flac/oggflacfile.cpp |
| 24 | +++ b/taglib/ogg/flac/oggflacfile.cpp |
| 25 | @@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() |
| 26 | |
| 27 | if(!metadataHeader.startsWith("fLaC")) { |
| 28 | // FLAC 1.1.2+ |
| 29 | + // See https://xiph.org/flac/ogg_mapping.html for the header specification. |
| 30 | + if(metadataHeader.size() < 13) |
| 31 | + return; |
| 32 | + |
| 33 | + if(metadataHeader[0] != 0x7f) |
| 34 | + return; |
| 35 | + |
| 36 | if(metadataHeader.mid(1, 4) != "FLAC") |
| 37 | return; |
| 38 | |
| 39 | - if(metadataHeader[5] != 1) |
| 40 | - return; // not version 1 |
| 41 | + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) |
| 42 | + return; // not version 1.0 |
| 43 | + |
| 44 | + if(metadataHeader.mid(9, 4) != "fLaC") |
| 45 | + return; |
| 46 | |
| 47 | metadataHeader = metadataHeader.mid(13); |
| 48 | } |
| 49 | -- |
| 50 | 2.7.4 |
| 51 | |