Brad Bishop | 316dfdd | 2018-06-25 12:45:53 -0400 | [diff] [blame] | 1 | From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001 |
| 2 | From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> |
| 3 | Date: Wed, 15 Nov 2017 18:22:59 +0100 |
| 4 | Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb |
| 5 | if not initialized |
| 6 | |
| 7 | If the number of channels is not within the allowed range |
| 8 | we call oggback_writeclear altough it's not initialized yet. |
| 9 | |
| 10 | This fixes |
| 11 | |
| 12 | =23371== Invalid free() / delete / delete[] / realloc() |
| 13 | ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) |
| 14 | ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) |
| 15 | ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) |
| 16 | ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) |
| 17 | ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) |
| 18 | ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) |
| 19 | ==23371== by 0x10D82A: open_output_file (sox.c:1556) |
| 20 | ==23371== by 0x10D82A: process (sox.c:1753) |
| 21 | ==23371== by 0x10D82A: main (sox.c:3012) |
| 22 | ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd |
| 23 | ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) |
| 24 | ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) |
| 25 | ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) |
| 26 | ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) |
| 27 | ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) |
| 28 | ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) |
| 29 | ==23371== by 0x10D82A: open_output_file (sox.c:1556) |
| 30 | ==23371== by 0x10D82A: process (sox.c:1753) |
| 31 | ==23371== by 0x10D82A: main (sox.c:3012) |
| 32 | |
| 33 | as seen when using the testcase from CVE-2017-11333 with |
| 34 | 008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was |
| 35 | there before. |
| 36 | |
| 37 | Upstream-Status: Backport |
| 38 | CVE: CVE-2017-14632 |
| 39 | |
| 40 | Reference to upstream patch: |
| 41 | https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f |
| 42 | |
| 43 | Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> |
| 44 | --- |
| 45 | lib/info.c | 1 + |
| 46 | 1 file changed, 1 insertion(+) |
| 47 | |
| 48 | diff --git a/lib/info.c b/lib/info.c |
| 49 | index 81b7557..4d82568 100644 |
| 50 | --- a/lib/info.c |
| 51 | +++ b/lib/info.c |
| 52 | @@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, |
| 53 | private_state *b=v->backend_state; |
| 54 | |
| 55 | if(!b||vi->channels<=0||vi->channels>256){ |
| 56 | + b = NULL; |
| 57 | ret=OV_EFAULT; |
| 58 | goto err_out; |
| 59 | } |
| 60 | -- |
| 61 | 2.16.2 |
| 62 | |