| From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001 |
| From: Erik de Castro Lopo <erikd@mega-nerd.com> |
| Date: Fri, 14 Apr 2017 15:19:16 +1000 |
| Subject: [PATCH] src/flac.c: Fix a buffer read overflow |
| |
| A file (generated by a fuzzer) which increased the number of channels |
| from one frame to the next could cause a read beyond the end of the |
| buffer provided by libFLAC. The only option is to abort the read. |
| |
| Closes: https://github.com/erikd/libsndfile/issues/231 |
| |
| CVE: CVE-2017-8362 |
| |
| Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808] |
| |
| Signed-off-by: Jackie Huang <jackie.huang@windriver.com> |
| --- |
| src/flac.c | 11 +++++++++-- |
| 1 file changed, 9 insertions(+), 2 deletions(-) |
| |
| diff --git a/src/flac.c b/src/flac.c |
| index 5a4f8c2..e4f9aaa 100644 |
| --- a/src/flac.c |
| +++ b/src/flac.c |
| @@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf) |
| const int32_t* const *buffer = pflac->wbuffer ; |
| unsigned i = 0, j, offset, channels, len ; |
| |
| + if (psf->sf.channels != (int) frame->header.channels) |
| + { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n" |
| + "Nothing to do but to error out.\n" , |
| + psf->sf.channels, frame->header.channels) ; |
| + psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; |
| + return 0 ; |
| + } ; |
| + |
| /* |
| ** frame->header.blocksize is variable and we're using a constant blocksize |
| ** of FLAC__MAX_BLOCK_SIZE. |
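Review bot: The new guard's log call prints `frame->header.channels` with `%d`, but in libFLAC `FLAC__FrameHeader.channels` is `unsigned`, so the matching conversion is `%u` — `"Error: FLAC frame changed from %d to %u channels\n"` — assuming psf_log_printf accepts `%u` the way it accepts `%d` elsewhere in this file. The check itself is the right place for it: it compares the per-frame header against `psf->sf.channels` before the copy loop indexes the libFLAC-provided `buffer` by channel, mirroring the STREAMINFO check in sf_flac_meta_callback (the hunk at `@@ -436`). flac_buffer_copy's body starts above this hunk, and the path by which its `return 0` reaches libFLAC is not visible here; it is worth confirming that the decoder write callback checks `psf->error` and returns an abort status so decoding stops rather than continuing with the mismatched frame.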
| @@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf) |
| return 0 ; |
| } ; |
| |
| - |
| len = SF_MIN (pflac->len, frame->header.blocksize) ; |
| |
| if (pflac->remain % channels != 0) |
| @@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ |
| { case FLAC__METADATA_TYPE_STREAMINFO : |
| if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) |
| { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" |
| - "Nothing to be but to error out.\n" , |
| + "Nothing to do but to error out.\n" , |
| psf->sf.channels, metadata->data.stream_info.channels) ; |
| psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; |
| return ; |
| -- |
| 2.7.4 |
| |