blob: ab37211399f75992e99fe31b0114dcac54de5ade [file] [log] [blame]
Brad Bishop19323692019-04-05 15:28:33 -04001From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
2From: Emilio Pozuelo Monfort <pochu27@gmail.com>
3Date: Tue, 5 Mar 2019 11:27:17 +0100
4Subject: [PATCH] wav_write_header: don't read past the array end
5
6CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
7
8CVE: CVE-2019-3832
9Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
10Signed-off-by: Ross Burton <ross.burton@intel.com>
11
12If loop_count is bigger than the array, truncate it to the array
13length (and not to 32k).
14
15CVE-2019-3832
16
17---
18 src/wav.c | 6 ++++--
19 1 file changed, 4 insertions(+), 2 deletions(-)
20
21diff --git a/src/wav.c b/src/wav.c
22index daae3cc..8851549 100644
23--- a/src/wav.c
24+++ b/src/wav.c
25@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
26 psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
27 psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
28
29- /* Loop count is signed 16 bit number so we limit it range to something sensible. */
30- psf->instrument->loop_count &= 0x7fff ;
31+ /* Make sure we don't read past the loops array end. */
32+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
33+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
34+
35 for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
36 { int type ;
37