Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400
From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort <pochu27@gmail.com>
Date: Tue, 5 Mar 2019 11:27:17 +0100
Subject: [PATCH] wav_write_header: don't read past the array end

CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.

CVE: CVE-2019-3832
Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
Signed-off-by: Ross Burton <ross.burton@intel.com>

If loop_count is bigger than the array, truncate it to the array
length (and not to 32k).

CVE-2019-3832

---
 src/wav.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/wav.c b/src/wav.c
index daae3cc..8851549 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;

- /* Loop count is signed 16 bit number so we limit it range to something sensible. */
- psf->instrument->loop_count &= 0x7fff ;
+ /* Make sure we don't read past the loops array end. */
+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
+
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
{ int type ;

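Review bot: the new clamp is applied after loop_count has already been written into the header two lines above it (psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;), so an oversized loop_count still lands in the smpl chunk's loop-count field while the for loop below emits only ARRAY_LEN (psf->instrument->loops) entries; move the ARRAY_LEN check above that write so the header field and the number of loops actually written agree. Note also that the removed `&= 0x7fff` mask normalized the value the old comment describes as a signed 16-bit number, whereas the replacement only caps the upper bound, so if a negative loop_count can reach this point it is now written unchanged; a `< 0` check alongside the upper-bound clamp (or a short justification in the commit message for why it is unreachable) would close that gap.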