
package/wavpack: fix CVE-2021-44269

An out-of-bounds read was found in Wavpack 5.4.0 when processing *.WAV
files. The issue is triggered in function WavpackPackSamples of
src/pack_utils.c: the tainted variable cnt is too large, which makes the
pointer sptr read beyond the heap bound.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a9bff8a0b0f68f070a5ae0e94cbffefb9b455b26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine 3 years ago
parent
commit
d24d77e3e1

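--- a/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
+++ b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
@@ -0,0 +1,42 @@
+From 773f9d0803c6888ae7d5391878d7337f24216f4a Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 23 Nov 2021 13:14:35 -0800
+Subject: [PATCH] issue #110: sanitize DSD file types for invalid lengths
+
+[Retrieved from:
+https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ cli/dsdiff.c | 6 ++++++
+ cli/dsf.c    | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index d7adb6a..5bdcae3 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -278,6 +278,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+             }
+ 
+             total_samples = dff_chunk_header.ckDataSize / config->num_channels;
++
++            if (total_samples <= 0 || total_samples > MAX_WAVPACK_SAMPLES) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             break;
+         }
+         else {          // just copy unknown chunks to output file
+diff --git a/cli/dsf.c b/cli/dsf.c
+index e1d7973..dddd488 100644
+--- a/cli/dsf.c
++++ b/cli/dsf.c
+@@ -113,6 +113,7 @@ int ParseDsfHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackC
+ 
+     if (format_chunk.ckSize != sizeof (DSFFormatChunk) || format_chunk.formatVersion != 1 ||
+         format_chunk.formatID != 0 || format_chunk.blockSize != DSF_BLOCKSIZE || format_chunk.reserved ||
++        format_chunk.sampleCount <= 0 || format_chunk.sampleCount > MAX_WAVPACK_SAMPLES * 8 ||
+         (format_chunk.bitsPerSample != 1 && format_chunk.bitsPerSample != 8) ||
+         format_chunk.numChannels < 1 || format_chunk.numChannels > 6 ||
+         format_chunk.chanType < 1 || format_chunk.chanType > NUM_CHAN_TYPES) {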
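Review bot: The bound `format_chunk.sampleCount > MAX_WAVPACK_SAMPLES * 8` added in ParseDsfHeaderConfig gives no reason for the factor of 8, and its correctness rests on definitions that are outside the hunk. If `sampleCount` is declared unsigned, the `<= 0` half rejects only zero, and the product is safe only if `MAX_WAVPACK_SAMPLES` expands to a 64-bit expression; both are worth confirming against the headers. I would put a short comment above the condition, for example `// sampleCount counts 1-bit DSD samples; presumably 8 of them map to one WavPack sample (confirm)`. Both new checks sit in the cli/ parsers, whose bodies continue outside the hunks, so the library function named in the CVE description is not itself changed by this patch, and other callers of the library still have to validate sample counts themselves.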

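--- a/package/wavpack/wavpack.mk
+++ b/package/wavpack/wavpack.mk
@@ -14,6 +14,9 @@ WAVPACK_LICENSE = BSD-3-Clause
 WAVPACK_LICENSE_FILES = COPYING
 WAVPACK_CPE_ID_VENDOR = wavpack
 
+# 0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
+WAVPACK_IGNORE_CVES += CVE-2021-44269
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 WAVPACK_CONF_OPTS += LIBS=-liconv
 endif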
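Review bot: The comment above `WAVPACK_IGNORE_CVES += CVE-2021-44269` names only the patch file, so nothing here records which upstream change justifies the entry or when it can be removed. The entry suppresses this CVE in the package's CVE reporting, so it should be dropped together with the patch once the packaged version contains upstream commit 773f9d0. I would append ` (upstream commit 773f9d0, issue #110; drop on version bump)` to the existing comment line. The commit message speaks of *.WAV input and WavpackPackSamples, while the carried patch validates lengths in the DSD parsers under cli/, so the issue reference would also let an auditor confirm that the patch really covers this CVE.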