| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
- From: Alex Stewart <alex.stewart@ni.com>
- Date: Tue, 10 Oct 2023 16:10:34 -0400
- Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
- The clang sanitizer warns of a possible signed integer overflow when
- calculating the `dataend` value in `mat4_read_header()`.
- ```
- src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
- SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
- src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
- SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
- ```
- Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
- `dataend` before performing the calculation, to avoid the issue.
- CVE: CVE-2022-33065
- Fixes: https://github.com/libsndfile/libsndfile/issues/789
- Fixes: https://github.com/libsndfile/libsndfile/issues/833
- Signed-off-by: Alex Stewart <alex.stewart@ni.com>
- Upstream: https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c
- Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- ---
- src/mat4.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/src/mat4.c b/src/mat4.c
- index 0b1b414b..575683ba 100644
- --- a/src/mat4.c
- +++ b/src/mat4.c
- @@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
- psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
- }
- else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
- - psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
- + psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
-
- psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
-
- --
- 2.39.5
|
