首頁 探索 說明
註冊 登入
PUBLIC_REPOS
/
buildroot
镜像来自 git://git.buildroot.net/buildroot
2
1
複刻 0
Files
目錄樹: e675ffd964
分支列表 標籤列表
buildroot
/
package
/
libsndfile
/
0002-au-avoid-int-overflow-while-calculating-data_end.patch

0002-au-avoid-int-overflow-while-calculating-data_end.patch 2.1 KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. From a5afea2e24080ddf5c7b8e26c29cdbd94ae8226b Mon Sep 17 00:00:00 2001
    2. 

  2. From: Alex Stewart <alex.stewart@ni.com>
    3. 

  3. Date: Wed, 11 Oct 2023 16:36:02 -0400
    4. 

  4. Subject: [PATCH] au: avoid int overflow while calculating data_end
    5. 

  5. 

  6. At several points in au_read_header(), we calculate the functional end
    7. 

  7. of the data segment by adding the (int)au_fmt.dataoffset and the
    8. 

  8. (int)au_fmt.datasize. This can overflow the implicit int_32 return value
    9. 

  9. and cause undefined behavior.
    10. 

  10. 

  11. Instead, precalculate the value and assign it to a 64-bit
    12. 

  12. (sf_count_t)data_end variable.
    13. 

  13. 

  14. CVE: CVE-2022-33065
    15. 

  15. Fixes: https://github.com/libsndfile/libsndfile/issues/833
    16. 

  16. 

  17. Signed-off-by: Alex Stewart <alex.stewart@ni.com>
    18. 

  18. Upstream: https://github.com/libsndfile/libsndfile/commit/a5afea2e24080ddf5c7b8e26c29cdbd94ae8226b
    19. 

  19. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    20. 

  20. ---
    21. 

  21.  src/au.c | 10 ++++++----
    22. 

  22.  1 file changed, 6 insertions(+), 4 deletions(-)
    23. 

  23. 

  24. diff --git a/src/au.c b/src/au.c
    25. 

  25. index 62bd691d..f68f2587 100644
    26. 

  26. --- a/src/au.c
    27. 

  27. +++ b/src/au.c
    28. 

  28. @@ -291,6 +291,7 @@ static int
    29. 

  29.  au_read_header (SF_PRIVATE *psf)
    30. 

  30.  {	AU_FMT	au_fmt ;
    31. 

  31.  	int		marker, dword ;
    32. 

  32. +	sf_count_t data_end ;
    33. 

  33.  
    34. 

  34.  	memset (&au_fmt, 0, sizeof (au_fmt)) ;
    35. 

  35.  	psf_binheader_readf (psf, "pm", 0, &marker) ;
    36. 

  36. @@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
    37. 

  37.  		return SFE_AU_EMBED_BAD_LEN ;
    38. 

  38.  		} ;
    39. 

  39.  
    40. 

  40. +	data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
    41. 

  41.  	if (psf->fileoffset > 0)
    42. 

  42. -	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
    43. 

  43. +	{	psf->filelength = data_end ;
    44. 

  44.  		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
    45. 

  45.  		}
    46. 

  46. -	else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
    47. 

  47. +	else if (au_fmt.datasize == -1 || data_end == psf->filelength)
    48. 

  48.  		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
    49. 

  49. -	else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
    50. 

  50. -	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
    51. 

  51. +	else if (data_end < psf->filelength)
    52. 

  52. +	{	psf->filelength = data_end ;
    53. 

  53.  		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
    54. 

  54.  		}
    55. 

  55.  	else
    56. 

  56. -- 
    57. 

  57. 2.39.5
    58. 

  58.