summaryrefslogblamecommitdiff
path: root/user/audiofile/CVE-2018-13440,17095.patch
blob: b35ce980e4d69da50c271703081da539ccabf88d (plain) (tree)












































































                                                                                          
From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 27 Sep 2018 10:48:45 +0200
Subject: [PATCH 1/3] ModuleState: handle compress/decompress init failure

When the unit initcompress or initdecompress function fails,
m_fileModule is NULL. Return AF_FAIL in that case instead of
causing NULL pointer dereferences later.

Fixes #49
---
 libaudiofile/modules/ModuleState.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
index 0c29d7a..070fd9b 100644
--- a/libaudiofile/modules/ModuleState.cpp
+++ b/libaudiofile/modules/ModuleState.cpp
@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
 		m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
 			file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
 
+	if (!m_fileModule)
+		return AF_FAIL;
+
 	if (unit->needsRebuffer)
 	{
 		assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);

From 941774c8c0e79007196d7f1e7afdc97689f869b3 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 27 Sep 2018 12:09:45 +0200
Subject: [PATCH 2/3] ALAC: set chunk frameCount to 0 on short read

---
 libaudiofile/modules/ALAC.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libaudiofile/modules/ALAC.cpp b/libaudiofile/modules/ALAC.cpp
index 7593c11..478e2af 100644
--- a/libaudiofile/modules/ALAC.cpp
+++ b/libaudiofile/modules/ALAC.cpp
@@ -240,6 +240,7 @@ void ALAC::runPull()
 	if (read(m_inChunk->buffer, bytesPerPacket) < bytesPerPacket)
 	{
 		reportReadError(0, m_track->f.framesPerPacket);
+		m_outChunk->frameCount = 0;
 		return;
 	}
 

From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 27 Sep 2018 12:11:12 +0200
Subject: [PATCH 3/3] SimpleModule: set output chunk framecount after pull

After pulling the data, set the output chunk to the amount of
frames we pulled so that the next module in the chain has the correct
frame count.

Fixes #50 and #51
---
 libaudiofile/modules/SimpleModule.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
index 2bae1eb..e87932c 100644
--- a/libaudiofile/modules/SimpleModule.cpp
+++ b/libaudiofile/modules/SimpleModule.cpp
@@ -26,6 +26,7 @@
 void SimpleModule::runPull()
 {
 	pull(m_outChunk->frameCount);
+	m_outChunk->frameCount = m_inChunk->frameCount;
 	run(*m_inChunk, *m_outChunk);
 }