diff options
author | CyberLeo <cyberleo@cyberleo.net> | 2020-03-28 05:45:52 -0500 |
---|---|---|
committer | CyberLeo <cyberleo@cyberleo.net> | 2020-03-28 05:45:52 -0500 |
commit | 9297468fa579836e3a6a381b798feb6b78217c2d (patch) | |
tree | 53168212f427afbcf0693b534530a4af803152e9 /user/sox/CVE-2019-13590.patch | |
parent | a63cc05c53a6f4c22422dc8c69808b14d87a6f6e (diff) | |
parent | da5a69b65a8791fffa6e93366ee585f87eff136d (diff) | |
download | packages-9297468fa579836e3a6a381b798feb6b78217c2d.tar.gz packages-9297468fa579836e3a6a381b798feb6b78217c2d.tar.bz2 packages-9297468fa579836e3a6a381b798feb6b78217c2d.tar.xz packages-9297468fa579836e3a6a381b798feb6b78217c2d.zip |
Merge branch 'master' into zfs
Diffstat (limited to 'user/sox/CVE-2019-13590.patch')
-rw-r--r-- | user/sox/CVE-2019-13590.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/user/sox/CVE-2019-13590.patch b/user/sox/CVE-2019-13590.patch new file mode 100644 index 000000000..a09b11bae --- /dev/null +++ b/user/sox/CVE-2019-13590.patch @@ -0,0 +1,33 @@ +From 7b6a889217d62ed7e28188621403cc7542fd1f7e Mon Sep 17 00:00:00 2001 +From: Mans Rullgard <mans@mansr.com> +Date: Tue, 4 Feb 2020 12:55:18 +0000 +Subject: [PATCH] sox-fmt: validate comments_bytes before use (CVE-2019-13590) + [bug #325] + +Cap the comments size to 1 GB to avoid overflows in subsequent +arithmetic. + +The missing null check mentioned in the bug report is bogus since +lsx_calloc() returns a valid pointer or aborts. +--- + src/sox-fmt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/sox-fmt.c b/src/sox-fmt.c +index aad965cd..11c88771 100644 +--- a/src/sox-fmt.c ++++ b/src/sox-fmt.c +@@ -46,7 +46,9 @@ static int startread(sox_format_t * ft) + lsx_readdw(ft, &comments_bytes)) + return SOX_EOF; + +- if (((headers_bytes + 4) & 7) || headers_bytes < FIXED_HDR + comments_bytes || ++ if (((headers_bytes + 4) & 7) || ++ comments_bytes > 0x40000000 || /* max 1 GB */ ++ headers_bytes < FIXED_HDR + comments_bytes || + (num_channels > 65535)) /* Reserve top 16 bits */ { + lsx_fail_errno(ft, SOX_EHDR, "invalid sox file format header"); + return SOX_EOF; +-- +2.25.0 + |