From 451e5cf47f3a45ebf46cad0940f07ef05324f4c5 Mon Sep 17 00:00:00 2001 From: Zach van Rijn Date: Fri, 11 Nov 2022 14:15:59 -0600 Subject: user/audiofile: multiple CVE patches. fixes #124. --- user/audiofile/CVE-2017-6829.patch | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 user/audiofile/CVE-2017-6829.patch (limited to 'user/audiofile/CVE-2017-6829.patch') diff --git a/user/audiofile/CVE-2017-6829.patch b/user/audiofile/CVE-2017-6829.patch new file mode 100644 index 000000000..c1047af06 --- /dev/null +++ b/user/audiofile/CVE-2017-6829.patch @@ -0,0 +1,33 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n