From e410d00c4821726accfbe1f825f2def6376e181f Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 5 Nov 2017 16:43:35 +0000
Subject: [PATCH] hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)

---
 src/hcom.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/hcom.c b/src/hcom.c
index e76820e9..be17d9d2 100644
--- a/src/hcom.c
+++ b/src/hcom.c
@@ -73,6 +73,14 @@ typedef struct {
 size_t pos; /* Where next byte goes */
 } priv_t;
 
+static int dictvalid(int n, int size, int left, int right)
+{
+ if (n > 0 && left < 0)
+ return 1;
+
+ return (unsigned)left < size && (unsigned)right < size;
+}
+
 static int startread(sox_format_t * ft)
 {
 priv_t *p = (priv_t *) ft->priv;
@@ -150,6 +158,11 @@ static int startread(sox_format_t * ft)
 lsx_debug("%d %d",
 p->dictionary[i].dict_leftson,
 p->dictionary[i].dict_rightson);
+ if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson)) {
+ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
+ return SOX_EOF;
+ }
 }
 rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
 if (rc)
-- 
2.25.0
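Review bot: dictvalid carries no comment explaining the rule it enforces, so a reader cannot tell from the new function why a negative left son is accepted for every entry except entry 0, or what the two range tests mean. A header such as `/* Entry n is acceptable when it is not the root (n > 0) and its left son is negative (presumably a leaf marker), or when both sons index inside [0, size). */` would document it, with the leaf interpretation confirmed against the decoder. The comparison `(unsigned)left < size` converts `size` to unsigned as well, so a negative `size` would let every index through; if dictsize is read from an unsigned header field this cannot happen, but declaring the parameter `unsigned size` or testing `size > 0` first would make the precondition explicit rather than implicit.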
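Review bot: The new failure path reports only "Invalid dictionary", so a rejected file gives no indication of which of the dictsize entries failed the check, although `i` is at hand. If lsx_fail_errno is printf-style in the way lsx_debug is used just above, `lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary entry %d", i);` would make rejected inputs far easier to diagnose. The rejection happens on the first bad entry, before the remaining entries are read, which is the right place for it. startread begins and ends outside this hunk, so whether the early `return SOX_EOF` leaves any state acquired earlier in the function to be released could not be checked here.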