From 09d7388c8ad5701ed9c59d1d600ff6154b066397 Mon Sep 17 00:00:00 2001 From: Mans Rullgard <mans@mansr.com> Date: Thu, 9 Nov 2017 11:45:10 +0000 Subject: [PATCH] xa: validate channel count (CVE-2017-18189) A corrupt header specifying zero channels would send read_channels() into an infinite loop. Prevent this by sanity checking the channel count in open_read(). Also add an upper bound to prevent overflow in multiplication. --- src/xa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/xa.c b/src/xa.c index 81a76772..9fc086ec 100644 --- a/src/xa.c +++ b/src/xa.c @@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) lsx_report("User options overriding rate read in .xa header"); } + if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { + lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", + ft->signal.channels); + return SOX_EOF; + } + /* Check for supported formats */ if (ft->encoding.bits_per_sample != 16) { lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", -- 2.25.0