1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From e410d00c4821726accfbe1f825f2def6376e181f Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 5 Nov 2017 16:43:35 +0000
Subject: [PATCH] hcom: fix crash on input with corrupt dictionary
(CVE-2017-11358)
---
src/hcom.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/hcom.c b/src/hcom.c
index e76820e9..be17d9d2 100644
--- a/src/hcom.c
+++ b/src/hcom.c
@@ -73,6 +73,14 @@ typedef struct {
size_t pos; /* Where next byte goes */
} priv_t;
+static int dictvalid(int n, int size, int left, int right)
+{
+ if (n > 0 && left < 0)
+ return 1;
+
+ return (unsigned)left < size && (unsigned)right < size;
+}
+
static int startread(sox_format_t * ft)
{
priv_t *p = (priv_t *) ft->priv;
@@ -150,6 +158,11 @@ static int startread(sox_format_t * ft)
lsx_debug("%d %d",
p->dictionary[i].dict_leftson,
p->dictionary[i].dict_rightson);
+ if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson)) {
+ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
+ return SOX_EOF;
+ }
}
rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
if (rc)
--
2.25.0
|
