author | Norm Jacobs <Norm.Jacobs@Oracle.COM> |
Fri, 09 Jan 2015 10:58:01 -0800 | |
changeset 3616 | 53afb71c2b98 |
permissions | -rw-r--r-- |
20332735 problem in UTILITY/SOX
# |
# Fix CVE-2014-8145[0]: |
# two heap-based buffer overflows |
# Upstream changesets 7d3f38 and f39c57. |
# http://sourceforge.net/p/sox/code/ci/7d3f38007a1eeaf5ab7669aba0d2a7e4d3def57e/ |
# http://sourceforge.net/p/sox/code/ci/f39c574bc423fd5b12bd6510264512f5d5366183/ |
# |
|
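--- a/src/sphere.c
+++ b/src/sphere.c
@@ -47,6 +47,11 @@
 
 /* Determine header size, and allocate a buffer large enough to hold it. */
 sscanf(fldsval, "%lu", &header_size_ul);
+ if (header_size_ul < 16) {
+ lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
+ return (SOX_EOF);
+ }
+
 buf = lsx_malloc(header_size = header_size_ul);
 
 /* Skip what we have read so far */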
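Review bot: The new guard on `header_size_ul` sets only a lower bound and still trusts `sscanf`, whose return value is never checked. A non-numeric size field therefore leaves `header_size_ul` at whatever it held before (its declaration and initialisation are outside the hunk), and an arbitrarily large value from the file still goes straight into `lsx_malloc`. Consider `if (sscanf(fldsval, "%lu", &header_size_ul) != 1 || header_size_ul < 16) {` plus a sanity cap on the upper end, and confirm that the assignment `header_size = header_size_ul` cannot narrow the value. The bare `16` also deserves a comment such as `/* 16 = header bytes already consumed; a smaller size would underflow the skip below */`, though the skip arithmetic itself is outside the hunk, so verify that before wording it as fact.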
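--- a/src/wav.c
+++ b/src/wav.c
@@ -166,7 +166,7 @@
 /* work with partial blocks. Specs say it should be null */
 /* padded but I guess this is better than trailing quiet. */
 samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0);
- if (samplesThisBlock == 0)
+ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
 {
 lsx_warn("Premature EOF on .wav input file");
 return 0;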
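Review bot: The widened condition `samplesThisBlock > wav->samplesPerBlock` reports an oversized block through the existing "Premature EOF on .wav input file" warning, which misdescribes the malformed-input case this check was added for. In logs such files become indistinguishable from merely truncated ones. A separate branch with its own message, for example `lsx_warn("ADPCM block yields more samples than samplesPerBlock; rejecting block");`, would keep the two cases apart. The guard is also only as strong as `wav->samplesPerBlock` itself: whether that header field is validated and matches the size of the decode buffer is decided outside this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.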