|
1 Fix four overflow/invalid memory access issues. |
|
2 |
|
3 * CVE-2017-8361 |
|
4 global buffer overflow in flac_buffer_copy |
|
5 https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-flac_buffer_copy-flac-c/ |
|
6 |
|
7 * CVE-2017-8362 |
|
8 invalid memory read in flac_buffer_copy |
|
9 https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/ |
|
10 |
|
11 * CVE-2017-8363 |
|
12 heap-based buffer overflow in flac_buffer_copy |
|
13 https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/ |
|
14 |
|
15 * CVE-2017-8365 |
|
16 global buffer overflow in i2les_array (pcm.c) |
|
17 https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/ |
|
18 |
|
19 Upstream commits at: |
|
20 |
|
21 https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 |
|
22 https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808 |
|
23 |
|
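--- libsndfile-1.0.28/src/common.h.orig 2017-05-02 09:34:22.327230292 +0000
+++ libsndfile-1.0.28/src/common.h 2017-05-02 09:38:07.414347779 +0000
@@ -725,6 +725,7 @@
 SFE_FLAC_INIT_DECODER,
 SFE_FLAC_LOST_SYNC,
 SFE_FLAC_BAD_SAMPLE_RATE,
+ SFE_FLAC_CHANNEL_COUNT_CHANGED,
 SFE_FLAC_UNKOWN_ERROR,
 
 SFE_WVE_NOT_WVE,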
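--- libsndfile-1.0.28/src/flac.c.orig 2017-05-02 09:34:40.424371952 +0000
+++ libsndfile-1.0.28/src/flac.c 2017-05-02 09:43:43.952685131 +0000
@@ -169,6 +169,14 @@
 const int32_t* const *buffer = pflac->wbuffer ;
 unsigned i = 0, j, offset, channels, len ;
 
+ if (psf->sf.channels != (int) frame->header.channels)
+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
+ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, frame->header.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return 0 ;
+ } ;
+
 /*
 ** frame->header.blocksize is variable and we're using a constant blocksize
 ** of FLAC__MAX_BLOCK_SIZE.
@@ -202,7 +210,6 @@
 return 0 ;
 } ;
 
-
 len = SF_MIN (pflac->len, frame->header.blocksize) ;
 
 if (pflac->remain % channels != 0)
@@ -435,6 +442,19 @@
 
 switch (metadata->type)
 { case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
+ } ;
+
+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
+ "Carrying on as if nothing happened.",
+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
+ } ;
 psf->sf.channels = metadata->data.stream_info.channels ;
 psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
 psf->sf.frames = metadata->data.stream_info.total_samples ;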
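Review bot: The sample-rate warning added in the STREAMINFO case ends its format string at `"Carrying on as if nothing happened.",` with no trailing newline, unlike the two channel-count messages, so the next log entry will run onto the same line; `"Carrying on as if nothing happened.\n",` would match them. That check is also gated on `psf->sf.channels > 0` rather than on the sample rate itself, which reads as a "stream info already seen" test and deserves a one-line comment saying so. A short comment above the channel-count guards, for example `/* A frame whose channel count differs from psf->sf.channels must not reach the copy loops. */`, would record why a channel change is fatal while a rate change is only logged; the copy loops themselves lie outside these hunks, so that rationale is inferred from the commit description. Both guards report the failure only through `psf->error` and an early return, so it is worth confirming that the decoder callbacks, which are not visible here, stop processing frames once it is set.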
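--- libsndfile-1.0.28/src/sndfile.c.orig 2017-05-02 09:35:02.297609256 +0000
+++ libsndfile-1.0.28/src/sndfile.c 2017-05-02 09:41:54.139468824 +0000
@@ -245,6 +245,7 @@
 { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
 { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
 { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
 { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
 
 { SFE_WVE_NOT_WVE , "Error : not a WVE file." },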