* gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch, gnu/packages/patches/soundtouch-CVE-2018-1000223.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/audio.scm (soundtouch)[source]: Use them.
		
			
				
	
	
		
Fix CVE-2018-1000223:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223
https://gitlab.com/soundtouch/soundtouch/issues/6
Patches copied from upstream source repository:
https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e
https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275
https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967
From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Sun, 12 Aug 2018 20:24:37 +0300
Subject: [PATCH] Added minimum size check for WAV header block lengh values
---
 source/SoundStretch/WavFile.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 7e7ade2..68818c9 100644
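--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
         // read length of the format field
         if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
         // swap byte order if necessary
-        _swap32(nLen); // int format_len;
+        _swap32(nLen);
+
+        // verify that header length isn't smaller than expected
+        if (nLen < sizeof(header.format) - 8) return -1;
+
         header.format.format_len = nLen;
 
         // calculate how much length differs from expected
@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
         if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
         // swap byte order if necessary
         _swap32(nLen); // int fact_len;
+
+        // verify that fact length isn't smaller than expected
+        if (nLen < sizeof(header.fact) - 8) return -1;
+
         header.fact.fact_len = nLen;
 
         // calculate how much length differs from expected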
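Review bot: The new guard `if (nLen < sizeof(header.format) - 8) return -1;` compares a signed length against a `size_t` expression, so a negative `nLen` taken from the file is converted to a large unsigned value and passes the check; the `header.fact` guard in the second hunk has the same problem. `nLen` appears to be an `int` (it is filled with `fread(&nLen, sizeof(int), 1, fptr)`), so the comparison should be made in signed arithmetic, for example `if (nLen < (int)sizeof(header.format) - 8) return -1;`. Both hunks sit inside `WavInFile::readHeaderBlock()`, whose body starts and ends outside them, so how `nLen` is consumed afterwards cannot be confirmed from here.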
-- 
2.18.0
From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:16:16 +0300
Subject: [PATCH] Fixed WavFile header/fact not-too-small check
---
 source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 4af7a4c..3421bca 100644
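--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
         // swap byte order if necessary
         _swap32(nLen);
 
-        // verify that header length isn't smaller than expected
-        if (nLen < sizeof(header.format) - 8) return -1;
+        // calculate how much length differs from expected 
+        nDump = nLen - ((int)sizeof(header.format) - 8);
 
-        header.format.format_len = nLen;
+        // verify that header length isn't smaller than expected structure
+        if (nDump < 0) return -1;
 
-        // calculate how much length differs from expected
-        nDump = nLen - ((int)sizeof(header.format) - 8);
+        header.format.format_len = nLen;
 
         // if format_len is larger than expected, read only as much data as we've space for
         if (nDump > 0)
@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
         // read length of the fact field
         if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
         // swap byte order if necessary
-        _swap32(nLen); // int fact_len;
-
-        // verify that fact length isn't smaller than expected
-        if (nLen < sizeof(header.fact) - 8) return -1;
-
-        header.fact.fact_len = nLen;
+        _swap32(nLen);
 
         // calculate how much length differs from expected
         nDump = nLen - ((int)sizeof(header.fact) - 8);
 
+        // verify that fact length isn't smaller than expected structure
+        if (nDump < 0) return -1;
+
+        header.fact.fact_len = nLen;
+
         // if format_len is larger than expected, read only as much data as we've space for
         if (nDump > 0)
         {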
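Review bot: The constant `8` in `nDump = nLen - ((int)sizeof(header.format) - 8);` is unexplained, and the bounds check on attacker-controlled header lengths now depends on it. It presumably stands for the chunk tag and length field that precede the payload, but the struct layout is not visible in the hunk; once confirmed, a short comment stating what the `8` excludes (or a named constant shared by the format and fact checks) would make the guard auditable. In the second hunk the context comment above `if (nDump > 0)` still says `format_len` although this branch handles the fact chunk; `// if fact_len is larger than expected, read only as much data as we've space for` would match the code. `readHeaderBlock()` continues outside both hunks.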
-- 
2.18.0
From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
From: olli <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:42:58 +0300
Subject: [PATCH] Improved WavFile header/fact not-too-small check
---
 source/SoundStretch/WavFile.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 3421bca..9d90b8a 100644
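--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
         nDump = nLen - ((int)sizeof(header.format) - 8);
 
         // verify that header length isn't smaller than expected structure
-        if (nDump < 0) return -1;
+        if ((nLen < 0) || (nDump < 0)) return -1;
 
         header.format.format_len = nLen;
 
@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
         nDump = nLen - ((int)sizeof(header.fact) - 8);
 
         // verify that fact length isn't smaller than expected structure
-        if (nDump < 0) return -1;
+        if ((nLen < 0) || (nDump < 0)) return -1;
 
         header.fact.fact_len = nLen;
 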
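Review bot: The added `nLen < 0` test runs only after `nDump = nLen - ((int)sizeof(header.format) - 8);` has been evaluated, so for a strongly negative `nLen` the subtraction overflows a signed `int`, which is undefined behaviour and will trap in `-ftrapv` or UBSan builds before the guard is reached. Rejecting the length first avoids this: place `if (nLen < 0) return -1;` ahead of the `nDump` assignment and keep `if (nDump < 0) return -1;` after it. The same reordering applies to the `header.fact` hunk. The enclosing `readHeaderBlock()` starts and ends outside the hunks, so the declared type of `nLen` is inferred from the `fread(&nLen, sizeof(int), ...)` call shown in the earlier patches.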
-- 
2.18.0