diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch')
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001 | ||
2 | From: bobsayshilol <bobsayshilol@live.co.uk> | ||
3 | Date: Wed, 17 Feb 2021 23:21:48 +0000 | ||
4 | Subject: [PATCH 1/2] wavlike: Fix incorrect size check | ||
5 | |||
6 | The SF_CART_INFO_16K struct has an additional 4 byte field to hold | ||
7 | the size of 'tag_text' which the file header doesn't, so don't | ||
8 | include it as part of the check when looking for the max length. | ||
9 | |||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026 | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2021-3246 patch 1 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | src/wavlike.c | 6 +++++- | ||
18 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
19 | |||
20 | Index: libsndfile-1.0.28/src/wavlike.c | ||
21 | =================================================================== | ||
22 | --- libsndfile-1.0.28.orig/src/wavlike.c | ||
23 | +++ libsndfile-1.0.28/src/wavlike.c | ||
24 | @@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf | ||
25 | return 0 ; | ||
26 | } ; | ||
27 | |||
28 | - if (chunksize >= sizeof (SF_CART_INFO_16K)) | ||
29 | + /* | ||
30 | + ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part | ||
31 | + ** of the chunk, so don't include it in the size check. | ||
32 | + */ | ||
33 | + if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) | ||
34 | { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ; | ||
35 | psf_binheader_readf (psf, "j", chunksize) ; | ||
36 | return 0 ; | ||