This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 CVE-2017-17457). As per https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also fixes #317 (CVE-2017-14245 CVE-2017-14246). CVE: CVE-2017-14245 CVE-2017-14246 CVE: CVE-2017-17456 CVE-2017-17457 CVE: CVE-2018-19661 CVE-2018-19662 Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] Signed-off-by: Ross Burton From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 7 Jan 2019 15:55:03 +0800 Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN properly, leading to buffer underflow. INT_MIN is a special value since - INT_MIN cannot be represented as int. In this case round - INT_MIN to INT_MAX and proceed as usual. f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN properly, leading to null pointer dereference. In this case, arbitrarily set the buffer value to 0. This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and fixes #344 (CVE-2017-17456 and CVE-2017-17457). --- src/alaw.c | 9 +++++++-- src/ulaw.c | 9 +++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/src/alaw.c b/src/alaw.c index 063fd1a..4220224 100644 --- a/src/alaw.c +++ b/src/alaw.c @@ -19,6 +19,7 @@ #include "sfconfig.h" #include +#include #include "sndfile.h" #include "common.h" @@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) static inline void i2alaw_array (const int *ptr, int count, unsigned char *buffer) { while (--count >= 0) - { if (ptr [count] >= 0) + { if (ptr [count] == INT_MIN) + buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; + else if (ptr [count] >= 0) buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; else buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; @@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact static inline void d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) { while (--count >= 0) - { if (ptr [count] >= 0) + { if (!isfinite (ptr [count])) + buffer [count] = 0 ; + else if (ptr [count] >= 0) buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; else buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; diff --git a/src/ulaw.c b/src/ulaw.c index e50b4cb..b6070ad 100644 --- a/src/ulaw.c +++ b/src/ulaw.c @@ -19,6 +19,7 @@ #include "sfconfig.h" #include +#include #include "sndfile.h" #include "common.h" @@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) static inline void i2ulaw_array (const int *ptr, int count, unsigned char *buffer) { while (--count >= 0) - { if (ptr [count] >= 0) + { if (ptr [count] == INT_MIN) + buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; + else if (ptr [count] >= 0) buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; else buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; @@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact static inline void d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) { while (--count >= 0) - { if (ptr [count] >= 0) + { if (!isfinite (ptr [count])) + buffer [count] = 0 ; + else if (ptr [count] >= 0) buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; else buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; -- 2.7.4