author | 2018-08-22 22:36:55 +0200 | |
---|---|---|
committer | 2018-08-22 22:42:47 +0200 | |
commit | 5e53d3522da5a2474983143001f72547b953666d (patch) | |
tree | 89e4e4b88baa8b99eac20406fc22d9e90e6e089c /media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch | |
parent | media-sound/wavpack: EAPI-7 bump (diff) | |
media-sound/wavpack: Multiple security fixes
CVE-2018-7254,CVE-2018-7253, CVE-2018-6767, CVE-2018-10540,
CVE-2018-10539,CVE-2018-10538, CVE-2018-10537, CVE-2018-10536
Bug: https://bugs.gentoo.org/654532
Package-Manager: Portage-2.3.48, Repoman-2.3.10
Diffstat (limited to 'media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch')
-rw-r--r-- | media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch b/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch
new file mode 100644
index 000000000000..d924bb624bdc
--- /dev/null
+++ b/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch
@@ -0,0 +1,70 @@
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 17:27:01 -0700
+Subject: issue #33, sanitize size of unknown chunks before malloc()
+
+---
+ cli/dsdiff.c | 9 ++++++++-
+ cli/riff.c | 9 ++++++++-
+ cli/wave64.c | 9 ++++++++-
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index c016df9..fa56bbb 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ else { // just copy unknown chunks to output file
+
+ int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/riff.c b/cli/riff.c
+index de98c1e..7bddf63 100644
+--- a/cli/riff.c
++++ b/cli/riff.c
+@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ else { // just copy unknown chunks to output file
+
+ int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .WAV file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 591d640..fa928a0 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ }
+ else { // just copy unknown chunks to output file
+ int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .W64 file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes", |
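Review bot: In the cli/dsdiff.c hunk (and likewise in cli/wave64.c) the new range test runs on `bytes_to_copy` after the chunk size has already been narrowed to `int`, so it validates the truncated value rather than the size recorded in the file. The `(int)` cast together with the `~(int64_t)1` mask suggests `ckDataSize` is a 64-bit field, and wave64's `ckSize` presumably is too; if so, a declared size far above the limit can still pass whenever its truncated value lands in 0..4194304, and the parser would then presumably skip the wrong number of bytes. Comparing at full width before narrowing avoids this: `int64_t padded = (dff_chunk_header.ckDataSize + 1) & ~(int64_t)1;`, `if (padded < 0 || padded > 4194304) {`, and only then `bytes_to_copy = (int)padded;`. The literal 4194304 is repeated in all three files and would read better as one named limit with a comment saying it is a 4 MiB cap on unknown chunks. The result of `malloc` is not checked in the visible lines, but all three functions begin and continue outside their hunks, so a later check may exist.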