Diffstat (limited to 'media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch')
-rw-r--r--media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch b/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch
new file mode 100644
index 000000000000..d924bb624bdc
--- /dev/null
+++ b/media-sound/wavpack/files/wavpack-5.1.0-CVE-2018-10538-CVE-2018-10539-CVE-2018-10540.patch
@@ -0,0 +1,70 @@
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 17:27:01 -0700
+Subject: issue #33, sanitize size of unknown chunks before malloc()
+
+---
+ cli/dsdiff.c | 9 ++++++++-
+ cli/riff.c | 9 ++++++++-
+ cli/wave64.c | 9 ++++++++-
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index c016df9..fa56bbb 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ else { // just copy unknown chunks to output file
+
+ int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/riff.c b/cli/riff.c
+index de98c1e..7bddf63 100644
+--- a/cli/riff.c
++++ b/cli/riff.c
+@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ else { // just copy unknown chunks to output file
+
+ int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .WAV file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 591d640..fa928a0 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ }
+ else { // just copy unknown chunks to output file
+ int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
+- char *buff = malloc (bytes_to_copy);
++ char *buff;
++
++ if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++ error_line ("%s is not a valid .W64 file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
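Review bot: The new range check in all three inner hunks tests `bytes_to_copy` only after the chunk size has been narrowed to `int`, so it validates the truncated value rather than the size stored in the file. In cli/dsdiff.c the `(int)` cast is applied to an expression masked with `~(int64_t)1`, which suggests `ckDataSize` is 64 bits wide (the Wave64 `ckSize` presumably is too); a size with high bits set could then alias to a small in-range value, pass the check, and leave the parser out of step with the real chunk length. Comparing the header field itself before the conversion closes that gap, e.g. `if (dff_chunk_header.ckDataSize < 0 || dff_chunk_header.ckDataSize > 4194304)`, with the equivalent test on `chunk_header.ckSize` in cli/riff.c and cli/wave64.c (adjusted for each field's signedness), and the limit 4194304 given one shared name instead of being repeated three times. The parser functions continue past these hunks, so whether the result of `malloc` is checked for NULL before use cannot be seen here and is worth confirming.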