mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-02 17:02:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

libsndfile1: fix CVE-2019-3832

Browse Source 
The previous fix for CVE-2018-19758 wasn't complete, so backport another patch
to solve it properly.

(From OE-Core rev: aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
2019-03-25 23:21:08 +00:00
committed by Richard Purdie
parent 496a4f924d
commit 49d6cd5000
2 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch Normal file
View File

@@ -0,0 +1,37 @@
From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort <pochu27@gmail.com>
Date: Tue, 5 Mar 2019 11:27:17 +0100
Subject: [PATCH] wav_write_header: don't read past the array end
CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
CVE: CVE-2019-3832
Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
Signed-off-by: Ross Burton <ross.burton@intel.com>
If loop_count is bigger than the array, truncate it to the array
length (and not to 32k).
CVE-2019-3832
---
src/wav.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/wav.c b/src/wav.c
index daae3cc..8851549 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
- /* Loop count is signed 16 bit number so we limit it range to something sensible. */
- psf->instrument->loop_count &= 0x7fff ;
+ /* Make sure we don't read past the loops array end. */
+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
+
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
{ int type ;

1
meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
View File

@@ -16,6 +16,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2018-19432.patch \
file://CVE-2017-12562.patch \
file://CVE-2018-19758.patch \
file://CVE-2019-3832.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"