Added missing commits for complete CVE fix Ref: https://github.com/libsndfile/libsndfile/issues/833 https://ubuntu.com/security/CVE-2022-33065 (From OE-Core rev: fc34dde58e8be19d703479c8e025e27294cdb579) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
From 56e6c5408f1ee6d476b234c105fb28b4998e811b Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Wed, 11 Oct 2023 16:36:02 -0400
Subject: [PATCH 06/17] au: avoid int overflow while calculating data_end
At several points in au_read_header(), we calculate the functional end
of the data segment by adding the (int)au_fmt.dataoffset and the
(int)au_fmt.datasize. This can overflow the implicit int_32 return value
and cause undefined behavior.
Instead, precalculate the value and assign it to a 64-bit
(sf_count_t)data_end variable.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-2.patch?h=ubuntu/jammy-security
Upstream commit https://github.com/libsndfile/libsndfile/commit/56e6c5408f1ee6d476b234c105fb28b4998e811b]
CVE: CVE-2022-33065
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/au.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/au.c b/src/au.c
index 62bd691d6..f68f25871 100644
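--- a/src/au.c
+++ b/src/au.c
@@ -291,6 +291,7 @@ static int
 au_read_header (SF_PRIVATE *psf)
 { AU_FMT au_fmt ;
 int marker, dword ;
+ sf_count_t data_end ;
 
 memset (&au_fmt, 0, sizeof (au_fmt)) ;
 psf_binheader_readf (psf, "pm", 0, &marker) ;
@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
 return SFE_AU_EMBED_BAD_LEN ;
 } ;
 
+ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
 if (psf->fileoffset > 0)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ { psf->filelength = data_end ;
 psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
 }
- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
+ else if (au_fmt.datasize == -1 || data_end == psf->filelength)
 psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ else if (data_end < psf->filelength)
+ { psf->filelength = data_end ;
 psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
 }
 else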
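Review bot: Negative header fields can still reach `psf->filelength` through the new `data_end` assignment in the second hunk. The commit message describes dataoffset and datasize as int, so a file whose header carries a negative offset, or a size below the -1 sentinel, yields a negative `data_end` that satisfies `data_end < psf->filelength` and is then stored as the file length. Unless the lines between the two hunks (not shown here) already reject such values, a guard such as `if (au_fmt.dataoffset < 0 || au_fmt.datasize < -1)` returning one of the function's existing error codes should come before the addition. A short comment on the assignment saying that `datasize == -1` means "length unknown", so `data_end` is not meaningful on that branch, would also help the next reader. au_read_header's body starts before and continues after the visible hunks.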