Commit | Line | Data |
---|---|---|
65f704f3 MB |
1 | Fix CVE-2018-7253: |
2 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253 | |
3 | ||
4 | Copied from upstream: | |
5 | https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec | |
6 | ||
7 | diff --git a/cli/dsdiff.c b/cli/dsdiff.c | |
8 | index 410dc1c..c016df9 100644 | |
9 | --- a/cli/dsdiff.c | |
10 | +++ b/cli/dsdiff.c | |
11 | @@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa | |
12 | error_line ("dsdiff file version = 0x%08x", version); | |
13 | } | |
14 | else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) { | |
15 | - char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize); | |
16 | + char *prop_chunk; | |
17 | + | |
18 | + if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) { | |
19 | + error_line ("%s is not a valid .DFF file!", infilename); | |
20 | + return WAVPACK_SOFT_ERROR; | |
21 | + } | |
22 | + | |
23 | + if (debug_logging_mode) | |
24 | + error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize); | |
25 | + | |
26 | + prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize); | |
27 | ||
28 | if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) || | |
29 | bcount != dff_chunk_header.ckDataSize) { |