[jackhill/guix/guix.git] / gnu / packages / patches / libsndfile-CVE-2017-12562.patch

Fix CVE-2017-12562:

https://github.com/erikd/libsndfile/issues/292
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562

Patch copied from upstream source repository:

https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8

From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
Date: Wed, 14 Jun 2017 12:25:40 +0200
Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
 in binheader

Fixes the following problems:
 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
    big switch statement by an amount (16 bytes) which is enough for all cases
    where only a single value gets added. Cases 's', 'S', 'p' however
    additionally write an arbitrary length block of data and again enlarge the
    buffer to the required amount. However, the required space calculation does
    not take into account the size of the length field which gets output before
    the data.
 3. Buffer size requirement calculation in case 'S' does not account for the
    padding byte ("size += (size & 1) ;" happens after the calculation which
    uses "size").
 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
    involved
    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
    the buffer is only guaranteed to have "size" space available).
 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
    beyond the space which is guaranteed to be allocated in the header buffer.
 6. Case 's' can overrun the provided source string by 1 byte if padding is
    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
    plus optionally another 1 which is padding and not guaranteed to be
    readable via the source string pointer).

Closes: https://github.com/erikd/libsndfile/issues/292
---
 src/common.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/common.c b/src/common.c
index 1a6204ca..6b2a2ee9 100644
--- a/src/common.c
+++ b/src/common.c
@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
 					/* Write a C string (guaranteed to have a zero terminator). */
 					strptr = va_arg (argptr, char *) ;
 					size = strlen (strptr) + 1 ;
-					size += (size & 1) ;
 
-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
 						return count ;
 
 					if (psf->rwf_endian == SF_ENDIAN_BIG)
-						header_put_be_int (psf, size) ;
+						header_put_be_int (psf, size + (size & 1)) ;
 					else
-						header_put_le_int (psf, size) ;
+						header_put_le_int (psf, size + (size & 1)) ;
 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
+					size += (size & 1) ;
 					psf->header.indx += size ;
 					psf->header.ptr [psf->header.indx - 1] = 0 ;
 					count += 4 + size ;
@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
 					*/
 					strptr = va_arg (argptr, char *) ;
 					size = strlen (strptr) ;
-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
 						return count ;
 					if (psf->rwf_endian == SF_ENDIAN_BIG)
 						header_put_be_int (psf, size) ;
 					else
 						header_put_le_int (psf, size) ;
-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
+					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
 					size += (size & 1) ;
 					psf->header.indx += size ;
-					psf->header.ptr [psf->header.indx] = 0 ;
 					count += 4 + size ;
 					break ;
 
@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
 					size = (size & 1) ? size : size + 1 ;
 					size = (size > 254) ? 254 : size ;
 
-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
 						return count ;
 
 					header_put_byte (psf, size) ;
Commit	Line	Data
c73a00a3 LF	1	Fix CVE-2017-12562:
	2
	3	https://github.com/erikd/libsndfile/issues/292
	4	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562
	5
	6	Patch copied from upstream source repository:
	7
	8	https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
	9
	10	From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
	11	From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
	12	Date: Wed, 14 Jun 2017 12:25:40 +0200
	13	Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
	14	in binheader
	15
	16	Fixes the following problems:
	17	1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
	18	2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
	19	big switch statement by an amount (16 bytes) which is enough for all cases
	20	where only a single value gets added. Cases 's', 'S', 'p' however
	21	additionally write an arbitrary length block of data and again enlarge the
	22	buffer to the required amount. However, the required space calculation does
	23	not take into account the size of the length field which gets output before
	24	the data.
	25	3. Buffer size requirement calculation in case 'S' does not account for the
	26	padding byte ("size += (size & 1) ;" happens after the calculation which
	27	uses "size").
	28	4. Case 'S' can overrun the header buffer by 1 byte when no padding is
	29	involved
	30	("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
	31	the buffer is only guaranteed to have "size" space available).
	32	5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
	33	beyond the space which is guaranteed to be allocated in the header buffer.
	34	6. Case 's' can overrun the provided source string by 1 byte if padding is
	35	involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
	36	where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
	37	plus optionally another 1 which is padding and not guaranteed to be
	38	readable via the source string pointer).
	39
	40	Closes: https://github.com/erikd/libsndfile/issues/292
	41	---
	42	src/common.c \| 15 +++++++--------
	43	1 file changed, 7 insertions(+), 8 deletions(-)
	44
	45	diff --git a/src/common.c b/src/common.c
	46	index 1a6204ca..6b2a2ee9 100644
	47	--- a/src/common.c
	48	+++ b/src/common.c
	49	@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE psf, const char format, ...)
	50	/* Write a C string (guaranteed to have a zero terminator). */
	51	strptr = va_arg (argptr, char *) ;
	52	size = strlen (strptr) + 1 ;
	53	- size += (size & 1) ;
	54
	55	- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
	56	+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
	57	return count ;
	58
	59	if (psf->rwf_endian == SF_ENDIAN_BIG)
	60	- header_put_be_int (psf, size) ;
	61	+ header_put_be_int (psf, size + (size & 1)) ;
	62	else
	63	- header_put_le_int (psf, size) ;
	64	+ header_put_le_int (psf, size + (size & 1)) ;
65	memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
66	+ size += (size & 1) ;
67	psf->header.indx += size ;
68	psf->header.ptr [psf->header.indx - 1] = 0 ;
69	count += 4 + size ;
70	@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE psf, const char format, ...)
71	*/
72	strptr = va_arg (argptr, char *) ;
73	size = strlen (strptr) ;
74	- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
75	+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
76	return count ;
77	if (psf->rwf_endian == SF_ENDIAN_BIG)
78	header_put_be_int (psf, size) ;
79	else
80	header_put_le_int (psf, size) ;
81	- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
82	+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
83	size += (size & 1) ;
84	psf->header.indx += size ;
85	- psf->header.ptr [psf->header.indx] = 0 ;
86	count += 4 + size ;
87	break ;
88
89	@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE psf, const char format, ...)
90	size = (size & 1) ? size : size + 1 ;
91	size = (size > 254) ? 254 : size ;
92
93	- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
94	+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
95	return count ;
96
97	header_put_byte (psf, size) ;