Commit | Line | Data |
---|---|---|
c73a00a3 LF |
1 | Fix CVE-2017-12562: |
2 | ||
3 | https://github.com/erikd/libsndfile/issues/292 | |
4 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562 | |
5 | ||
6 | Patch copied from upstream source repository: | |
7 | ||
8 | https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 | |
9 | ||
10 | From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001 | |
11 | From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de> | |
12 | Date: Wed, 14 Jun 2017 12:25:40 +0200 | |
13 | Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings | |
14 | in binheader | |
15 | ||
16 | Fixes the following problems: | |
17 | 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. | |
18 | 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the | |
19 | big switch statement by an amount (16 bytes) which is enough for all cases | |
20 | where only a single value gets added. Cases 's', 'S', 'p' however | |
21 | additionally write an arbitrary length block of data and again enlarge the | |
22 | buffer to the required amount. However, the required space calculation does | |
23 | not take into account the size of the length field which gets output before | |
24 | the data. | |
25 | 3. Buffer size requirement calculation in case 'S' does not account for the | |
26 | padding byte ("size += (size & 1) ;" happens after the calculation which | |
27 | uses "size"). | |
28 | 4. Case 'S' can overrun the header buffer by 1 byte when no padding is | |
29 | involved | |
30 | ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while | |
31 | the buffer is only guaranteed to have "size" space available). | |
32 | 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte | |
33 | beyond the space which is guaranteed to be allocated in the header buffer. | |
34 | 6. Case 's' can overrun the provided source string by 1 byte if padding is | |
35 | involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" | |
36 | where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, | |
37 | plus optionally another 1 which is padding and not guaranteed to be | |
38 | readable via the source string pointer). | |
39 | ||
40 | Closes: https://github.com/erikd/libsndfile/issues/292 | |
41 | --- | |
42 | src/common.c | 15 +++++++-------- | |
43 | 1 file changed, 7 insertions(+), 8 deletions(-) | |
44 | ||
45 | diff --git a/src/common.c b/src/common.c | |
46 | index 1a6204ca..6b2a2ee9 100644 | |
47 | --- a/src/common.c | |
48 | +++ b/src/common.c | |
49 | @@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | |
50 | /* Write a C string (guaranteed to have a zero terminator). */ | |
51 | strptr = va_arg (argptr, char *) ; | |
52 | size = strlen (strptr) + 1 ; | |
53 | - size += (size & 1) ; | |
54 | ||
55 | - if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) | |
56 | + if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) | |
57 | return count ; | |
58 | ||
59 | if (psf->rwf_endian == SF_ENDIAN_BIG) | |
60 | - header_put_be_int (psf, size) ; | |
61 | + header_put_be_int (psf, size + (size & 1)) ; | |
62 | else | |
63 | - header_put_le_int (psf, size) ; | |
64 | + header_put_le_int (psf, size + (size & 1)) ; | |
65 | memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; | |
66 | + size += (size & 1) ; | |
67 | psf->header.indx += size ; | |
68 | psf->header.ptr [psf->header.indx - 1] = 0 ; | |
69 | count += 4 + size ; | |
70 | @@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | |
71 | */ | |
72 | strptr = va_arg (argptr, char *) ; | |
73 | size = strlen (strptr) ; | |
74 | - if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) | |
75 | + if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) | |
76 | return count ; | |
77 | if (psf->rwf_endian == SF_ENDIAN_BIG) | |
78 | header_put_be_int (psf, size) ; | |
79 | else | |
80 | header_put_le_int (psf, size) ; | |
81 | - memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; | |
82 | + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; | |
83 | size += (size & 1) ; | |
84 | psf->header.indx += size ; | |
85 | - psf->header.ptr [psf->header.indx] = 0 ; | |
86 | count += 4 + size ; | |
87 | break ; | |
88 | ||
89 | @@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | |
90 | size = (size & 1) ? size : size + 1 ; | |
91 | size = (size > 254) ? 254 : size ; | |
92 | ||
93 | - if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) | |
94 | + if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) | |
95 | return count ; | |
96 | ||
97 | header_put_byte (psf, size) ; |