package/wavpack/0003-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fil.patch - buildroot - Git at Google

 From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
 From: David Bryant <david@wavpack.com>
 Date: Sat, 10 Feb 2018 16:01:39 -0800
 Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file

 Fixes CVE-2018-7253

 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
  cli/dsdiff.c | 12 +++++++++++-
  1 file changed, 11 insertions(+), 1 deletion(-)

 diff --git a/cli/dsdiff.c b/cli/dsdiff.c
 index 410dc1c..c016df9 100644
 --- a/cli/dsdiff.c
 +++ b/cli/dsdiff.c
 @@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
                  error_line ("dsdiff file version = 0x%08x", version);
          }
          else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
 -            char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
 +            char *prop_chunk;
 +
 +            if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
 +                error_line ("%s is not a valid .DFF file!", infilename);
 +                return WAVPACK_SOFT_ERROR;
 +            }
 +
 +            if (debug_logging_mode)
 +                error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
 +
 +            prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);

              if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
                  bcount != dff_chunk_header.ckDataSize) {
 --
 2.11.0
	From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
	From: David Bryant <david@wavpack.com>
	Date: Sat, 10 Feb 2018 16:01:39 -0800
	Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file

	Fixes CVE-2018-7253

	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	---
	cli/dsdiff.c \| 12 +++++++++++-
	1 file changed, 11 insertions(+), 1 deletion(-)

	diff --git a/cli/dsdiff.c b/cli/dsdiff.c
	index 410dc1c..c016df9 100644
	--- a/cli/dsdiff.c
	+++ b/cli/dsdiff.c
	@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE infile, char infilename, char *fourcc, Wavpa
	error_line ("dsdiff file version = 0x%08x", version);
	}
	else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
	- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
	+ char *prop_chunk;
	+
	+ if (dff_chunk_header.ckDataSize < 4 \|\| dff_chunk_header.ckDataSize > 1024) {
	+ error_line ("%s is not a valid .DFF file!", infilename);
	+ return WAVPACK_SOFT_ERROR;
	+ }
	+
	+ if (debug_logging_mode)
	+ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
	+
	+ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);

	if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) \|\|
	bcount != dff_chunk_header.ckDataSize) {
	--
	2.11.0