Fix CVE-2018-1000223: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223 https://gitlab.com/soundtouch/soundtouch/issues/6 Patches copied from upstream source repository: https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275 https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967
From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
From: oparviainen
Date: Sun, 12 Aug 2018 20:24:37 +0300
Subject: [PATCH] Added minimum size check for WAV header block lengh values
---
 source/SoundStretch/WavFile.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 7e7ade2..68818c9 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
  // read length of the format field
  if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
  // swap byte order if necessary
- _swap32(nLen); // int format_len;
+ _swap32(nLen);
+
+ // verify that header length isn't smaller than expected
+ if (nLen < sizeof(header.format) - 8) return -1;
+
  header.format.format_len = nLen;
 
  // calculate how much length differs from expected
@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
  if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
  // swap byte order if necessary
  _swap32(nLen); // int fact_len;
+
+ // verify that fact length isn't smaller than expected
+ if (nLen < sizeof(header.fact) - 8) return -1;
+
  header.fact.fact_len = nLen;
 
  // calculate how much length differs from expected
-- 
2.18.0
From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
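Review bot: The added guard `if (nLen < sizeof(header.format) - 8) return -1;` compares the length read from the file against a `size_t` expression, so if nLen is a signed int (its declaration is outside the hunk, but the `fread(&nLen, sizeof(int), ...)` read suggests it) a negative length is converted to a large unsigned value and passes the test. The fact-chunk guard added in the second hunk has the same form. A signed comparison such as `if (nLen < (int)sizeof(header.format) - 8) return -1;` rejects negative lengths too. The two follow-up commits on this page rework the check, so this commit should not be backported on its own. readHeaderBlock starts and ends outside both hunks.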
From: oparviainen
Date: Mon, 13 Aug 2018 19:16:16 +0300
Subject: [PATCH] Fixed WavFile header/fact not-too-small check
---
 source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 4af7a4c..3421bca 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
  // swap byte order if necessary
  _swap32(nLen);
 
- // verify that header length isn't smaller than expected
- if (nLen < sizeof(header.format) - 8) return -1;
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.format) - 8);
 
- header.format.format_len = nLen;
+ // verify that header length isn't smaller than expected structure
+ if (nDump < 0) return -1;
 
- // calculate how much length differs from expected
- nDump = nLen - ((int)sizeof(header.format) - 8);
+ header.format.format_len = nLen;
 
  // if format_len is larger than expected, read only as much data as we've space for
  if (nDump > 0)
@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
  // read length of the fact field
  if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
  // swap byte order if necessary
- _swap32(nLen); // int fact_len;
-
- // verify that fact length isn't smaller than expected
- if (nLen < sizeof(header.fact) - 8) return -1;
-
- header.fact.fact_len = nLen;
+ _swap32(nLen);
 
  // calculate how much length differs from expected
  nDump = nLen - ((int)sizeof(header.fact) - 8);
 
+ // verify that fact length isn't smaller than expected structure
+ if (nDump < 0) return -1;
+
+ header.fact.fact_len = nLen;
+
  // if format_len is larger than expected, read only as much data as we've space for
  if (nDump > 0)
  {
-- 
2.18.0
From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
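Review bot: The context comment that closes the second hunk, `// if format_len is larger than expected, read only as much data as we've space for`, sits in the fact-chunk path, where nDump was just computed from `sizeof(header.fact)`, so it reads as a copy from the format path. Since the lines directly above it are rearranged in this commit, it could be corrected to `// if fact_len is larger than expected, read only as much data as we've space for`. The hunk ends at the opening brace of the `if (nDump > 0)` block, so the handling of the excess bytes is not visible here.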
From: olli
Date: Mon, 13 Aug 2018 19:42:58 +0300
Subject: [PATCH] Improved WavFile header/fact not-too-small check
---
 source/SoundStretch/WavFile.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 3421bca..9d90b8a 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
  nDump = nLen - ((int)sizeof(header.format) - 8);
 
  // verify that header length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
 
  header.format.format_len = nLen;
 
@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
  nDump = nLen - ((int)sizeof(header.fact) - 8);
 
  // verify that fact length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
 
  header.fact.fact_len = nLen;
 
-- 
2.18.0
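Review bot: The `nLen < 0` test added here runs only after the context line `nDump = nLen - ((int)sizeof(header.format) - 8);` has already done the subtraction on the unvalidated value. Assuming nLen is a signed int, as the `(int)` cast and the `< 0` test suggest, a length close to INT_MIN overflows that subtraction, which is undefined behaviour, before the guard can reject it. Testing first, with `if (nLen < (int)sizeof(header.format) - 8) return -1;` placed ahead of the nDump assignment, gives the same accept/reject result without the overflow. The fact hunk has the same shape and would take the matching `sizeof(header.fact)` form. The rest of readHeaderBlock is outside both hunks.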