Fix CVE-2018-14044 and CVE-2018-14045: https://gitlab.com/soundtouch/soundtouch/issues/7 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14044 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14045 Patch copied from upstream source repository: https://gitlab.com/soundtouch/soundtouch/commit/107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 From 107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 Mon Sep 17 00:00:00 2001 From: oparviainen Date: Sun, 12 Aug 2018 20:00:56 +0300 Subject: [PATCH] Replaced illegal-number-of-channel assertions with run-time exception --- include/FIFOSamplePipe.h | 12 ++++++++++++ include/STTypes.h | 3 +++ source/SoundTouch/FIFOSampleBuffer.cpp | 3 ++- source/SoundTouch/RateTransposer.cpp | 5 ++--- source/SoundTouch/SoundTouch.cpp | 8 ++------ source/SoundTouch/TDStretch.cpp | 5 ++--- 6 files changed, 23 insertions(+), 13 deletions(-) diff --git a/include/FIFOSamplePipe.h b/include/FIFOSamplePipe.h index 4ec9275..b08f836 100644 --- a/include/FIFOSamplePipe.h +++ b/include/FIFOSamplePipe.h @@ -51,6 +51,18 @@ namespace soundtouch /// Abstract base class for FIFO (first-in-first-out) sample processing classes. class FIFOSamplePipe { +protected: + + bool verifyNumberOfChannels(int nChannels) const + { + if ((nChannels > 0) && (nChannels <= SOUNDTOUCH_MAX_CHANNELS)) + { + return true; + } + ST_THROW_RT_ERROR("Error: Illegal number of channels"); + return false; + } + public: // virtual default destructor virtual ~FIFOSamplePipe() {} diff --git a/include/STTypes.h b/include/STTypes.h index 03e7e07..862505e 100644 --- a/include/STTypes.h +++ b/include/STTypes.h @@ -56,6 +56,9 @@ typedef unsigned long ulong; namespace soundtouch { + /// Max allowed number of channels + #define SOUNDTOUCH_MAX_CHANNELS 16 + /// Activate these undef's to overrule the possible sampletype /// setting inherited from some other header file: //#undef SOUNDTOUCH_INTEGER_SAMPLES diff --git a/source/SoundTouch/FIFOSampleBuffer.cpp b/source/SoundTouch/FIFOSampleBuffer.cpp index f0d5e42..706e869 100644 --- a/source/SoundTouch/FIFOSampleBuffer.cpp +++ b/source/SoundTouch/FIFOSampleBuffer.cpp @@ -73,7 +73,8 @@ void FIFOSampleBuffer::setChannels(int numChannels) { uint usedBytes; - assert(numChannels > 0); + if (!verifyNumberOfChannels(numChannels)) return; + usedBytes = channels * samplesInBuffer; channels = (uint)numChannels; samplesInBuffer = usedBytes / channels; diff --git a/source/SoundTouch/RateTransposer.cpp b/source/SoundTouch/RateTransposer.cpp index 8b66be3..d115a4c 100644 --- a/source/SoundTouch/RateTransposer.cpp +++ b/source/SoundTouch/RateTransposer.cpp @@ -179,11 +179,10 @@ void RateTransposer::processSamples(const SAMPLETYPE *src, uint nSamples) // Sets the number of channels, 1 = mono, 2 = stereo void RateTransposer::setChannels(int nChannels) { - assert(nChannels > 0); + if (!verifyNumberOfChannels(nChannels) || + (pTransposer->numChannels == nChannels)) return; - if (pTransposer->numChannels == nChannels) return; pTransposer->setChannels(nChannels); - inputBuffer.setChannels(nChannels); midBuffer.setChannels(nChannels); outputBuffer.setChannels(nChannels); diff --git a/source/SoundTouch/SoundTouch.cpp b/source/SoundTouch/SoundTouch.cpp index 7b6756b..06bdd56 100644 --- a/source/SoundTouch/SoundTouch.cpp +++ b/source/SoundTouch/SoundTouch.cpp @@ -139,18 +139,14 @@ uint SoundTouch::getVersionId() // Sets the number of channels, 1 = mono, 2 = stereo void SoundTouch::setChannels(uint numChannels) { - /*if (numChannels != 1 && numChannels != 2) - { - //ST_THROW_RT_ERROR("Illegal number of channels"); - return; - }*/ + if (!verifyNumberOfChannels(numChannels)) return; + channels = numChannels; pRateTransposer->setChannels((int)numChannels); pTDStretch->setChannels((int)numChannels); } - // Sets new rate control value. Normal rate = 1.0, smaller values // represent slower rate, larger faster rates. void SoundTouch::setRate(double newRate) diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp index 149cdb9..be2dc88 100644 --- a/source/SoundTouch/TDStretch.cpp +++ b/source/SoundTouch/TDStretch.cpp @@ -588,9 +588,8 @@ void TDStretch::setTempo(double newTempo) // Sets the number of channels, 1 = mono, 2 = stereo void TDStretch::setChannels(int numChannels) { - assert(numChannels > 0); - if (channels == numChannels) return; -// assert(numChannels == 1 || numChannels == 2); + if (!verifyNumberOfChannels(numChannels) || + (channels == numChannels)) return; channels = numChannels; inputBuffer.setChannels(channels); -- 2.18.0