1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
Fix CVE-2018-1000223:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223
https://gitlab.com/soundtouch/soundtouch/issues/6
Patches copied from upstream source repository:
https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e
https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275
https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967
From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Sun, 12 Aug 2018 20:24:37 +0300
Subject: [PATCH] Added minimum size check for WAV header block lengh values
---
source/SoundStretch/WavFile.cpp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 7e7ade2..68818c9 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
// read length of the format field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int format_len;
+ _swap32(nLen);
+
+ // verify that header length isn't smaller than expected
+ if (nLen < sizeof(header.format) - 8) return -1;
+
header.format.format_len = nLen;
// calculate how much length differs from expected
@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
_swap32(nLen); // int fact_len;
+
+ // verify that fact length isn't smaller than expected
+ if (nLen < sizeof(header.fact) - 8) return -1;
+
header.fact.fact_len = nLen;
// calculate how much length differs from expected
--
2.18.0
From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:16:16 +0300
Subject: [PATCH] Fixed WavFile header/fact not-too-small check
---
source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 4af7a4c..3421bca 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
// swap byte order if necessary
_swap32(nLen);
- // verify that header length isn't smaller than expected
- if (nLen < sizeof(header.format) - 8) return -1;
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.format) - 8);
- header.format.format_len = nLen;
+ // verify that header length isn't smaller than expected structure
+ if (nDump < 0) return -1;
- // calculate how much length differs from expected
- nDump = nLen - ((int)sizeof(header.format) - 8);
+ header.format.format_len = nLen;
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
// read length of the fact field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int fact_len;
-
- // verify that fact length isn't smaller than expected
- if (nLen < sizeof(header.fact) - 8) return -1;
-
- header.fact.fact_len = nLen;
+ _swap32(nLen);
// calculate how much length differs from expected
nDump = nLen - ((int)sizeof(header.fact) - 8);
+ // verify that fact length isn't smaller than expected structure
+ if (nDump < 0) return -1;
+
+ header.fact.fact_len = nLen;
+
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
{
--
2.18.0
From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
From: olli <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:42:58 +0300
Subject: [PATCH] Improved WavFile header/fact not-too-small check
---
source/SoundStretch/WavFile.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 3421bca..9d90b8a 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
nDump = nLen - ((int)sizeof(header.format) - 8);
// verify that header length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
header.format.format_len = nLen;
@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
nDump = nLen - ((int)sizeof(header.fact) - 8);
// verify that fact length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
header.fact.fact_len = nLen;
--
2.18.0
|