diff options
| author |   Ross Burton <ross.burton@intel.com> | 2019-03-25 23:21:08 +0000 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-25 23:26:57 +0000 |
| commit | aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2 (patch) | |
| tree | 0072b28a120de43dea184ccfd7f24bb314359480 /meta/recipes-multimedia | |
| parent | 7bdf9581e807b978b92f29e11ab2a9e69e08410f (diff) | |
| download | openembedded-core-aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2.tar.gz | |
libsndfile1: fix CVE-2019-3832
The previous fix for CVE-2018-19758 wasn't complete, so backport another patch
to solve it properly.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch | 37 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch new file mode 100644 index 0000000000..ab37211399 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch @@ -0,0 +1,37 @@ +From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort <pochu27@gmail.com> +Date: Tue, 5 Mar 2019 11:27:17 +0100 +Subject: [PATCH] wav_write_header: don't read past the array end + +CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder. + +CVE: CVE-2019-3832 +Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e] +Signed-off-by: Ross Burton <ross.burton@intel.com> + +If loop_count is bigger than the array, truncate it to the array +length (and not to 32k). + +CVE-2019-3832 + +--- + src/wav.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/wav.c b/src/wav.c +index daae3cc..8851549 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + +- /* Loop count is signed 16 bit number so we limit it range to something sensible. */ +- psf->instrument->loop_count &= 0x7fff ; ++ /* Make sure we don't read past the loops array end. */ ++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) ++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; ++ + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index eb2c719d8d..77393db847 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -16,6 +16,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2018-19432.patch \ file://CVE-2017-12562.patch \ file://CVE-2018-19758.patch \ + file://CVE-2019-3832.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |