nixpkgs/pkgs/applications/misc/audio/sox/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch
James Cook cf11e28599 sox: Patches for CVE-2014-8145
Found via RedHat bug 1174792.  It was not clear whether these address a
NULL dereference and a division by zero.
2015-02-15 00:12:29 -08:00

28 lines
1.1 KiB
Diff

From ebb64cddde59ecc9cedf3741ce2337c72148cc0c Mon Sep 17 00:00:00 2001
From: Chris Bagwell <chris@cnpbagwell.com>
Date: Sat, 13 Dec 2014 12:49:55 -0600
Subject: [PATCH 2/2] More checks for invalid MS ADPCM blocks.
If block doesn't exacty match blockAlign then do not allow
number of samples in invalid size block to ever be more than
what WAV header defined as samplesPerBlock.
---
src/wav.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wav.c b/src/wav.c
index 61d5908..5202556 100644
--- a/src/wav.c
+++ b/src/wav.c
@@ -168,7 +168,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * ft)
/* work with partial blocks. Specs say it should be null */
/* padded but I guess this is better than trailing quiet. */
samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0);
- if (samplesThisBlock == 0)
+ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
{
lsx_warn("Premature EOF on .wav input file");
return 0;
--
2.1.0