guix/gnu/packages/patches/wavpack-CVE-2018-7253.patch
Marius Bakke 65f704f373
gnu: wavpack: Fix CVE-2018-7253 and CVE-2018-7254.
* gnu/packages/patches/wavpack-CVE-2018-7253.patch,
gnu/packages/patches/wavpack-CVE-2018-7254.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/audio.scm (wavpack)[source](patches): Use them.
2018-02-23 20:40:51 +01:00

29 lines
1.2 KiB
Diff

Fix CVE-2018-7253:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
Copied from upstream:
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
diff --git a/cli/dsdiff.c b/cli/dsdiff.c
index 410dc1c..c016df9 100644
--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
error_line ("dsdiff file version = 0x%08x", version);
}
else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+ char *prop_chunk;
+
+ if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
+ error_line ("%s is not a valid .DFF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ if (debug_logging_mode)
+ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
+
+ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
bcount != dff_chunk_header.ckDataSize) {