* [Buildroot] [PATCH] package/libsndfile: add security patch for CVE-2021-3246
@ 2021-09-22 11:31 Peter Korsgaard
From: Peter Korsgaard @ 2021-09-22 11:31 UTC (permalink / raw)
To: buildroot; +Cc: Bernd Kuhls
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile
1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
https://nvd.nist.gov/vuln/detail/CVE-2021-3246
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...-ms_adpcm-Fix-and-extend-size-checks.patch | 40 +++++++++++++++++++
package/libsndfile/libsndfile.mk | 3 ++
2 files changed, 43 insertions(+)
create mode 100644 package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
diff --git a/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
new file mode 100644
index 0000000000..edacbda01a
--- /dev/null
+++ b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
@@ -0,0 +1,40 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
+--
+2.20.1
+
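Review bot: the error message on the second new check rounds its lower bound down. The condition rejects `2 * blockalign < samplesperblock * psf->sf.channels`, so the smallest blockalign that passes is the product divided by two rounded up, but the message prints `samplesperblock * psf->sf.channels / 2` with integer division, which for an odd product reports a value one below the blockalign that would actually be accepted; printing `(samplesperblock * psf->sf.channels + 1) / 2` would match the check. The checks themselves look right for the read path, where both `blockalign` and `samplesperblock` come from the file header independently: the first keeps the 7-samples-per-channel preamble consistent with `samplesperblock` (the old check only compared the preamble against `blockalign`, as the commit message explains), and the second bounds the samples the block claims to hold by its size, with the factor 2 treating each sample after the preamble as half a byte. On the write path `samplesperblock` is derived from `blockalign` two lines above, so both conditions hold by construction there. Since this file is a straight backport of upstream commit deb669ee8be55a94565f6f8a6b60890c2e7c6f32, the message wording should be raised upstream rather than diverged in the Buildroot copy.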
diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
index c955b9d088..ed9e8e3d14 100644
--- a/package/libsndfile/libsndfile.mk
+++ b/package/libsndfile/libsndfile.mk
@@ -12,6 +12,9 @@ LIBSNDFILE_LICENSE = LGPL-2.1+
LIBSNDFILE_LICENSE_FILES = COPYING
LIBSNDFILE_CPE_ID_VENDOR = libsndfile_project
+# 0001-ms_adpcm-Fix-and-extend-size-checks.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2021-3246
+
# disputed, https://github.com/erikd/libsndfile/issues/398
LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
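Review bot: the new ignore entry needs its lifetime made explicit: `LIBSNDFILE_IGNORE_CVES += CVE-2021-3246` is only correct while 0001-ms_adpcm-Fix-and-extend-size-checks.patch is carried, so whoever bumps the package to a release containing upstream commit deb669ee8be55a94565f6f8a6b60890c2e7c6f32 must drop the patch and this line together, otherwise the CVE stays silently suppressed against a version that may or may not have the fix. The comment naming the patch file follows the existing style of this block (compare the `# disputed, ...` comment above CVE-2018-13419) and makes that coupling findable by grepping for the patch name, which is good. The commit message currently carries only the NVD description; one sentence saying the patch is a backport of that upstream commit would help the next person judge when the ignore can go.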
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/libsndfile: add security patch for CVE-2021-3246
From: Arnout Vandecappelle @ 2021-09-22 19:22 UTC (permalink / raw)
To: Peter Korsgaard, buildroot; +Cc: Bernd Kuhls
On 22/09/2021 13:31, Peter Korsgaard wrote:
> A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile
> 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-3246
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> ...-ms_adpcm-Fix-and-extend-size-checks.patch | 40 +++++++++++++++++++
> package/libsndfile/libsndfile.mk | 3 ++
> 2 files changed, 43 insertions(+)
> create mode 100644 package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
>
> diff --git a/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
> new file mode 100644
> index 0000000000..edacbda01a
> --- /dev/null
> +++ b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
> @@ -0,0 +1,40 @@
> +From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
> +From: bobsayshilol <bobsayshilol@live.co.uk>
> +Date: Thu, 18 Feb 2021 21:52:09 +0000
> +Subject: [PATCH] ms_adpcm: Fix and extend size checks
> +
> +'blockalign' is the size of a block, and each block contains 7 samples
> +per channel as part of the preamble, so check against 'samplesperblock'
> +rather than 'blockalign'. Also add an additional check that the block
> +is big enough to hold the samples it claims to hold.
> +
> +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +---
> + src/ms_adpcm.c | 10 ++++++++--
> + 1 file changed, 8 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
> +index 5e8f1a31..a21cb994 100644
> +--- a/src/ms_adpcm.c
> ++++ b/src/ms_adpcm.c
> +@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
> + if (psf->file.mode == SFM_WRITE)
> + samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
> +
> +- if (blockalign < 7 * psf->sf.channels)
> +- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
> ++ /* There's 7 samples per channel in the preamble of each block */
> ++ if (samplesperblock < 7 * psf->sf.channels)
> ++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
> ++ return SFE_INTERNAL ;
> ++ } ;
> ++
> ++ if (2 * blockalign < samplesperblock * psf->sf.channels)
> ++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
> + return SFE_INTERNAL ;
> + } ;
> +
> +--
> +2.20.1
> +
> diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
> index c955b9d088..ed9e8e3d14 100644
> --- a/package/libsndfile/libsndfile.mk
> +++ b/package/libsndfile/libsndfile.mk
> @@ -12,6 +12,9 @@ LIBSNDFILE_LICENSE = LGPL-2.1+
> LIBSNDFILE_LICENSE_FILES = COPYING
> LIBSNDFILE_CPE_ID_VENDOR = libsndfile_project
>
> +# 0001-ms_adpcm-Fix-and-extend-size-checks.patch
> +LIBSNDFILE_IGNORE_CVES += CVE-2021-3246
> +
> # disputed, https://github.com/erikd/libsndfile/issues/398
> LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
>
>