* [Buildroot] [git commit] package/wavpack: fix CVE-2021-44269
@ 2022-03-18 21:38 Yann E. MORIN
From: Yann E. MORIN @ 2022-03-18 21:38 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=a9bff8a0b0f68f070a5ae0e94cbffefb9b455b26
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

An out-of-bounds read was found in Wavpack 5.4.0 in processing *.WAV
files. This issue is triggered in function WavpackPackSamples of file
src/pack_utils.c: tainted variable cnt is too large, which makes pointer
sptr read beyond the heap bound.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 ...nitize-DSD-file-types-for-invalid-lengths.patch | 42 ++++++++++++++++++++++
 package/wavpack/wavpack.mk                         |  3 ++
 2 files changed, 45 insertions(+)

diff --git a/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
new file mode 100644
index 0000000000..76c1e81674
--- /dev/null
+++ b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
@@ -0,0 +1,42 @@
+From 773f9d0803c6888ae7d5391878d7337f24216f4a Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 23 Nov 2021 13:14:35 -0800
+Subject: [PATCH] issue #110: sanitize DSD file types for invalid lengths
+
+[Retrieved from:
+https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ cli/dsdiff.c | 6 ++++++
+ cli/dsf.c    | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index d7adb6a..5bdcae3 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -278,6 +278,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+             }
+ 
+             total_samples = dff_chunk_header.ckDataSize / config->num_channels;
++
++            if (total_samples <= 0 || total_samples > MAX_WAVPACK_SAMPLES) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             break;
+         }
+         else {          // just copy unknown chunks to output file
+diff --git a/cli/dsf.c b/cli/dsf.c
+index e1d7973..dddd488 100644
+--- a/cli/dsf.c
++++ b/cli/dsf.c
+@@ -113,6 +113,7 @@ int ParseDsfHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackC
+ 
+     if (format_chunk.ckSize != sizeof (DSFFormatChunk) || format_chunk.formatVersion != 1 ||
+         format_chunk.formatID != 0 || format_chunk.blockSize != DSF_BLOCKSIZE || format_chunk.reserved ||
++        format_chunk.sampleCount <= 0 || format_chunk.sampleCount > MAX_WAVPACK_SAMPLES * 8 ||
+         (format_chunk.bitsPerSample != 1 && format_chunk.bitsPerSample != 8) ||
+         format_chunk.numChannels < 1 || format_chunk.numChannels > 6 ||
+         format_chunk.chanType < 1 || format_chunk.chanType > NUM_CHAN_TYPES) {
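
Review bot: In the cli/dsf.c part the new upper bound is "MAX_WAVPACK_SAMPLES * 8", while the cli/dsdiff.c part compares against plain MAX_WAVPACK_SAMPLES, and neither hunk says why the factor of 8 applies. A one-line comment stating the unit of format_chunk.sampleCount versus total_samples would let a reader check both limits. The two "<= 0" tests reject negative values only if the operand is a signed type, which is not visible in these lines; if sampleCount is unsigned the test is effectively "== 0" and reads better written that way. In dsdiff.c the check is placed after the division by config->num_channels, so it depends on the channel count having been validated as non-zero earlier in ParseDsdiffHeaderConfig; worth confirming before relying on this as the only sanitization.
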
diff --git a/package/wavpack/wavpack.mk b/package/wavpack/wavpack.mk
index 485ab9b2ae..2e0438ac80 100644
--- a/package/wavpack/wavpack.mk
+++ b/package/wavpack/wavpack.mk
@@ -14,6 +14,9 @@ WAVPACK_LICENSE = BSD-3-Clause
 WAVPACK_LICENSE_FILES = COPYING
 WAVPACK_CPE_ID_VENDOR = wavpack
 
+# 0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
+WAVPACK_IGNORE_CVES += CVE-2021-44269
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 WAVPACK_CONF_OPTS += LIBS=-liconv
 endif
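
Review bot: The WAVPACK_IGNORE_CVES entry is justified only by the comment naming the patch file, and the commit message does not connect the two: it describes a read in WavpackPackSamples in src/pack_utils.c on *.WAV input, while the referenced patch changes the DSD header parsers in cli/dsdiff.c and cli/dsf.c. Suggest one sentence in the commit message explaining how the length checks in those parsers stop the oversized cnt from reaching WavpackPackSamples, and removing this entry together with the patch on the version bump that contains upstream commit 773f9d0803c6888ae7d5391878d7337f24216f4a, so the CVE is not left suppressed without the fix.
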