* [Buildroot] [PATCH 1/1] package/wavpack: fix CVE-2021-44269
@ 2022-03-18 19:40 Fabrice Fontaine
  2022-03-18 21:38 ` Yann E. MORIN
  2022-03-21 13:09 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-03-18 19:40 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV
files. This issue is triggered in function WavpackPackSamples of file
src/pack_utils.c: the tainted variable cnt is too large, which makes
pointer sptr read beyond the heap bound.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...e-DSD-file-types-for-invalid-lengths.patch | 42 +++++++++++++++++++
 package/wavpack/wavpack.mk                    |  3 ++
 2 files changed, 45 insertions(+)
 create mode 100644 package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch

diff --git a/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
new file mode 100644
index 0000000000..76c1e81674
--- /dev/null
+++ b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
@@ -0,0 +1,42 @@
+From 773f9d0803c6888ae7d5391878d7337f24216f4a Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 23 Nov 2021 13:14:35 -0800
+Subject: [PATCH] issue #110: sanitize DSD file types for invalid lengths
+
+[Retrieved from:
+https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ cli/dsdiff.c | 6 ++++++
+ cli/dsf.c    | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index d7adb6a..5bdcae3 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -278,6 +278,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+             }
+ 
+             total_samples = dff_chunk_header.ckDataSize / config->num_channels;
++
++            if (total_samples <= 0 || total_samples > MAX_WAVPACK_SAMPLES) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             break;
+         }
+         else {          // just copy unknown chunks to output file
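
Review bot: In the cli/dsdiff.c hunk, the context line total_samples = dff_chunk_header.ckDataSize / config->num_channels runs before the new range check, and nothing visible here shows config->num_channels being rejected when it is zero. Please confirm the channel count is validated earlier in ParseDsdiffHeaderConfig; otherwise the division faults before the added test is reached. Note also that the total_samples <= 0 arm only rejects negative values if total_samples is a signed type; with an unsigned type it reduces to a zero check.
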
+diff --git a/cli/dsf.c b/cli/dsf.c
+index e1d7973..dddd488 100644
+--- a/cli/dsf.c
++++ b/cli/dsf.c
+@@ -113,6 +113,7 @@ int ParseDsfHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackC
+ 
+     if (format_chunk.ckSize != sizeof (DSFFormatChunk) || format_chunk.formatVersion != 1 ||
+         format_chunk.formatID != 0 || format_chunk.blockSize != DSF_BLOCKSIZE || format_chunk.reserved ||
++        format_chunk.sampleCount <= 0 || format_chunk.sampleCount > MAX_WAVPACK_SAMPLES * 8 ||
+         (format_chunk.bitsPerSample != 1 && format_chunk.bitsPerSample != 8) ||
+         format_chunk.numChannels < 1 || format_chunk.numChannels > 6 ||
+         format_chunk.chanType < 1 || format_chunk.chanType > NUM_CHAN_TYPES) {
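
Review bot: The new sampleCount bound in cli/dsf.c compares against MAX_WAVPACK_SAMPLES * 8 with no explanation of the factor, while the dsdiff.c check uses MAX_WAVPACK_SAMPLES directly. The same limit applies whether bitsPerSample is 1 or 8 (both are accepted on the following line), so it is worth checking that the factor is intended for both cases and that the multiplication is evaluated in a type wide enough not to wrap. A sentence on this in the Buildroot commit message would make the backport easier to audit.
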
diff --git a/package/wavpack/wavpack.mk b/package/wavpack/wavpack.mk
index 485ab9b2ae..2e0438ac80 100644
--- a/package/wavpack/wavpack.mk
+++ b/package/wavpack/wavpack.mk
@@ -14,6 +14,9 @@ WAVPACK_LICENSE = BSD-3-Clause
 WAVPACK_LICENSE_FILES = COPYING
 WAVPACK_CPE_ID_VENDOR = wavpack
 
+# 0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
+WAVPACK_IGNORE_CVES += CVE-2021-44269
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 WAVPACK_CONF_OPTS += LIBS=-liconv
 endif
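
Review bot: WAVPACK_IGNORE_CVES += CVE-2021-44269 suppresses reporting of this CVE for the package, but the commit message describes a read in WavpackPackSamples in src/pack_utils.c while processing *.WAV files, whereas the backported patch only changes the DSD header parsers in cli/dsdiff.c and cli/dsf.c. Please add a line to the commit message tying the upstream commit (issue #110) to the CVE so the ignore entry can be justified from the log alone. The entry and the patch should be dropped together when the package is bumped to a release that contains the upstream fix.
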
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/wavpack: fix CVE-2021-44269
  2022-03-18 19:40 [Buildroot] [PATCH 1/1] package/wavpack: fix CVE-2021-44269 Fabrice Fontaine
@ 2022-03-18 21:38 ` Yann E. MORIN
  2022-03-21 13:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2022-03-18 21:38 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-03-18 20:40 +0100, Fabrice Fontaine spake thusly:
> An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV
> files. This issue is triggered in function WavpackPackSamples of file
> src/pack_utils.c: the tainted variable cnt is too large, which makes
> pointer sptr read beyond the heap bound.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...e-DSD-file-types-for-invalid-lengths.patch | 42 +++++++++++++++++++
>  package/wavpack/wavpack.mk                    |  3 ++
>  2 files changed, 45 insertions(+)
>  create mode 100644 package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
> 
> diff --git a/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
> new file mode 100644
> index 0000000000..76c1e81674
> --- /dev/null
> +++ b/package/wavpack/0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
> @@ -0,0 +1,42 @@
> +From 773f9d0803c6888ae7d5391878d7337f24216f4a Mon Sep 17 00:00:00 2001
> +From: David Bryant <david@wavpack.com>
> +Date: Tue, 23 Nov 2021 13:14:35 -0800
> +Subject: [PATCH] issue #110: sanitize DSD file types for invalid lengths
> +
> +[Retrieved from:
> +https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + cli/dsdiff.c | 6 ++++++
> + cli/dsf.c    | 1 +
> + 2 files changed, 7 insertions(+)
> +
> +diff --git a/cli/dsdiff.c b/cli/dsdiff.c
> +index d7adb6a..5bdcae3 100644
> +--- a/cli/dsdiff.c
> ++++ b/cli/dsdiff.c
> +@@ -278,6 +278,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
> +             }
> + 
> +             total_samples = dff_chunk_header.ckDataSize / config->num_channels;
> ++
> ++            if (total_samples <= 0 || total_samples > MAX_WAVPACK_SAMPLES) {
> ++                error_line ("%s is not a valid .DFF file!", infilename);
> ++                return WAVPACK_SOFT_ERROR;
> ++            }
> ++
> +             break;
> +         }
> +         else {          // just copy unknown chunks to output file
> +diff --git a/cli/dsf.c b/cli/dsf.c
> +index e1d7973..dddd488 100644
> +--- a/cli/dsf.c
> ++++ b/cli/dsf.c
> +@@ -113,6 +113,7 @@ int ParseDsfHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackC
> + 
> +     if (format_chunk.ckSize != sizeof (DSFFormatChunk) || format_chunk.formatVersion != 1 ||
> +         format_chunk.formatID != 0 || format_chunk.blockSize != DSF_BLOCKSIZE || format_chunk.reserved ||
> ++        format_chunk.sampleCount <= 0 || format_chunk.sampleCount > MAX_WAVPACK_SAMPLES * 8 ||
> +         (format_chunk.bitsPerSample != 1 && format_chunk.bitsPerSample != 8) ||
> +         format_chunk.numChannels < 1 || format_chunk.numChannels > 6 ||
> +         format_chunk.chanType < 1 || format_chunk.chanType > NUM_CHAN_TYPES) {
> diff --git a/package/wavpack/wavpack.mk b/package/wavpack/wavpack.mk
> index 485ab9b2ae..2e0438ac80 100644
> --- a/package/wavpack/wavpack.mk
> +++ b/package/wavpack/wavpack.mk
> @@ -14,6 +14,9 @@ WAVPACK_LICENSE = BSD-3-Clause
>  WAVPACK_LICENSE_FILES = COPYING
>  WAVPACK_CPE_ID_VENDOR = wavpack
>  
> +# 0001-issue-110-sanitize-DSD-file-types-for-invalid-lengths.patch
> +WAVPACK_IGNORE_CVES += CVE-2021-44269
> +
>  ifeq ($(BR2_PACKAGE_LIBICONV),y)
>  WAVPACK_CONF_OPTS += LIBS=-liconv
>  endif
> -- 
> 2.35.1

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* Re: [Buildroot] [PATCH 1/1] package/wavpack: fix CVE-2021-44269
  2022-03-18 19:40 [Buildroot] [PATCH 1/1] package/wavpack: fix CVE-2021-44269 Fabrice Fontaine
  2022-03-18 21:38 ` Yann E. MORIN
@ 2022-03-21 13:09 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-03-21 13:09 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV
 > files. This issue is triggered in function WavpackPackSamples of file
 > src/pack_utils.c: the tainted variable cnt is too large, which makes
 > pointer sptr read beyond the heap bound.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x, 2021.11.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
