LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12672 Commits
1 Branch
46 MiB
Tree: c0154044a0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c0154044a0'
${ noResults }
openwrt-packages-dist/libs/libaudiofile/patches/130-Check-for-multiplicatio...

70 lines
2.0 KiB
Raw Normal View History

libaudiofile: Multiple bug fixes, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2015-7747 & GCC6 patches Signed-off-by: Ted Hess <thess@kitschensync.net>
7 years ago
 
  1. From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
  2. From: Antonio Larrosa <larrosa@kde.org>
  3. Date: Mon, 6 Mar 2017 13:54:52 +0100
  4. Subject: [PATCH] Check for multiplication overflow in sfconvert
  5. 

  6. Checks that a multiplication doesn't overflow when
  7. calculating the buffer size, and if it overflows,
  8. reduce the buffer size instead of failing.
  9. 

  10. This fixes the 00192-audiofile-signintoverflow-sfconvert case
  11. in #41
  12. ---

  13.  sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
  14.  1 file changed, 32 insertions(+), 2 deletions(-)
  15. 

  16. diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c

  17. index 80a1bc4..970a3e4 100644

  18. --- a/sfcommands/sfconvert.c

  19. +++ b/sfcommands/sfconvert.c

  20. @@ -45,6 +45,33 @@ void printusage (void);

  21.  void usageerror (void);
  22.  bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
  23.  
  24. +int firstBitSet(int x)

  25. +{

  26. +        int position=0;

  27. +        while (x!=0)

  28. +        {

  29. +                x>>=1;

  30. +                ++position;

  31. +        }

  32. +        return position;

  33. +}

  34. +

  35. +#ifndef __has_builtin

  36. +#define __has_builtin(x) 0

  37. +#endif

  38. +

  39. +int multiplyCheckOverflow(int a, int b, int *result)

  40. +{

  41. +#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))

  42. +	return __builtin_mul_overflow(a, b, result);

  43. +#else

  44. +	if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits

  45. +		return true;

  46. +	*result = a * b;

  47. +	return false;

  48. +#endif

  49. +}

  50. +

  51.  int main (int argc, char **argv)
  52.  {
  53.  	if (argc == 2)
  54. @@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)

  55.  {
  56.  	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
  57.  
  58. -	const int kBufferFrameCount = 65536;

  59. -	void *buffer = malloc(kBufferFrameCount * frameSize);

  60. +	int kBufferFrameCount = 65536;

  61. +	int bufferSize;

  62. +	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))

  63. +		kBufferFrameCount /= 2;

  64. +	void *buffer = malloc(bufferSize);

  65.  
  66.  	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
  67.  	AFframecount totalFramesWritten = 0;
  68. -- 

  69. 2.11.0
  70.