aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
blob: 99debf2104f07f8a472b6637b75ac03626cf5a26 (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Fix CVE-2017-14632:

https://gitlab.xiph.org/xiph/vorbis/issues/2328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632

Patch copied from upstream source repository:

https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f

From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 15 Nov 2017 18:22:59 +0100
Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
 if not initialized

If the number of channels is not within the allowed range
we call oggback_writeclear altough it's not initialized yet.

This fixes

    =23371== Invalid free() / delete / delete[] / realloc()
    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
    ==23371==    by 0x10D82A: process (sox.c:1753)
    ==23371==    by 0x10D82A: main (sox.c:3012)
    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
    ==23371==    by 0x10D82A: process (sox.c:1753)
    ==23371==    by 0x10D82A: main (sox.c:3012)

as seen when using the testcase from CVE-2017-11333 with
008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
there before.
---
 lib/info.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/info.c b/lib/info.c
index 7bc4ea4..8d0b2ed 100644
--- a/lib/info.c
+++ b/lib/info.c
@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
   private_state *b=v->backend_state;
 
   if(!b||vi->channels<=0||vi->channels>256){
+    b = NULL;
     ret=OV_EFAULT;
     goto err_out;
   }
-- 
2.15.1