From cb18218ad125c1e4c13010c8ee946057ee07103c Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Wed, 22 Sep 2021 13:31:09 +0200
Subject: [PATCH] package/libsndfile: add security patch for CVE-2021-3246

A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.

https://nvd.nist.gov/vuln/detail/CVE-2021-3246

Signed-off-by: Peter Korsgaard
Signed-off-by: Arnout Vandecappelle (Essensium/Mind)
---
 ...-ms_adpcm-Fix-and-extend-size-checks.patch | 40 +++++++++++++++++++
 package/libsndfile/libsndfile.mk | 3 ++
 2 files changed, 43 insertions(+)
 create mode 100644 package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch

diff --git a/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
new file mode 100644
index 0000000000..edacbda01a
--- /dev/null
+++ b/package/libsndfile/0001-ms_adpcm-Fix-and-extend-size-checks.patch
@@ -0,0 +1,40 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+Signed-off-by: Peter Korsgaard
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+ 
+-- 
+2.20.1
+
diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
index c955b9d088..ed9e8e3d14 100644
--- a/package/libsndfile/libsndfile.mk
+++ b/package/libsndfile/libsndfile.mk
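Review bot: The comment added on the new side, `/* There's 7 samples per channel in the preamble of each block */`, disagrees with the write-mode formula two lines above it, which subtracts `7 * psf->sf.channels` from `blockalign` (a byte count) and adds `2` samples per channel — i.e. the preamble is 7 bytes and 2 samples per channel, not 7 samples. If `samplesperblock` is the per-channel count that formula produces, the first new check compares a per-channel sample count against a per-block byte count, so it is stricter than its comment suggests and may reject small valid multi-channel blocks; conversely the second check, `2 * blockalign < samplesperblock * psf->sf.channels`, ignores the preamble bytes and so admits a `samplesperblock` somewhat larger than the block can actually carry. A read-side bound derived from the same formula the write path uses, `if (samplesperblock > 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels)`, would make the two paths agree; whether the decoder tolerates the remaining slack cannot be told from this hunk. Since this file is a backported upstream patch, any tightening belongs upstream and the vendored copy should track it; wavlike_msadpcm_init itself starts and ends outside the hunk.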
@@ -12,6 +12,9 @@ LIBSNDFILE_LICENSE = LGPL-2.1+
 LIBSNDFILE_LICENSE_FILES = COPYING
 LIBSNDFILE_CPE_ID_VENDOR = libsndfile_project
+# 0001-ms_adpcm-Fix-and-extend-size-checks.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2021-3246
+
 # disputed, https://github.com/erikd/libsndfile/issues/398
 LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
-- 
2.30.2
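Review bot: The new `LIBSNDFILE_IGNORE_CVES` entry records only the patch file name, not the condition under which the ignore must be retired; whoever bumps the package to a release that already contains the upstream fix has to drop both the patch and this line together, and nothing in the hunk says so. The preceding `# disputed, ...` entry shows the file already uses the comment line to carry the reason, so a slightly fuller comment would stay consistent with that style, e.g. `# fixed by 0001-ms_adpcm-Fix-and-extend-size-checks.patch; drop together with the patch on the next version bump`. The ignore is only justified as long as that patch is actually applied, so keeping the two coupled in the comment is what protects the CVE report from going stale.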