From: Måns R. <ma...@ma...> - 2017-11-07 09:26:45
Eric Wong <nor...@yh...> writes:

> Måns Rullgård <ma...@ma...> wrote:
>> All but one fixed here: https://github.com/mansr/sox
>
> I think this should fix the last one. I didn't check too
> closely, just verified it's no longer segfaulting.
>
> (But lsx_valloc doesn't check for multiplication overflow)
>
> -----------8<--------- > From: Eric Wong <e...@80...> > Subject: [PATCH] adpcm: fix stack overflow (CVE-2017-15372) > > --- > src/adpcm.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/adpcm.c b/src/adpcm.c > index 2e13867e..e921eaba 100644 > --- a/src/adpcm.c > +++ b/src/adpcm.c > @@ -113,7 +113,10 @@ const char *lsx_ms_adpcm_block_expand_i( > const unsigned char *ip; > unsigned ch; > const char *errmsg = NULL; > - MsState_t state[4]; /* One decompressor state for each channel */ > + MsState_t *state; > + > + /* One decompressor state for each channel */ > + lsx_valloc(state, chans);

This will leak memory like crazy. I'd prefer not to do a malloc/free
for each block, but rather do it just once. This will require a little
more work, of course.

-- 
Måns Rullgård
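Review bot: The `lsx_valloc(state, chans);` added at the top of `lsx_ms_adpcm_block_expand_i` has no matching release anywhere in the visible hunk, so unless every return path of the function frees `state`, each expanded block leaks one `MsState_t` per channel. The hunk also passes `chans` to the allocator without validating it, so a zero or very large channel count from the file header goes straight into the size calculation. Since the removed line sized the array at four entries, a simpler change is to keep `MsState_t state[4]` on the stack and return an error before the header-read loop when `chans` is 0 or greater than 4; if more channels must be supported, allocate the state once outside the per-block path and free it when decoding ends.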