From: Jaromír M. <mir...@gm...> - 2017-11-07 09:42:07
2017-11-07 10:26 GMT+01:00 Måns Rullgård <ma...@ma...>:
> Eric Wong <nor...@yh...> writes:
>
> > Måns Rullgård <ma...@ma...> wrote:
> >> All but one fixed here: https://github.com/mansr/sox
> >
> > I think this should fix the last one. I didn't check too
> > closely, just verified it's no longer segfaulting.
> >
> > (But lsx_valloc doesn't check for multiplication overflow)
> >
> > -----------8<---------
> > From: Eric Wong <e...@80...>
> > Subject: [PATCH] adpcm: fix stack overflow (CVE-2017-15372)
> >
> > ---
> > src/adpcm.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/adpcm.c b/src/adpcm.c > > index 2e13867e..e921eaba 100644 > > --- a/src/adpcm.c > > +++ b/src/adpcm.c > > @@ -113,7 +113,10 @@ const char *lsx_ms_adpcm_block_expand_i( > > const unsigned char *ip; > > unsigned ch; > > const char *errmsg = NULL; > > - MsState_t state[4]; /* One decompressor state for each channel */ > > + MsState_t *state; > > + > > + /* One decompressor state for each channel */ > > + lsx_valloc(state, chans); > > > > /* Read the four-byte header for each channel */ > > ip = ibuff;
>
> This will leak memory like crazy.
>
> I'd prefer not to do a malloc/free for each block, but rather do it just
> once. This will require a little more work, of course.
>

Hi,
good to know, I will wait for a better fix then.

BTW I moved the Debian packaging here, if you are interested:
https://anonscm.debian.org/git/pkg-multimedia/sox.git
I think it is better than doing it in the SourceForge upstream repo.

best regards
mira
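
Review bot: the "lsx_valloc(state, chans);" added at the top of lsx_ms_adpcm_block_expand_i has no matching free of state anywhere in the visible hunk, so the per-channel decoder state is allocated again for every block and is released only if each return path frees it. Either free state before every return from the function, or allocate it once per stream in the caller and pass the pointer in, which also avoids an allocation per block. Because chans now sizes a heap allocation instead of being implicitly limited by "MsState_t state[4]", it should be validated as non-zero and bounded before this call, given the remark in the same mail that lsx_valloc does not check for multiplication overflow.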