From: Mans Rullgard
To: sox-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2017 00:29:14 +0000
Message-Id: <20171108002914.782-1-mans@mansr.com>
Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)

--- src/adpcm.c | 8 +++++++- src/adpcm.h | 3 +++ src/wav.c | 5 ++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/adpcm.c b/src/adpcm.c index 2e13867e94b0..f64b7d5c2787 100644 --- a/src/adpcm.c +++ b/src/adpcm.c 
@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = { { 392,-232} }; +extern void *lsx_ms_adpcm_alloc(unsigned chans) +{ + return lsx_malloc(chans * sizeof(MsState_t)); +} + static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, sox_sample_t sample1, sox_sample_t sample2) { @@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, @@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( const unsigned char *ip; unsigned ch; const char *errmsg = NULL; - MsState_t state[4]; /* One decompressor state for each channel */ + MsState_t *state = priv; /* One decompressor state for each channel */ /* Read the four-byte header for each channel */ ip = ibuff; diff --git a/src/adpcm.h b/src/adpcm.h index af4d6f08117d..db5cc6152196 100644 --- a/src/adpcm.h +++ b/src/adpcm.h @@ -29,8 +29,11 @@ /* default coef sets */ extern const short lsx_ms_adpcm_i_coef[7][2]; +extern void *lsx_ms_adpcm_alloc(unsigned chans); + /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ extern const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, diff --git a/src/wav.c b/src/wav.c index fad334cf56e9..066be6d7732d 100644 --- a/src/wav.c +++ b/src/wav.c @@ -82,6 +82,7 @@ typedef struct { /* following used by *ADPCM wav files */ unsigned short nCoefs; /* ADPCM: number of coef sets */ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ + void *ms_adpcm_data; /* Private data of adpcm decoder */ unsigned char *packet; /* Temporary buffer for packets */ short *samples; /* interleaved samples buffer */ short *samplePtr; /* Pointer to current sample */ 
@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * ft) } } - errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); + errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); if (errmsg) lsx_warn("%s", errmsg); @@ -791,6 +792,7 @@ static int startread(sox_format_t * ft) /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); + wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); { int i, errct=0; for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { @@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft) free(wav->packet); free(wav->samples); free(wav->lsx_ms_adpcm_i_coefs); + free(wav->ms_adpcm_data); free(wav->comment); wav->comment = NULL; -- 2.15.0
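
Review bot: In the src/adpcm.c and src/adpcm.h hunks, lsx_ms_adpcm_block_expand_i() now takes its per-channel state from the caller (`MsState_t *state = priv;`), but neither the function nor the new prototype documents that `priv` must come from lsx_ms_adpcm_alloc() called with at least the same channel count that is later passed as `chans`. Because the parameter is a `void *`, the compiler cannot catch a wrong pointer, and a NULL `priv` is dereferenced as soon as the per-channel headers are read. I would state the contract in a comment next to the prototype in adpcm.h and consider rejecting a NULL `priv` through the existing `errmsg` return. The patch also carries no description beyond the subject line; one sentence naming the root cause (the fixed `MsState_t state[4]` used for every channel count) would help anyone backporting the fix.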
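
Review bot: In src/wav.c the state buffer is sized in startread() with `lsx_ms_adpcm_alloc(wChannels)`, while the AdpcmReadBlock() hunk passes `ft->signal.channels` as the channel count to lsx_ms_adpcm_block_expand_i(). Nothing in the visible lines ties those two values together, and the fix is only sound if they are always equal at decode time; if they can ever differ, the overrun of the old stack array simply becomes an overrun of the new heap buffer. I would allocate from the same expression that is later passed as `chans`, or store the allocated count next to `ms_adpcm_data` in the private struct and check it before the call.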
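
Review bot: In the stopread() hunk of src/wav.c, `free(wav->ms_adpcm_data);` leaves the pointer set after the free, whereas the line that follows resets `wav->comment` to NULL. Adding `wav->ms_adpcm_data = NULL;` after the free would keep a second stopread() or a later read on the same handle from turning into a double free or a use of freed decoder state.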