From: Jaromír Mikeš
Date: Mon, 20 Nov 2017 13:22:55 +0100
To: sox-devel@lists.sourceforge.net
Subject: Re: [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642)
In-Reply-To: <20171120110535.14410-1-mans@mansr.com>
References: <20171120110535.14410-1-mans@mansr.com>

2017-11-20 12:05 GMT+01:00 Mans Rullgard : > This fixes a use after free and double free if an empty comment > chunk follows a non-empty one. > --- > src/aiff.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/aiff.c b/src/aiff.c > index e34286be0a97..197ccd4e5d20 100644 > --- a/src/aiff.c > +++ b/src/aiff.c
> @@ -63,7 +63,6 @@ int lsx_aiffstartread(sox_format_t * ft) > size_t ssndsize =3D 0; > char *annotation; > char *author; > - char *comment =3D NULL; > char *copyright; > char *nametext; > > @@ -271,6 +270,7 @@ int lsx_aiffstartread(sox_format_t * ft) > free(annotation); > } > else if (strncmp(buf, "COMT", (size_t)4) =3D=3D 0) { > + char *comment =3D NULL; > rc =3D commentChunk(&comment, "Comment:", ft); > if (rc) { >> >> 2.15.0 > > >> >> >> ------------------------------------------------------------------------= ------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > SoX-devel mailing list > > SoX-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/sox-devel > > /* Fail already called in function */ > --

Thank you! Applied in debian repo.

best regards

mira
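Review bot: in the second hunk (@@ -271,6 +270,7 @@, the COMT branch) the new block-scoped `char *comment = NULL;` means each COMT chunk starts from a fresh NULL pointer, so a second, empty chunk no longer operates on whatever the previous chunk's commentChunk() left in a function-scope `comment`, which is the use after free and double free the commit message describes; what the quoted hunk does not show is who frees the per-chunk buffer once the branch ends, so confirm that both the `if (rc)` error path and the normal path release `comment` before the block-scoped pointer goes out of scope, otherwise the fix trades a double free for a leak of one buffer per COMT chunk. The first hunk (@@ -63,7 +63,6 @@) only drops the function-scope declaration and is consistent with that move. Note also that the quoted trailing context is mangled in this reply: the `2.15.0` version trailer and the list footer are interleaved before the `/* Fail already called in function */` context line, so the full hunk should be read from the original patch mail rather than from this quote.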
