From mboxrd@z Thu Jan 1 00:00:00 1970
From: Måns Rullgård
Newsgroups: gmane.comp.audio.sox.devel
Subject: Re: [PATCH] adpcm: fix stack overflow (CVE-2017-15372)
Date: Tue, 07 Nov 2017 09:26:37 +0000
References: <20171107011423.GA26133@starla>
In-Reply-To: <20171107011423.GA26133@starla> (Eric Wong's message of "Tue, 7 Nov 2017 01:14:23 +0000")
Reply-To: sox-devel@lists.sourceforge.net
To: Eric Wong
Cc: sox-devel@lists.sourceforge.net
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Xref: news.gmane.org gmane.comp.audio.sox.devel:530

Eric Wong writes:

> Måns Rullgård wrote:
>> All but one fixed here: https://github.com/mansr/sox
>
> I think this should fix the last one.  I didn't check too
> closely, just verified it's no longer segfaulting.
>
> (But lsx_valloc doesn't check for multiplication overflow)
>
> -----------8<---------
> From: Eric Wong
> Subject: [PATCH] adpcm: fix stack overflow (CVE-2017-15372)
>
> ---
>  src/adpcm.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/adpcm.c b/src/adpcm.c
> index 2e13867e..e921eaba 100644
> --- a/src/adpcm.c
> +++ b/src/adpcm.c
> @@ -113,7 +113,10 @@ const char *lsx_ms_adpcm_block_expand_i(
>    const unsigned char *ip;
>    unsigned ch;
>    const char *errmsg = NULL;
> -  MsState_t state[4]; /* One decompressor state for each channel */
> +  MsState_t *state;
> +
> +  /* One decompressor state for each channel */
> +  lsx_valloc(state, chans);
>  
>    /* Read the four-byte header for each channel */
>    ip = ibuff;

This will leak memory like crazy.  I'd prefer not to do a malloc/free
for each block, but rather do it just once.  This will require a little
more work, of course.

-- 
Måns Rullgård
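Review bot: the new `lsx_valloc(state, chans);` in lsx_ms_adpcm_block_expand_i has no matching free anywhere in the hunk, so every call (one per block, as the function name and the reply both indicate) allocates a fresh state array that is never released. Either free(state) on every exit path of this function, or hoist the allocation out of the per-block routine so it is done once per stream and released when the stream is closed. Separately, the hunk still trusts `chans` with no upper bound: since the function returns `const char *` and already keeps `const char *errmsg = NULL;` for error reporting, a check such as `if (chans > 4) return "too many channels";` ahead of the old `MsState_t state[4];` would close the stack overflow with no heap traffic at all, and it also avoids the multiplication-overflow gap in lsx_valloc that the cover note itself points out.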
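The allocate-once design Måns asks for, as an added example in C that is not SoX's code and not from either poster: a simplified MS-ADPCM-style block header reader whose per-channel state is sized from the channel count at open time, behind an overflow-checked size computation (the check Eric notes lsx_valloc lacks), so the per-block path never allocates and the fixed `state[4]` bound disappears. The names `ms_state_t`, `adpcm_stream_t`, `checked_calloc_n`, `adpcm_stream_open`/`_close`, `adpcm_block_expand`, the 4-byte-per-channel header layout and the 7-entry predictor table are assumptions for illustration, not SoX's real types or format handling.

```c
/* Added example, not SoX's code: a simplified MS-ADPCM-style block header
 * reader with per-channel state allocated once per stream (what Måns asks
 * for) behind an overflow-checked size (what Eric notes lsx_valloc lacks).
 * Struct fields, the 4-byte-per-channel header and all names are
 * assumptions for illustration, not SoX's real format handling. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR_BYTES_PER_CHAN 4   /* assumed per-channel header size in this toy */
#define PREDICTOR_SETS     7   /* MS ADPCM defines 7 coefficient pairs */

typedef struct { int predictor; int delta; int16_t sample1; } ms_state_t;

/* Parse one channel's 4 assumed header bytes into st; NULL on success. */
static const char *read_channel_header(ms_state_t *st, const unsigned char *ip)
{
    if (ip[0] >= PREDICTOR_SETS) return "bad predictor index";
    st->predictor = ip[0];
    st->delta     = (int16_t)(ip[1] | (ip[2] << 8));
    st->sample1   = (int8_t)ip[3];
    return NULL;
}

/* Overflow-checked n*size allocation: a huge chans must fail, not wrap. */
void *checked_calloc_n(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size) return NULL;
    return calloc(n, size);
}

typedef struct { unsigned chans; ms_state_t *state; } adpcm_stream_t;

/* Open-time work, done once per stream: validate chans and size the state
 * array from it. The per-block path then never allocates, so the original
 * state[4] bound is gone and there is no per-block malloc to leak. */
const char *adpcm_stream_open(adpcm_stream_t *s, unsigned chans)
{
    s->chans = 0;
    s->state = NULL;
    if (chans == 0) return "channel count must be nonzero";
    s->state = checked_calloc_n(chans, sizeof *s->state);
    if (s->state == NULL) return "cannot allocate per-channel state";
    s->chans = chans;
    return NULL;
}

void adpcm_stream_close(adpcm_stream_t *s)
{
    free(s->state);
    s->state = NULL;
    s->chans = 0;
}

/* Per-block work: length-checked, fills state already sized for s->chans. */
const char *adpcm_block_expand(adpcm_stream_t *s, const unsigned char *ibuff, size_t len)
{
    unsigned ch;
    const char *err;

    if (len / HDR_BYTES_PER_CHAN < s->chans) return "block shorter than header";
    for (ch = 0; ch < s->chans; ch++) {
        err = read_channel_header(&s->state[ch], ibuff + ch * HDR_BYTES_PER_CHAN);
        if (err) return err;
    }
    return NULL;
}

/* Worked run on a constructed header (predictor byte = channel number, room
 * for 8 channels): open a chans-channel stream, expand the same block twice
 * to show the state being reused, return the last channel's predictor or -1
 * on any error. Any chans > 4 is the input class that overflowed state[4]. */
int demo_stream(unsigned chans, size_t block_len)
{
    unsigned char hdr[8 * HDR_BYTES_PER_CHAN] = {0};
    adpcm_stream_t s;
    unsigned ch;
    int result = -1;

    if (chans > 8 || block_len > sizeof hdr) return -1;
    for (ch = 0; ch < 8; ch++)
        hdr[ch * HDR_BYTES_PER_CHAN] = (unsigned char)ch;   /* constructed input */
    if (adpcm_stream_open(&s, chans) != NULL) return -1;
    if (adpcm_block_expand(&s, hdr, block_len) == NULL &&
        adpcm_block_expand(&s, hdr, block_len) == NULL)
        result = s.state[chans - 1].predictor;
    adpcm_stream_close(&s);
    return result;
}

int main(void)
{
    printf("6 channels, full block: %d\n", demo_stream(6, 6 * HDR_BYTES_PER_CHAN));
    printf("2 channels, 3-byte block: %d\n", demo_stream(2, 3));
    return 0;
}
```

The split between `adpcm_stream_open` and `adpcm_block_expand` is the whole point: the only allocation happens where the channel count is first known and is paired with exactly one free in `adpcm_stream_close`, while the per-block function only bounds-checks its input against a state array that is already the right size. A six-channel stream, which would have written past a four-entry stack array, is just an ordinary heap index here.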