packages/wavpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
wavpack/CVE-2020-35738.patch
wangxiao65 b7490345db fix CVE-2020-35738
2021-03-04 11:11:48 +08:00

53 lines
2.0 KiB
Diff
Raw Blame History

From 89df160596132e3bd666322e1c20b2ebd4b92cd0 Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Tue, 29 Dec 2020 20:47:19 -0800
Subject: [PATCH] issue #91: fix integer overflows resulting in buffer overruns
and sanitize a few more encoding parameters for clarity
---
src/pack_utils.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/pack_utils.c b/src/pack_utils.c
index 17d9381..480ab90 100644
--- a/src/pack_utils.c
+++ b/src/pack_utils.c
@@ -200,8 +200,13 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
return FALSE;
}
- if (!num_chans) {
- strcpy (wpc->error_message, "channel count cannot be zero!");
+ if (num_chans <= 0 || num_chans > NEW_MAX_STREAMS * 2) {
+ strcpy (wpc->error_message, "invalid channel count!");
+ return FALSE;
+ }
+
+ if (config->block_samples && (config->block_samples < 16 || config->block_samples > 131072)) {
+ strcpy (wpc->error_message, "invalid custom block samples!");
return FALSE;
}
@@ -523,7 +528,7 @@ int WavpackPackInit (WavpackContext *wpc)
if (wpc->config.num_channels == 1)
wpc->block_samples *= 2;
- while (wpc->block_samples > 12000 && wpc->block_samples * wpc->config.num_channels > 300000)
+ while (wpc->block_samples > 12000 && (int64_t) wpc->block_samples * wpc->config.num_channels > 300000)
wpc->block_samples /= 2;
}
else {
@@ -534,10 +539,10 @@ int WavpackPackInit (WavpackContext *wpc)
wpc->block_samples = wpc->config.sample_rate / divisor;
- while (wpc->block_samples > 12000 && wpc->block_samples * wpc->config.num_channels > 75000)
+ while (wpc->block_samples > 12000 && (int64_t) wpc->block_samples * wpc->config.num_channels > 75000)
wpc->block_samples /= 2;
- while (wpc->block_samples * wpc->config.num_channels < 20000)
+ while ((int64_t) wpc->block_samples * wpc->config.num_channels < 20000)
wpc->block_samples *= 2;
}
Reference in New Issue View Git Blame Copy Permalink