Eric Wong <normalper...@yhbt.net> writes: > Måns Rullgård <m...@mansr.com> wrote: >> All but one fixed here: https://github.com/mansr/sox > > I think this should fix the last one. I didn't check too > closely, just verified it's no longer segfaulting. > > (But lsx_valloc doesn't check for multiplication overflow) > > -----------8<--------- > From: Eric Wong <e...@80x24.org> > Subject: [PATCH] adpcm: fix stack overflow (CVE-2017-15372) > > --- > src/adpcm.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/adpcm.c b/src/adpcm.c > index 2e13867e..e921eaba 100644 > --- a/src/adpcm.c > +++ b/src/adpcm.c > @@ -113,7 +113,10 @@ const char *lsx_ms_adpcm_block_expand_i( > const unsigned char *ip; > unsigned ch; > const char *errmsg = NULL; > - MsState_t state[4]; /* One decompressor state for each channel */ > + MsState_t *state; > + > + /* One decompressor state for each channel */ > + lsx_valloc(state, chans); > > /* Read the four-byte header for each channel */ > ip = ibuff;
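Review bot: the `lsx_valloc(state, chans);` added at the top of `lsx_ms_adpcm_block_expand_i` has no matching `free(state)`. The diffstat's 4 insertions are fully accounted for by the declaration, the blank line, the comment and the allocation, so nothing releases the buffer and each expanded block leaks `chans` decoder states. Either free `state` before the function returns, or allocate it once per stream and pass it in, so the per-block path does no allocation at all. The hunk also uses `chans` as the allocation count without any visible bounds check. As the cover note says, `lsx_valloc` does not check for multiplication overflow, so `chans` should be validated (non-zero, below a sane maximum) before it reaches this call. If the format's channel count can be bounded where the header is parsed, rejecting out-of-range values there would also protect the original fixed-size array.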
This will leak memory like crazy. I'd prefer not to do a malloc/free for each block, but rather do it just once. This will require a little more work, of course.

--
Måns Rullgård

_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel