2017-11-07 10:26 GMT+01:00 Måns Rullgård <m...@mansr.com>:
> Eric Wong <normalper...@yhbt.net> writes:
>
> > Måns Rullgård <m...@mansr.com> wrote:
> >> All but one fixed here: https://github.com/mansr/sox
> >
> > I think this should fix the last one. I didn't check too
> > closely, just verified it's no longer segfaulting.
> >
> > (But lsx_valloc doesn't check for multiplication overflow)
> >
> > -----------8<---------
> > From: Eric Wong <e...@80x24.org>
> > Subject: [PATCH] adpcm: fix stack overflow (CVE-2017-15372)
> >
> > ---
> > src/adpcm.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/adpcm.c b/src/adpcm.c
> > index 2e13867e..e921eaba 100644
> > --- a/src/adpcm.c
> > +++ b/src/adpcm.c
> > @@ -113,7 +113,10 @@ const char *lsx_ms_adpcm_block_expand_i(
> > const unsigned char *ip;
> > unsigned ch;
> > const char *errmsg = NULL;
> > - MsState_t state[4]; /* One decompressor state for each channel */
> > + MsState_t *state;
> > +
> > + /* One decompressor state for each channel */
> > + lsx_valloc(state, chans);
> >
> > /* Read the four-byte header for each channel */
> > ip = ibuff;
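Review bot: the `lsx_valloc(state, chans);` added after the declarations has no matching `free(state)` in this patch (the diffstat lists only these 4 insertions and 1 deletion in src/adpcm.c), so every call to lsx_ms_adpcm_block_expand_i leaks one allocation. Either free `state` on each return path of the function, or allocate the per-channel state once outside the per-block function and pass it in. `chans` also reaches the allocation with no check visible in the hunk; rejecting a zero or implausibly large channel count before allocating would keep the size bounded.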
>
> This will leak memory like crazy.
>
> I'd prefer not to do a malloc/free for each block, but rather do it just
> once. This will require a little more work, of course.
>
Hi,
good to know, I will wait for a better fix then.
BTW I moved the Debian packaging here if you are interested:
https://anonscm.debian.org/git/pkg-multimedia/sox.git
I think it is better than doing it in the SourceForge upstream repo.
Best regards
mira
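
An added example, not code from this thread or from SoX: one way to allocate per-channel decoder state once instead of per block, with an allocation that refuses a wrapping size. The type and function names (`chan_state_t`, `decoder_t`, `alloc_array`, `decoder_open`, `decoder_block`, `decoder_close`) are hypothetical, and the per-block body is a stand-in for real header parsing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-channel state; a stand-in, not SoX's MsState_t. */
typedef struct { int step; short sample1, sample2; } chan_state_t;

/* Hypothetical decoder handle that owns the per-channel state array. */
typedef struct { unsigned chans; chan_state_t *state; } decoder_t;

/* Allocate n zeroed elements, failing instead of letting n * size wrap. */
static void *alloc_array(size_t n, size_t size)
{
    if (n == 0 || size == 0 || n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

/* Size the state once from the channel count; 0 on success, -1 on failure. */
static int decoder_open(decoder_t *d, unsigned chans)
{
    d->state = alloc_array(chans, sizeof *d->state);
    d->chans = d->state ? chans : 0;
    return d->state ? 0 : -1;
}

/* Per-block work reuses the array; a block that claims a different
 * channel count than the array was sized for is rejected. */
static int decoder_block(decoder_t *d, unsigned block_chans)
{
    unsigned ch;
    if (d->state == NULL || block_chans != d->chans)
        return -1;
    for (ch = 0; ch < d->chans; ch++)
        d->state[ch].step = 0; /* reset at block start (stand-in for header parsing) */
    return 0;
}

/* Single release point, so there is exactly one free per open. */
static void decoder_close(decoder_t *d)
{
    free(d->state);
    d->state = NULL;
    d->chans = 0;
}

int main(void)
{
    decoder_t d;
    if (decoder_open(&d, 6) != 0) return 1; /* more channels than a fixed [4] array holds */
    printf("block ok: %d\n", decoder_block(&d, 6) == 0);
    printf("mismatch rejected: %d\n", decoder_block(&d, 8) == -1);
    decoder_close(&d);
    return 0;
}
```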
_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel