These patches fix all current CVEs in SoX. They have been posted here before, but some were buried in other threads. I'd appreciate a final review before putting them in the master branch (now that I can do that).
Mans Rullgard (8):
  wav: fix crash if channel count is zero (CVE-2017-11332)
  hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
  wav: fix crash writing header when channel count >64k (CVE-2017-11359)
  wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
  flac: fix crash on corrupt metadata (CVE-2017-15371)
  adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
  aiff: fix crash on empty comment chunk (CVE-2017-15642)
  xa: validate channel count (CVE-2017-18189)

 src/adpcm.c |  8 +++++++-
 src/adpcm.h |  3 +++
 src/aiff.c  |  2 +-
 src/flac.c  |  8 +++++---
 src/hcom.c  |  5 +++++
 src/wav.c   | 18 ++++++++++++++++--
 src/xa.c    |  6 ++++++
 7 files changed, 43 insertions(+), 7 deletions(-)

-- 
2.17.0

_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel
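Four of the eight patches above (wav zero channels, wav >64k channels, adpcm >4 channels, xa channel count) share one failure mode: a channel count taken from the file header is used to size, divide by, or index per-channel state before it is range-checked. The following is an added example, not SoX's code and not the contents of these patches: a standalone C parser for the 16-byte PCM WAVE "fmt " body that rejects a zero channel count and inconsistent block alignment, a writer-side check that a caller-supplied count fits the 16-bit header field, and a decoder state with a fixed per-channel array that is bounded before any element is touched. ADPCM_MAX_CHANNELS, the struct layouts, the function names and the sample header bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not SoX code. Limits and layouts are assumptions. */
#define ADPCM_MAX_CHANNELS 4u   /* assumed size of a fixed per-channel state array */

typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wav_fmt;

enum wav_status {
    WAV_OK = 0,
    WAV_ERR_SHORT,          /* chunk body shorter than the 16-byte PCM header */
    WAV_ERR_ZERO_CHANNELS,  /* channels == 0: later division / empty per-channel buffers */
    WAV_ERR_BITS,           /* bits_per_sample not a multiple of 8 in 8..32 */
    WAV_ERR_ALIGN           /* block_align or byte_rate inconsistent with channels */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate the 16-byte PCM fmt body. All checks run before the
 * values are handed to anything that divides by or allocates from them. */
enum wav_status parse_fmt(const uint8_t *buf, size_t len, wav_fmt *out)
{
    if (len < 16) return WAV_ERR_SHORT;
    out->format_tag      = rd16(buf);
    out->channels        = rd16(buf + 2);
    out->sample_rate     = rd32(buf + 4);
    out->byte_rate       = rd32(buf + 8);
    out->block_align     = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);

    if (out->channels == 0) return WAV_ERR_ZERO_CHANNELS;
    if (out->bits_per_sample == 0 || out->bits_per_sample > 32 || out->bits_per_sample % 8)
        return WAV_ERR_BITS;

    /* channels <= 65535 and bytes/sample <= 4, so this cannot overflow 32 bits. */
    uint32_t frame = (uint32_t)out->channels * (out->bits_per_sample / 8u);
    if (out->block_align != frame) return WAV_ERR_ALIGN;
    /* sample_rate * frame can exceed 32 bits on hostile input; compare widened. */
    if ((uint64_t)out->sample_rate * frame != out->byte_rate) return WAV_ERR_ALIGN;
    return WAV_OK;
}

/* Writer side: the count arrives from the caller as a plain integer and
 * must fit the 16-bit header field before the header is emitted. */
int wav_channels_writable(unsigned channels)
{
    return channels >= 1 && channels <= 0xFFFFu;
}

/* Decoder side: a fixed per-channel state array (hypothetical layout) is
 * only safe if the header's channel count is bounded before state[ch] use. */
typedef struct {
    int16_t predictor[ADPCM_MAX_CHANNELS];
    int16_t delta[ADPCM_MAX_CHANNELS];
    unsigned channels;
} adpcm_state;

int adpcm_init(adpcm_state *st, unsigned channels)
{
    if (channels == 0 || channels > ADPCM_MAX_CHANNELS) return -1;
    st->channels = channels;
    for (unsigned ch = 0; ch < channels; ch++) { st->predictor[ch] = 0; st->delta[ch] = 16; }
    return 0;
}

/* Build a little-endian PCM fmt body (constructed test input). */
void build_fmt(uint8_t out[16], uint16_t channels, uint32_t rate, uint16_t bits)
{
    uint32_t block = (uint32_t)channels * (bits / 8u);
    uint32_t byte_rate = rate * block;
    out[0] = 1; out[1] = 0;                               /* WAVE_FORMAT_PCM */
    out[2] = (uint8_t)(channels & 0xFF); out[3] = (uint8_t)(channels >> 8);
    for (int i = 0; i < 4; i++) {
        out[4 + i] = (uint8_t)((rate >> (8 * i)) & 0xFF);
        out[8 + i] = (uint8_t)((byte_rate >> (8 * i)) & 0xFF);
    }
    out[12] = (uint8_t)(block & 0xFF); out[13] = (uint8_t)(block >> 8);
    out[14] = (uint8_t)(bits & 0xFF);  out[15] = (uint8_t)(bits >> 8);
}

int main(void)
{
    uint8_t good[16], zero[16];
    wav_fmt f;
    adpcm_state st;
    build_fmt(good, 2, 44100, 16);
    build_fmt(zero, 0, 44100, 16);
    printf("2ch=%d 0ch=%d 70000ch_writable=%d 6ch_adpcm=%d\n",
           parse_fmt(good, 16, &f), parse_fmt(zero, 16, &f),
           wav_channels_writable(70000), adpcm_init(&st, 6));
    return 0;
}
```

The point of the layout is ordering: every field is range-checked in parse_fmt before any caller can derive a buffer size or an array index from it, and the writer and decoder each re-check the bound that matters to them rather than trusting the header.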