mirror of
https://codeberg.org/guix/guix.git
synced 2025-10-02 02:15:12 +00:00
f2c3ff8cba
* gnu/packages/audio.scm (audiofile): Update to 0.3.6. Change-Id: I2dda621f60c27e02b1513e2d89a138136a1633ca Signed-off-by: Ludovic Courtès <ludo@gnu.org>
83 lines
2.7 KiB
Diff
83 lines
2.7 KiB
Diff
commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
|
|
Author: Bastien Roucariès <rouca@debian.org>
|
|
Date: Sat Nov 11 15:58:50 2023 +0000
|
|
|
|
Fix CVE-2022-24599
|
|
|
|
Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
|
|
with a user declared string.
|
|
|
|
Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
|
|
for printf
|
|
|
|
Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
|
|
|
|
Before under valgrind:
|
|
libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
|
|
|
|
Duration -inf seconds
|
|
==896222== Invalid read of size 1
|
|
==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
|
|
==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
|
|
==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
|
|
==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
|
|
==896222== by 0x10985C: printf (stdio2.h:86)
|
|
==896222== by 0x10985C: printfileinfo (printinfo.c:134)
|
|
==896222== by 0x10930A: main (sfinfo.c:113)
|
|
==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
|
|
==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
|
|
==896222== by 0x109825: copyrightstring (printinfo.c:163)
|
|
==896222== by 0x109825: printfileinfo (printinfo.c:131)
|
|
==896222== by 0x10930A: main (sfinfo.c:113)
|
|
==896222==
|
|
Copyright C
|
|
|
|
After:
|
|
Duration -inf seconds
|
|
Copyright C
|
|
|
|
diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
|
|
index 60e6947..f5cf925 100644
|
|
--- a/sfcommands/printinfo.c
|
|
+++ b/sfcommands/printinfo.c
|
|
@@ -37,6 +37,7 @@
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
+#include <limits.h>
|
|
|
|
static char *copyrightstring (AFfilehandle file);
|
|
|
|
@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
|
|
int i, misccount;
|
|
|
|
misccount = afGetMiscIDs(file, NULL);
|
|
- miscids = (int *) malloc(sizeof (int) * misccount);
|
|
+ if(!misccount)
|
|
+ return NULL;
|
|
+ miscids = (int *) calloc(misccount, sizeof(int));
|
|
+ if(!miscids)
|
|
+ return NULL;
|
|
afGetMiscIDs(file, miscids);
|
|
|
|
for (i=0; i<misccount; i++)
|
|
@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
|
|
If this code executes, the miscellaneous chunk is a
|
|
copyright chunk.
|
|
*/
|
|
- int datasize = afGetMiscSize(file, miscids[i]);
|
|
- char *data = (char *) malloc(datasize);
|
|
+ size_t datasize = afGetMiscSize(file, miscids[i]);
|
|
+ if(datasize >= INT_MAX -1 ) {
|
|
+ goto error;
|
|
+ }
|
|
+ char *data = (char *) calloc(datasize + 1, 1);
|
|
afReadMisc(file, miscids[i], data, datasize);
|
|
copyright = data;
|
|
break;
|
|
}
|
|
-
|
|
+error:
|
|
free(miscids);
|
|
|
|
return copyright;
|