diff --git a/backport-CVE-2021-3246.patch b/backport-CVE-2021-3246.patch new file mode 100644 index 0000000000000000000000000000000000000000..1fa7a6b0cf10f51ce3c6264115d7082f5c553b02 --- /dev/null +++ b/backport-CVE-2021-3246.patch @@ -0,0 +1,38 @@ +From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001 +From: bobsayshilol +Date: Thu, 18 Feb 2021 21:52:09 +0000 +Subject: [PATCH] ms_adpcm: Fix and extend size checks + +'blockalign' is the size of a block, and each block contains 7 samples +per channel as part of the preamble, so check against 'samplesperblock' +rather than 'blockalign'. Also add an additional check that the block +is big enough to hold the samples it claims to hold. + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803 +--- + src/ms_adpcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + + +diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c +index 5e8f1a316..a21cb9941 100644 +--- a/src/ms_adpcm.c ++++ b/src/ms_adpcm.c +@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) + if (psf->file.mode == SFM_WRITE) + samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ; + +- if (blockalign < 7 * psf->sf.channels) +- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ; ++ /* There's 7 samples per channel in the preamble of each block */ ++ if (samplesperblock < 7 * psf->sf.channels) ++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ; ++ return SFE_INTERNAL ; ++ } ; ++ ++ if (2 * blockalign < samplesperblock * psf->sf.channels) ++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ; + return SFE_INTERNAL ; + } ; + + diff --git a/libsndfile.spec b/libsndfile.spec index 757dfde8a39b0916a2b3e0487c23cbf0784d8416..b24ae7208559bf6bcecca6abd1b916a8d739fc05 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,6 +1,6 @@ Name: libsndfile Version: 1.0.28 -Release: 18 +Release: 19 Summary: Library for reading and writing sound files License: LGPLv2+ and GPLv2+ and BSD URL: http://www.mega-nerd.com/libsndfile/ @@ -21,6 +21,7 @@ Patch6003: libsndfile-1.0.28-CVE-2019-3832.patch Patch6004: libsndfile-1.0.28-CVE-2017-17456-CVE-2017-17457-CVE-2018-19661-CVE-2018-19662.patch Patch6005: libsndfile-1.0.28-CVE-2017-14634.patch Patch6006: libsndfile-1.0.28-CVE-2017-8362.patch +Patch6007: backport-CVE-2021-3246.patch %description Libsndfile is a C library for reading and writing files containing @@ -127,6 +128,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %{_mandir}/man1/sndfile-salvage.1* %changelog +* Thu Sep 23 2021 zhouwenpei - 1.0.28-19 +- fix CVE-2021-3246 + * Mon Feb 03 2020 chenmaodong - 1.0.28-18 - Type:cves - ID:CVE-2017-8362