diff --git a/0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch b/0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch new file mode 100644 index 0000000000000000000000000000000000000000..665cb42f691d8bd93e7df632a97a99a89946b70c --- /dev/null +++ b/0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch @@ -0,0 +1,43 @@ +From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 10 Oct 2023 16:10:34 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation + +The clang sanitizer warns of a possible signed integer overflow when +calculating the `dataend` value in `mat4_read_header()`. + +``` +src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in +src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in +``` + +Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of +`dataend` before performing the calculation, to avoid the issue. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/789 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart +--- + src/mat4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 0b1b414b..575683ba 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + +-- +2.25.1 + diff --git a/ChangeLog b/ChangeLog index 62576177c6d10ff1608bf0d73aca5b4e9309016e..32a2cb7af084089a0bdc8b46b714887ff0769199 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2023-12-04 Erik de Castro Lopo + + * src/mat4.c + 修复了编号为CVE-2022-33065的漏洞,该漏洞位于src/mat4.c,存在符号整数溢出. + --lizihhao <2665233825@qq.com> Mon, 04 Dec 2023 20:44:12 +0800 + 2013-04-05 Erik de Castro Lopo * Makefile.am diff --git a/src/mat4.c b/src/mat4.c index 3c73680e8a788c76e44dd774e4486358d3c543dd..e2f98b7d23c2c95dff2ffe52bd8904815d393e70 100644 --- a/src/mat4.c +++ b/src/mat4.c @@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; } else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) - psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; + psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;