Diffstat (limited to 'gnu/packages/patches/audiofile-CVE-2022-24599.patch')
-rw-r--r-- | gnu/packages/patches/audiofile-CVE-2022-24599.patch | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/gnu/packages/patches/audiofile-CVE-2022-24599.patch b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
new file mode 100644
index 0000000000..9299f6ea82
--- /dev/null
+++ b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
@@ -0,0 +1,83 @@
+commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
+Author: Bastien Roucariès <rouca@debian.org>
+Date: Sat Nov 11 15:58:50 2023 +0000
+
+ Fix CVE-2022-24599
+
+ Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+ with a user declared string.
+
+ Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+ for printf
+
+ Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+ Before under valgrind:
+ libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
+
+ Duration -inf seconds
+ ==896222== Invalid read of size 1
+ ==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
+ ==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+ ==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+ ==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
+ ==896222== by 0x10985C: printf (stdio2.h:86)
+ ==896222== by 0x10985C: printfileinfo (printinfo.c:134)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+ ==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
+ ==896222== by 0x109825: copyrightstring (printinfo.c:163)
+ ==896222== by 0x109825: printfileinfo (printinfo.c:131)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222==
+ Copyright C
+
+ After:
+ Duration -inf seconds
+ Copyright C
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+
+ static char *copyrightstring (AFfilehandle file);
+
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ int i, misccount;
+
+ misccount = afGetMiscIDs(file, NULL);
+- miscids = (int *) malloc(sizeof (int) * misccount);
++ if(!misccount)
++ return NULL;
++ miscids = (int *) calloc(misccount, sizeof(int));
++ if(!miscids)
++ return NULL;
+ afGetMiscIDs(file, miscids);
+
+ for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+ If this code executes, the miscellaneous chunk is a
+ copyright chunk.
+ */
+- int datasize = afGetMiscSize(file, miscids[i]);
+- char *data = (char *) malloc(datasize);
++ size_t datasize = afGetMiscSize(file, miscids[i]);
++ if(datasize >= INT_MAX -1 ) {
++ goto error;
++ }
++ char *data = (char *) calloc(datasize + 1, 1);
+ afReadMisc(file, miscids[i], data, datasize);
+ copyright = data;
+ break;
+ }
+-
++error:
+ free(miscids);
+
+ return copyright;
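Review bot: The `data` buffer from `calloc(datasize + 1, 1)` in the second inner hunk is never checked before `afReadMisc(file, miscids[i], data, datasize)` writes into it, even though the `miscids` allocation a few lines earlier now gets an `if(!miscids) return NULL;` guard; an allocation failure on a large declared chunk size becomes a NULL dereference inside the library. Adding `if(!data) goto error;` right after the calloc reuses the cleanup path the patch introduces (the `error:` label frees `miscids` and returns `copyright`, presumably still NULL at that point). The `datasize >= INT_MAX -1` guard also rejects a negative return from afGetMiscSize if that function returns a signed int (it would wrap to a huge size_t), but that protection rests on an implicit conversion and deserves a one-line comment such as `/* also rejects a negative (error) size wrapped to size_t */`. The valgrind trace quoted in the patch description shows a 1-byte invalid read just past a heap block feeding printf's strlen, i.e. a heap over-read, not the memory leak named in the first message line. copyrightstring's signature and the start of its body lie outside the quoted inner hunks.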