community/sox/CVE-2019-8355.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Wed, 24 Apr 2019 17:39:45 +0100
Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
 (CVE-2019-8355)

---
 src/Makefile.am |  2 +-
 src/xmalloc.c   | 10 ++++++++++
 src/xmalloc.h   |  5 +++--
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 42573ec5..d5f6d125 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
 
 libsox_la_CFLAGS = @WARN_CFLAGS@
 libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
-  -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+  -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
 
 if HAVE_WIN32_LTDL
   libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
diff --git a/src/xmalloc.c b/src/xmalloc.c
index 56fe6944..72c9ea4d 100644
--- a/src/xmalloc.c
+++ b/src/xmalloc.c
@@ -57,6 +57,16 @@ void *lsx_calloc(size_t n, size_t size)
   return lsx_checkptr(calloc(n + !n, size + !size));
 }
 
+void *lsx_realloc_array(void *p, size_t n, size_t size)
+{
+  if (n > (size_t)-1 / size) {
+    lsx_fail("malloc size overflow");
+    exit(2);
+  }
+
+  return lsx_realloc(p, n * size);
+}
+
 char *lsx_strdup(const char *s)
 {
   return lsx_checkptr(strdup(s));
diff --git a/src/xmalloc.h b/src/xmalloc.h
index 92ac64d9..21ff6630 100644
--- a/src/xmalloc.h
+++ b/src/xmalloc.h
@@ -25,11 +25,12 @@
 
 LSX_RETURN_VALID void *lsx_malloc(size_t size);
 LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
+LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
 LSX_RETURN_VALID char *lsx_strdup(const char *s);
 
 #define lsx_Calloc(v,n)  v = lsx_calloc(n,sizeof(*(v)))
 #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
-#define lsx_valloc(v,n)  v = lsx_malloc((n)*sizeof(*(v)))
-#define lsx_revalloc(v,n)  v = lsx_realloc(v, (n)*sizeof(*(v)))
+#define lsx_valloc(v,n)  v = lsx_realloc_array(NULL, n, sizeof(*(v)))
+#define lsx_revalloc(v,n)  v = lsx_realloc_array(v, n, sizeof(*(v)))
 
 #endif
-- 
2.22.0