diff options
Diffstat (limited to 'poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch')
-rw-r--r-- | poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch @@ -0,0 +1,36 @@ +From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001 +From: bobsayshilol <bobsayshilol@live.co.uk> +Date: Wed, 17 Feb 2021 23:21:48 +0000 +Subject: [PATCH 1/2] wavlike: Fix incorrect size check + +The SF_CART_INFO_16K struct has an additional 4 byte field to hold +the size of 'tag_text' which the file header doesn't, so don't +include it as part of the check when looking for the max length. + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026 + +Upstream-Status: Backport +CVE: CVE-2021-3246 patch 1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/wavlike.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: libsndfile-1.0.28/src/wavlike.c +=================================================================== +--- libsndfile-1.0.28.orig/src/wavlike.c ++++ libsndfile-1.0.28/src/wavlike.c +@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf + return 0 ; + } ; + +- if (chunksize >= sizeof (SF_CART_INFO_16K)) ++ /* ++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part ++ ** of the chunk, so don't include it in the size check. ++ */ ++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) + { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ; + psf_binheader_readf (psf, "j", chunksize) ; + return 0 ; |