Skip to content
Permalink
Browse files

a/ulaw: fix multiple buffer overflows (#432)

i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).
  • Loading branch information...
hlef authored and erikd committed Dec 24, 2018
1 parent ba8a757 commit 8ddc442d539ca775d80cdbc7af17a718634a743f
Showing with 14 additions and 4 deletions.
  1. +7 −2 src/alaw.c
  2. +7 −2 src/ulaw.c
@@ -19,6 +19,7 @@
#include "sfconfig.h"

#include <math.h>
#include <limits.h>

#include "sndfile.h"
#include "common.h"
@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2alaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
{ if (ptr [count] >= 0)
{ if (ptr [count] == INT_MIN)
buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
else if (ptr [count] >= 0)
buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
else
buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
{ if (ptr [count] >= 0)
{ if (!isfinite (ptr [count]))
buffer [count] = 0 ;
else if (ptr [count] >= 0)
buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
@@ -19,6 +19,7 @@
#include "sfconfig.h"

#include <math.h>
#include <limits.h>

#include "sndfile.h"
#include "common.h"
@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
{ if (ptr [count] >= 0)
{ if (ptr [count] == INT_MIN)
buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
else
buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
{ if (ptr [count] >= 0)
{ if (!isfinite (ptr [count]))
buffer [count] = 0 ;
else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;

2 comments on commit 8ddc442

@hlef

This comment has been minimized.

Copy link
Contributor Author

replied Dec 24, 2018

Typo in commit message: "f2ulaw_array() and f2alaw_array()" should be "d2ulaw_array() and d2alaw_array()".

That being said, f2ulaw_array() and f2alaw_array() might actually need a similar fix. I will prepare a PR.

@erikd

This comment has been minimized.

Copy link
Owner

replied Dec 26, 2018

It is possible to edit commit messages. Its documented the Git book: https://git-scm.com/book/en/v2

Feel free to add related fixes to this PR.

Please sign in to comment.
You can’t perform that action at this time.