32 lines
1.1 KiB
Plaintext
32 lines
1.1 KiB
Plaintext
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
|
Date: Tue, 1 Jan 2019 20:11:46 +1100
|
|
Subject: src/wav.c: Fix heap read overflow
|
|
|
|
This is CVE-2018-19758.
|
|
|
|
Closes: https://github.com/erikd/libsndfile/issues/435
|
|
---
|
|
src/wav.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/wav.c b/src/wav.c
|
|
index 4b943dc..59015a1 100644
|
|
--- src/wav.c
|
|
+++ src/wav.c
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
|
|
+** Copyright (C) 1999-2019 Erik de Castro Lopo <erikd@mega-nerd.com>
|
|
** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
|
|
**
|
|
** This program is free software; you can redistribute it and/or modify
|
|
@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
|
|
psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
|
|
psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
|
|
|
|
+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
|
|
+ psf->instrument->loop_count &= 0x7fff ;
|
|
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
|
|
{ int type ;
|
|
|