blob: cdd66e67f725e9389864b756a798311d39f9f471 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
This CVE is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
Upstream-Status: Backport
[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
CVE: CVE-2018-11439
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d0450..07ea9dc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
if(!metadataHeader.startsWith("fLaC")) {
// FLAC 1.1.2+
+ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+ if(metadataHeader.size() < 13)
+ return;
+
+ if(metadataHeader[0] != 0x7f)
+ return;
+
if(metadataHeader.mid(1, 4) != "FLAC")
return;
- if(metadataHeader[5] != 1)
- return; // not version 1
+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+ return; // not version 1.0
+
+ if(metadataHeader.mid(9, 4) != "fLaC")
+ return;
metadataHeader = metadataHeader.mid(13);
}
--
2.7.4
|
