Attachment 14204 Details for Bug 32608 – 0014-Partial-fix-of-CVE-2019-13147.patch

[patch] 0014-Partial-fix-of-CVE-2019-13147.patch

0014-Partial-fix-of-CVE-2019-13147.patch (text/plain), 2.23 KB, created by Philippe Didier on 2023-12-09 15:39:48 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Philippe Didier

Created: 2023-12-09 15:39:48 CET

Size: 2.23 KB

patch

obsolete

>From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
>Date: Sat, 11 Nov 2023 17:42:03 +0000
>Subject: Partial fix of CVE-2019-13147
>
>This fix the symptom do not allow to allocate negative memory:
>==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
>==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
>==129695==If you don't like this behavior set allocator_may_return_null=1
>==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
>    #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
>    #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
>    #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
>    #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
>    #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
>    #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
>    #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
>    #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>    #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
>
>If negative bail out
>
>bug: https://github.com/mpruett/audiofile/issues/54
>forwarded: https://github.com/mpruett/audiofile/issues/54
>bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
>bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
>---
> sfcommands/sfconvert.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
>index 367f7a5..400d485 100644
>--- a/sfcommands/sfconvert.c
>+++ b/sfcommands/sfconvert.c
>@@ -349,7 +349,8 @@ void printversion (void)
> bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
> {
> 	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
>-
>+	if(frameSize <= 0)
>+		return false;
> 	int kBufferFrameCount = 65536;
> 	int bufferSize;
> 	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))

From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Sat, 11 Nov 2023 17:42:03 +0000
Subject: Partial fix of CVE-2019-13147

This fix the symptom do not allow to allocate negative memory:
==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
==129695==If you don't like this behavior set allocator_may_return_null=1
==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
    #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
    #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
    #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
    #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
    #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
    #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
    #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)

If negative bail out

bug: https://github.com/mpruett/audiofile/issues/54
forwarded: https://github.com/mpruett/audiofile/issues/54
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
---
 sfcommands/sfconvert.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 367f7a5..400d485 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -349,7 +349,8 @@ void printversion (void)
 bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
 {
 	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
-
+	if(frameSize <= 0)
+		return false;
 	int kBufferFrameCount = 65536;
 	int bufferSize;
 	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))

Actions: View | Diff

Attachments on bug 32608: 14203 | 14204