commit 42132c543358cee9f7c3e9e9b15bb6c1063a608e
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue Jan 1 20:11:46 2019 +1100
src/wav.c: Fix heap read overflow
This is CVE-2018-19758.
Closes: https://github.com/erikd/libsndfile/issues/435
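--- a/src/wav.c
+++ b/src/wav.c
@@ -1146,6 +1146,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
 psf_binheader_writef (psf, "44", BHW4 (0), BHW4 (0)) ; /* SMTPE format */
 psf_binheader_writef (psf, "44", BHW4 (psf->instrument->loop_count), BHW4 (0)) ;
 
+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+ psf->instrument->loop_count &= 0x7fff ;
 for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
 { int type ;
 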
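Review bot: Masking `loop_count` with `0x7fff` still lets the `for` loop run up to 32767 iterations, so if the loop body (which continues outside this hunk) reads `psf->instrument->loops [tmp]`, any count larger than that array's length continues to read past its end. If the field is signed, the mask also turns a negative count, which would presumably have skipped the loop before, into a large positive one (-1 becomes 32767). Clamp to the array instead, e.g. `if (psf->instrument->loop_count < 0) psf->instrument->loop_count = 0 ;` followed by `if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;`. The clamp also belongs before the `psf_binheader_writef` call that writes `BHW4 (psf->instrument->loop_count)`, because as placed the header can record a count that differs from the number of loop entries actually emitted.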