[CVE-2018-10393] heap buffer overflow

author Sejun Park <sejun79.park@samsung.com>

Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)

committer Sejun Park <sejun79.park@samsung.com>

Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)
author Sejun Park <sejun79.park@samsung.com>
Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)
committer Sejun Park <sejun79.park@samsung.com>
Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)
diff --git a/lib/codec_internal.h b/lib/codec_internal.h

index de1bcca..fab58d5 100644 (file)
--- a/lib/codec_internal.h
+++ b/lib/codec_internal.h
@@ -27,6 +27,7 @@
  #define BLOCKTYPE_LONG       1
  
  #define PACKETBLOBS 15
+#define MAX_CHANNEL 8
  
  typedef struct vorbis_block_internal{
    float  **pcmdelay;  /* this is a pointer into local storage */
diff --git a/lib/mapping0.c b/lib/mapping0.c

index 7d279a8..a4c0f6d 100644 (file)
--- a/lib/mapping0.c
+++ b/lib/mapping0.c
@@ -244,6 +244,8 @@ static int mapping0_forward(vorbis_block *vb){
    int                    n=vb->pcmend;
    int i,j,k;
  
+  if (vi->channels > MAX_CHANNEL || vi->channels < 0) return -1;
+
    int    *nonzero    = alloca(sizeof(*nonzero)*vi->channels);
    float  **gmdct     = _vorbis_block_alloc(vb,vi->channels*sizeof(*gmdct));
    int    **iwork      = _vorbis_block_alloc(vb,vi->channels*sizeof(*iwork));
author	Sejun Park <sejun79.park@samsung.com>
	Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)
committer	Sejun Park <sejun79.park@samsung.com>
	Tue, 29 May 2018 00:49:33 +0000 (09:49 +0900)
lib/codec_internal.h		patch \| blob \| history
lib/mapping0.c		patch \| blob \| history