| /[pkg-src]/trunk/audiofile/patches/audiofile-0.3.6-Check-for-multiplication-overflow-in-sfconvert.patch |
Annotation of /trunk/audiofile/patches/audiofile-0.3.6-Check-for-multiplication-overflow-in-sfconvert.patch
Parent Directory
| 
Revision Log
Revision 3077 -
(hide annotations)
(download)
Mon Jan 22 12:38:50 2018 UTC (6 years, 4 months ago) by niro
File size: 1975 byte(s)
Mon Jan 22 12:38:50 2018 UTC (6 years, 4 months ago) by niro
File size: 1975 byte(s)
-added several security and build fixes
| 1 | niro | 3077 | From: Antonio Larrosa <larrosa@kde.org> |
| 2 | Date: Mon, 6 Mar 2017 13:54:52 +0100 | ||
| 3 | Subject: Check for multiplication overflow in sfconvert | ||
| 4 | |||
| 5 | Checks that a multiplication doesn't overflow when | ||
| 6 | calculating the buffer size, and if it overflows, | ||
| 7 | reduce the buffer size instead of failing. | ||
| 8 | |||
| 9 | This fixes the 00192-audiofile-signintoverflow-sfconvert case | ||
| 10 | in #41 | ||
| 11 | --- | ||
| 12 | sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- | ||
| 13 | 1 file changed, 32 insertions(+), 2 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c | ||
| 16 | index 80a1bc4..970a3e4 100644 | ||
| 17 | --- a/sfcommands/sfconvert.c | ||
| 18 | +++ b/sfcommands/sfconvert.c | ||
| 19 | @@ -45,6 +45,33 @@ void printusage (void); | ||
| 20 | void usageerror (void); | ||
| 21 | bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); | ||
| 22 | |||
| 23 | +int firstBitSet(int x) | ||
| 24 | +{ | ||
| 25 | + int position=0; | ||
| 26 | + while (x!=0) | ||
| 27 | + { | ||
| 28 | + x>>=1; | ||
| 29 | + ++position; | ||
| 30 | + } | ||
| 31 | + return position; | ||
| 32 | +} | ||
| 33 | + | ||
| 34 | +#ifndef __has_builtin | ||
| 35 | +#define __has_builtin(x) 0 | ||
| 36 | +#endif | ||
| 37 | + | ||
| 38 | +int multiplyCheckOverflow(int a, int b, int *result) | ||
| 39 | +{ | ||
| 40 | +#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) | ||
| 41 | + return __builtin_mul_overflow(a, b, result); | ||
| 42 | +#else | ||
| 43 | + if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits | ||
| 44 | + return true; | ||
| 45 | + *result = a * b; | ||
| 46 | + return false; | ||
| 47 | +#endif | ||
| 48 | +} | ||
| 49 | + | ||
| 50 | int main (int argc, char **argv) | ||
| 51 | { | ||
| 52 | if (argc == 2) | ||
| 53 | @@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) | ||
| 54 | { | ||
| 55 | int frameSize = afGetVirtualFrameSize(infile, trackid, 1); | ||
| 56 | |||
| 57 | - const int kBufferFrameCount = 65536; | ||
| 58 | - void *buffer = malloc(kBufferFrameCount * frameSize); | ||
| 59 | + int kBufferFrameCount = 65536; | ||
| 60 | + int bufferSize; | ||
| 61 | + while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) | ||
| 62 | + kBufferFrameCount /= 2; | ||
| 63 | + void *buffer = malloc(bufferSize); | ||
| 64 | |||
| 65 | AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); | ||
| 66 | AFframecount totalFramesWritten = 0; |