Closed utkarsh2102 closed 3 years ago
Here's the entire diff that I've backported (fixing CVE-2016-10169, CVE-2018-19840, CVE-2019-1010319, and CVE-2020-35738).
--- a/src/words.c
+++ b/src/words.c
@@ -1146,6 +1146,10 @@
low &= 0x7fffffff;
high &= 0x7fffffff;
+
+ if (low > high) // make sure high and low make sense
+ high = low;
+
mid = (high + low + 1) >> 1;
if (!c->error_limit)
--- a/src/wputils.c
+++ b/src/wputils.c
@@ -947,6 +947,21 @@
int num_chans = config->num_channels;
int i;
+ if (config->sample_rate <= 0) {
+ strcpy (wpc->error_message, "sample rate cannot be zero or negative!");
+ return FALSE;
+ }
+
+ if (num_chans <= 0 || num_chans > NEW_MAX_STREAMS * 2) {
+ strcpy (wpc->error_message, "invalid channel count!");
+ return FALSE;
+ }
+
+ if (config->block_samples && (config->block_samples < 16 || config->block_samples > 131072)) {
+ strcpy (wpc->error_message, "invalid custom block samples!");
+ return FALSE;
+ }
+
wpc->total_samples = total_samples;
wpc->config.sample_rate = config->sample_rate;
wpc->config.num_channels = config->num_channels;
@@ -1096,10 +1111,10 @@
else
wpc->block_samples = wpc->config.sample_rate;
- while (wpc->block_samples * wpc->config.num_channels > 150000)
+ while ((int64_t) wpc->block_samples * wpc->config.num_channels > 150000)
wpc->block_samples /= 2;
- while (wpc->block_samples * wpc->config.num_channels < 40000)
+ while ((int64_t) wpc->block_samples * wpc->config.num_channels < 40000)
wpc->block_samples *= 2;
if (wpc->config.block_samples) {
Oops, I guess I should have looked at this issue first. But some of my comments on the other issue still apply. This patch is fine.
As to CVE-2018-19841, yes, that code is checking the block checksums that were added with version 5.0.0, so no equivalent code existed before that.
Oops, I guess I should have looked at this issue first.
Woah, this is my bad. There was a glitch while I was opening this issue and it now seems like it got opened twice by me. Apologies for this and the noise! 😞
As to CVE-2018-19841, yes, that code is checking the block checksums that were added with version 5.0.0, so no equivalent code existed before that.
Perfect, thank you so much for all your help again! I've fixed all the vulnerabilities in both Debian Jessie (v4.70.0) and Debian Stretch (v5.0.0).
The vulnerabilities in the later versions which are in the Debian archive are already fixed!
Hello @dbry,
I am incredibly thankful for your help for CVE-2020-35738 wrt 4.70.0. As mentioned there already, I am fixing all the pending security vulnerabilities for Debian ELTS which is at version 4.70.0.
I have carefully reviewed and backported all that I could find. Here's my take on this:
src/read_words.c
of the fixing commit. The initial hunk wasn't a part of the older version.CLEAR (WaveHeader);
was already in v4.70.0. So I guess this is not affecting that version. Right?If you have some time (and can take a quick look at this), could you help me verify that this is indeed correct? Based on this, I'll also backport to v5.0.0, where some of these are already fixed.