Package: sox / 14.4.2+git20190427-5

0018-CVE-2019-13590.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 
From: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Date: Sat, 11 Nov 2023 18:18:40 +0100
Subject: CVE-2019-13590

---
 src/sox-fmt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sox-fmt.c b/src/sox-fmt.c
index aad965c..11c8877 100644
--- a/src/sox-fmt.c
+++ b/src/sox-fmt.c
@@ -46,7 +46,9 @@ static int startread(sox_format_t * ft)
       lsx_readdw(ft, &comments_bytes))
     return SOX_EOF;
 
-  if (((headers_bytes + 4) & 7) || headers_bytes < FIXED_HDR + comments_bytes ||
+  if (((headers_bytes + 4) & 7) ||
+      comments_bytes > 0x40000000 || /* max 1 GB */
+      headers_bytes < FIXED_HDR + comments_bytes ||
       (num_channels > 65535)) /* Reserve top 16 bits */ {
     lsx_fail_errno(ft, SOX_EHDR, "invalid sox file format header");
     return SOX_EOF;