shithub: sox

Info  •  Files  •  Log  •  Branches

xa: validate channel count (CVE-2017-18189)

A corrupt header specifying zero channels would send read_channels()
into an infinite loop.  Prevent this by sanity checking the channel
count in open_read().  Also add an upper bound to prevent overflow
in multiplication.

--- a/src/xa.c

+++ b/src/xa.c

@@ -143,6 +143,12 @@

         lsx_report("User options overriding rate read in .xa header");

     }

+    if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {

+        lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",

+                       ft->signal.channels);

+        return SOX_EOF;

+    }

+

     /* Check for supported formats */

     if (ft->encoding.bits_per_sample != 16) {

         lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",