shithub: sox


ref: b7883ae1398499daaa926ae6621f088f0f531ed8
parent: f8587e2d50dad72d40453ac1191c539ee9e50381
author: Mans Rullgard <mans@mansr.com>
date: Wed Apr 24 12:56:42 EDT 2019

fft4g: bail if size too large (CVE-2019-8356)

Prevent overflowing of fixed-size buffers in bitrv2() and bitrv2conj()
if the transform size is too large.

--- a/src/fft4g.c
+++ b/src/fft4g.c
@@ -322,6 +322,9 @@
 
 void cdft(int n, int isgn, double *a, int *ip, double *w)
 {
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     if (n > (ip[0] << 2)) {
         makewt(n >> 2, ip, w);
     }
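Review bot: The new guard at the top of cdft() returns without touching `a` and, because the function is void, gives the caller no indication that the transform was skipped. The same early return is added in the five following hunks of this file. A caller that passes an oversized `n` would continue with untransformed data, so every call site (none are visible in this diff) should compare the requested size with `FFT4G_MAX_SIZE` itself and report an error before calling. At minimum, document the contract at each guard, e.g. `/* n exceeds the fixed work-buffer limit: a[] is left unmodified; callers must validate n */`. Since the identical two-line check appears six times, a single shared helper or macro would keep the limit check from diverging between entry points.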
@@ -344,6 +347,9 @@
     int nw, nc;
     double xi;
     
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     nw = ip[0];
     if (n > (nw << 2)) {
         nw = n >> 2;
@@ -384,6 +390,9 @@
     int j, nw, nc;
     double xr;
     
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     nw = ip[0];
     if (n > (nw << 2)) {
         nw = n >> 2;
@@ -435,6 +444,9 @@
     int j, nw, nc;
     double xr;
     
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     nw = ip[0];
     if (n > (nw << 2)) {
         nw = n >> 2;
@@ -486,6 +498,9 @@
     int j, k, l, m, mh, nw, nc;
     double xr, xi, yr, yi;
     
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     nw = ip[0];
     if (n > (nw << 3)) {
         nw = n >> 3;
@@ -576,6 +591,9 @@
     int j, k, l, m, mh, nw, nc;
     double xr, xi, yr, yi;
     
+    if (n > FFT4G_MAX_SIZE)
+        return;
+
     nw = ip[0];
     if (n > (nw << 3)) {
         nw = n >> 3;
--- a/src/fft4g.h
+++ b/src/fft4g.h
@@ -13,6 +13,8 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  */
 
+#define FFT4G_MAX_SIZE 262144
+
 void lsx_cdft(int, int, double *, int *, double *);
 void lsx_rdft(int, int, double *, int *, double *);
 void lsx_ddct(int, int, double *, int *, double *);
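Review bot: `FFT4G_MAX_SIZE` is introduced as the bare number 262144 with no comment saying what it bounds or where the value comes from. The commit message ties it to fixed-size buffers in bitrv2() and bitrv2conj(), which are not part of this diff, so nothing here keeps the constant and those buffer sizes in step if either is edited later. I would add a comment such as `/* Largest n accepted by the transforms below; limited by the fixed-size work arrays in bitrv2()/bitrv2conj() in fft4g.c */`. If the relation between the two sizes can be expressed as a constant expression, a compile-time assertion next to the arrays would make a future mismatch a build failure rather than a memory-safety regression.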