From cd44bfaf3708e778c8670cb7f707a597c3334376 Mon Sep 17 00:00:00 2001
From: Alex Stewart
Date: Tue, 17 Oct 2023 11:50:53 -0400
Subject: [PATCH 14/17] nms_adpcm: fix int overflow in sf.frames calc

When calculating sf.frames from the blocks_total PNMS variable, it is theoretically possible to overflow the blocks_total int boundaries, leading to undefined behavior. Cast blocks_total to a long-sized sf_count_t before the calculation, to provide it with enough numeric space and because that is the final typing regardless.

CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-10.patch?h=ubuntu/jammy-security Upstream commit https://github.com/libsndfile/libsndfile/commit/cd44bfaf3708e778c8670cb7f707a597c3334376]
CVE: CVE-2022-33065
Signed-off-by: Vijay Anusuri
---
 src/nms_adpcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
index dca85f0b0..61d171c73 100644
--- a/src/nms_adpcm.c
+++ b/src/nms_adpcm.c
@@ -1090,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf)
 else
 pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;
- psf->sf.frames = pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+ psf->sf.frames = (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
 psf->codec_close = nms_adpcm_close ;
 psf->seek = nms_adpcm_seek ;
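Review bot: The widening cast on the new `psf->sf.frames` line only protects the multiplication; the narrowing one line earlier, `pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;`, still stores the quotient of a wide `psf->datalength` (presumably `sf_count_t`, as the commit message implies) into `blocks_total`, which the message describes as an int, so a data chunk yielding more than `INT_MAX` blocks is silently truncated before the cast runs and the frame count is simply wrong rather than undefined. A range check on the quotient before that assignment, rejecting the file with whatever error `nms_adpcm_init` already returns for a malformed header, would close that path, and the same check belongs on the if-branch assignment to `blocks_total` that sits just above this hunk. The cast itself is sufficient for the product because the usual arithmetic conversions widen `NMS_SAMPLES_PER_BLOCK` to match the `sf_count_t` left operand. The enclosing function `nms_adpcm_init` starts and ends outside the hunk.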