Sophie

libsndfile-1.0.28-3.4.mga6.src.rpm

From: Takashi Iwai <tiwai@suse.de>
Subject: wav: Fix segfault due to invalid loop_count
References: CVE-2018-19758, bsc#1117954

The psf->instrument->loop_count can be over the actual loops array size,
and it leads to a segfault.

Just add the loop size fix to address it.

Signed-off-by: Takashi Iwai <tiwai@suse.de>

---
 src/wav.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/src/wav.c
+++ b/src/wav.c
@@ -1097,6 +1097,9 @@ wav_write_header (SF_PRIVATE *psf, int c
 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
 		{	int type ;
 
+			if (tmp >= ARRAY_LEN (psf->instrument->loops))
+				break;
+
 			type = psf->instrument->loops [tmp].mode ;
 			type = (type == SF_LOOP_FORWARD ? 0 : type == SF_LOOP_BACKWARD ? 2 : type == SF_LOOP_ALTERNATING ? 1 : 32) ;
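
Review bot: The bounds test added inside the loop (`if (tmp >= ARRAY_LEN (psf->instrument->loops)) break;`) stops the out-of-range read of `loops [tmp]`, but `psf->instrument->loop_count` itself is left unclamped, so any count or size field that the header derives from it outside this hunk would no longer match the number of loop records actually written. Consider clamping once before the `for`: take the smaller of `loop_count` and `ARRAY_LEN (psf->instrument->loops)` into a local, use it as the loop bound, and use the same local wherever else the header depends on the loop count. A short comment saying why the clamp exists (untrusted `loop_count` versus the fixed-size `loops` array) would also help future readers. Style: the surrounding code puts a space before the semicolon (`int type ;`), so `break;` should read `break ;`.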