File wavpack-CVE-2022-2476.patch of Package wavpack.25157
From 25b4a2725d8568212e7cf89ca05ca29d128af7ac Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Tue, 5 Jul 2022 18:58:19 -0700
Subject: [PATCH] issue #121: NULL pointer dereference in wvunpack.c
* check for NULL pointer before dereferencing in wvunpack.c
* sanitize custom extensions to be alphanumeric only
---
ChangeLog | 5 +++++
cli/wvunpack.c | 6 ++++--
src/open_utils.c | 10 ++++++++--
3 files changed, 17 insertions(+), 4 deletions(-)
Index: wavpack-5.4.0/cli/wvunpack.c
===================================================================
--- wavpack-5.4.0.orig/cli/wvunpack.c
+++ wavpack-5.4.0/cli/wvunpack.c
@@ -830,8 +830,10 @@ int main(int argc, char **argv)
// clean up in preparation for potentially another file
- if (outpath)
- *filespec_name (outfilename) = '\0';
+ if (outpath) {
+ if (filespec_name (outfilename))
+ *filespec_name (outfilename) = '\0';
+ }
else if (*outfilename != '-') {
free (outfilename);
outfilename = NULL;
Index: wavpack-5.4.0/src/open_utils.c
===================================================================
--- wavpack-5.4.0.orig/src/open_utils.c
+++ wavpack-5.4.0/src/open_utils.c
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <string.h>
+#include <ctype.h>
#include "wavpack_local.h"
@@ -796,8 +797,13 @@ static int process_metadata (WavpackCont
case ID_ALT_EXTENSION:
if (wpmd->byte_length && wpmd->byte_length < sizeof (wpc->file_extension)) {
- memcpy (wpc->file_extension, wpmd->data, wpmd->byte_length);
- wpc->file_extension [wpmd->byte_length] = 0;
+ int i, j;
+
+ for (i = j = 0; i < wpmd->byte_length; ++i)
+ if (isalnum (((char *) wpmd->data) [i]))
+ wpc->file_extension [j++] = ((char *) wpmd->data) [i];
+
+ wpc->file_extension [j] = 0;
}
return TRUE;
