File timidity-resample-frac-overflow-fix.patch of Package timidity
From: Takashi Iwai <tiwai@suse.de>
Subject: resample: Fix out-of-bound access in resamplers
References: CVE-2017-11547
An adhoc fix for out-of-bound accesses in resamples.
The offset might overflow the given data range.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
--- a/timidity/resample.c
+++ b/timidity/resample.c
@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r
{
int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = src[ofsi];
v2 = src[ofsi + 1];
@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t *
{
int32 ofsi, ofsf, v0, v1, v2, v3;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = (int32)src[ofsi];
v2 = (int32)src[ofsi + 1];
@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec
sample_t *sptr;
int32 left, right, temp_n;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
left = (ofs>>FRACTION_BITS);
right = (rec->data_length>>FRACTION_BITS) - left - 1;
temp_n = (right<<1)-1;
@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re
int32 left, right, temp_n;
int ii, jj;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
left = (ofs>>FRACTION_BITS);
right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
temp_n = (right<<1)-1;
@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re
{
int32 v1, v2, ofsi;
+ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+ return src[ofs >> FRACTION_BITS];
ofsi = ofs >> FRACTION_BITS;
v1 = src[ofsi];
v2 = src[ofsi + 1];