wav_io: check for EOF when seeking in wav

2022-06-20 14:49:10 +08:00 · 2022-06-20 14:49:10 +08:00 · 9e764a8200
commit 9e764a8200
parent ea9e1391aa
2 changed files with 67 additions and 1 deletions
--- a/backport-wav_io-check-for-EOF-when-seeking-in-wav.patch
+++ b/backport-wav_io-check-for-EOF-when-seeking-in-wav.patch
@ -0,0 +1,59 @@
+From bdc392257c330e49872a5217dfb56becd1ee8f45 Mon Sep 17 00:00:00 2001
+From: Tristan Matthews <tmatth@videolan.org>
+Date: Tue, 11 Sep 2018 05:12:53 -0400
+Subject: [PATCH] wav_io: check for EOF when seeking in wav
+
+Fixes hang discovered by fuzzing: https://github.com/xiph/speex/issues/9
+---
+ src/wav_io.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/wav_io.c b/src/wav_io.c
+index c2e2bc85..b5183015 100644
+--- a/src/wav_io.c
+++ b/src/wav_io.c
+@@ -75,8 +75,11 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+       itmp = le_int(itmp);
+       /*fprintf (stderr, "skip=%d\n", itmp);*/
+       /*strange way of seeking, but it works even for pipes*/
+-      for (i=0;i<itmp;i++)
+-         fgetc(file);
+      for (i=0;i<itmp;i++) {
+        if (fgetc(file) == EOF) {
+          break;
+        }
+      }
+       /*fseek(file, itmp, SEEK_CUR);*/
+       fread(ch, 1, 4, file);
+       if (feof(file))
+@@ -152,9 +155,13 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+ 
+ 
+    /*strange way of seeking, but it works even for pipes*/
+-   if (skip_bytes>0)
+-      for (i=0;i<skip_bytes;i++)
+-         fgetc(file);
+   if (skip_bytes>0) {
+      for (i=0;i<skip_bytes;i++) {
+        if (fgetc(file) == EOF) {
+          break;
+        }
+      }
+   }
+ 
+    /*fseek(file, skip_bytes, SEEK_CUR);*/
+ 
+@@ -164,8 +171,11 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+       fread(&itmp, 4, 1, file);
+       itmp = le_int(itmp);
+       /*strange way of seeking, but it works even for pipes*/
+-      for (i=0;i<itmp;i++)
+-         fgetc(file);
+      for (i=0;i<itmp;i++) {
+        if (fgetc(file) == EOF) {
+          break;
+        }
+      }
+       /*fseek(file, itmp, SEEK_CUR);*/
+       fread(ch, 1, 4, file);
+       if (feof(file))
--- a/speex.spec
+++ b/speex.spec
@ -1,6 +1,6 @@
 Name:		speex
 Version:	1.2.0
-Release:	6
+Release:	7
 Summary:	A Free Codec For Free Speech
 License:	BSD
 URL:		https://www.speex.org/
@ -8,6 +8,7 @@ Source0:	http://downloads.us.xiph.org/releases/speex/%{name}-%{version}.tar.gz

 Patch6000: backport-math_approx-use-unsigned-int-for-LCG-pseudorandom-ge.patch
 Patch6001: backport-CVE-2020-23903.patch
+Patch6002: backport-wav_io-check-for-EOF-when-seeking-in-wav.patch

 BuildRequires: gcc git pkgconfig(ogg) pkgconfig(speexdsp)

@ -70,6 +71,12 @@ This package is the development and  files for speex.
 %{_mandir}/man1/speexdec.1.gz

 %changelog
+* Mon Jun 20 2022 shixuantong<shixuantong@h-partners.com> - 1.2.0-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:check for EOF when seeking in wav
+
 * Mon Jun 06 2022 shixuantong<shixuantong@h-partners.com> - 1.2.0-6
 - Type:CVE
 - ID:CVE-2020-23903