Skip to content

Commit

Permalink
Severe Remote Code Execution vulnerability macosforge#22
Browse files Browse the repository at this point in the history 
add partial fixes from macosforge#22
  • Loading branch information
@olivierlevon
olivierlevon committed May 22, 2022
1 parent 19dae96 commit eb3ae0c
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
8 changes: 8 additions & 0 deletions codec/ALACBitUtilities.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ void BitBufferInit( BitBuffer * bits, uint8_t * buffer, uint32_t byteSize )
bits->byteSize = byteSize;
}

#define AssertBufferReadBounds(b, n) RequireAction( b->end >= (b->cur + ((b->bitIndex + n) / 8 + ((b->bitIndex + n) % 8 > 0))), return 0; );

// BitBufferRead
//
uint32_t BitBufferRead( BitBuffer * bits, uint8_t numBits )
Expand All @@ -45,6 +47,8 @@ uint32_t BitBufferRead( BitBuffer * bits, uint8_t numBits )

//Assert( numBits <= 16 );

AssertBufferReadBounds(bits, numBits)

returnBits = ((uint32_t)bits->cur[0] << 16) | ((uint32_t)bits->cur[1] << 8) | ((uint32_t)bits->cur[2]);
returnBits = returnBits << bits->bitIndex;
returnBits &= 0x00FFFFFF;
Expand All @@ -69,6 +73,8 @@ uint8_t BitBufferReadSmall( BitBuffer * bits, uint8_t numBits )
uint16_t returnBits;

//Assert( numBits <= 8 );

AssertBufferReadBounds(bits, numBits)

returnBits = (bits->cur[0] << 8) | bits->cur[1];
returnBits = returnBits << bits->bitIndex;
Expand All @@ -92,6 +98,8 @@ uint8_t BitBufferReadOne( BitBuffer * bits )
{
uint8_t returnBits;

AssertBufferReadBounds(bits, 8)

returnBits = (bits->cur[0] >> (7 - bits->bitIndex)) & 1;

bits->bitIndex++;
Expand Down
9 changes: 9 additions & 0 deletions codec/ALACDecoder.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,12 @@ int32_t ALACDecoder::Init( void * inMagicCookie, uint32_t inMagicCookieSize )

mConfig = theConfig;

// sanity checks
RequireAction( mConfig.compatibleVersion <= kALACVersion, return kALAC_ParamError; );
RequireAction(mConfig.bitDepth == 16 || mConfig.bitDepth == 20 || mConfig.bitDepth == 24 || mConfig.bitDepth == 32, return kALAC_ParamError; );
RequireAction(mConfig.frameLength > 0 && mConfig.frameLength <= 16384, return kALAC_ParamError; );
RequireAction(mConfig.sampleRate > 0 && mConfig.sampleRate <= 384000, return kALAC_ParamError; );
RequireAction(mConfig.numChannels > 0 && mConfig.numChannels < kALACMaxChannels, return kALAC_ParamError; );

// allocate mix buffers
mMixBufferU = (int32_t *) calloc( mConfig.frameLength * sizeof(int32_t), 1 );
Expand Down Expand Up @@ -251,6 +256,8 @@ int32_t ALACDecoder::Decode( BitBuffer * bits, uint8_t * sampleBuffer, uint32_t
{
numSamples = BitBufferRead( bits, 16 ) << 16;
numSamples |= BitBufferRead( bits, 16 );

RequireAction(numSamples <= mConfig.frameLength, status = kALAC_ParamError; goto Exit; );
}

if ( escapeFlag == 0 )
Expand Down Expand Up @@ -402,6 +409,8 @@ int32_t ALACDecoder::Decode( BitBuffer * bits, uint8_t * sampleBuffer, uint32_t
{
numSamples = BitBufferRead( bits, 16 ) << 16;
numSamples |= BitBufferRead( bits, 16 );

RequireAction(numSamples <= mConfig.frameLength, status = kALAC_ParamError; goto Exit; );
}

if ( escapeFlag == 0 )
Expand Down

0 comments on commit eb3ae0c

Please sign in to comment.