Fix CVE-2018-7253: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253 Copied from upstream: https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec diff --git a/cli/dsdiff.c b/cli/dsdiff.c index 410dc1c..c016df9 100644 --- a/cli/dsdiff.c +++ b/cli/dsdiff.c @@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa error_line ("dsdiff file version = 0x%08x", version); } else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) { - char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize); + char *prop_chunk; + + if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) { + error_line ("%s is not a valid .DFF file!", infilename); + return WAVPACK_SOFT_ERROR; + } + + if (debug_logging_mode) + error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize); + + prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize); if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) || bcount != dff_chunk_header.ckDataSize) {