| Description: A corrupt header specifying zero channels would send read_channels() |
| into an infinite loop. Prevent this by sanity checking the channel |
| count in open_read(). Also add an upper bound to prevent overflow |
| in multiplication. |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 |
| Author: Mans Rullgard <mans@mansr.com> |
| Jaromír Mikeš <mira.mikes@seznam.cz> |
| Forwarded: not-needed |
| |
| --- |
| src/xa.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| Index: sox/src/xa.c |
| =================================================================== |
| --- sox.orig/src/xa.c |
| +++ sox/src/xa.c |
| @@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) |
| lsx_report("User options overriding rate read in .xa header"); |
| } |
| |
| + if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { |
| + lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", |
| + ft->signal.channels); |
| + return SOX_EOF; |
| + } |
| + |
| /* Check for supported formats */ |
| if (ft->encoding.bits_per_sample != 16) { |
| lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", |
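Review bot: The added `lsx_fail_errno` call in the channel check prints `ft->signal.channels` with `%d`; if that field is an unsigned type (its declaration is not visible here, though the comparison against `UINT16_MAX` suggests it), the specifier should be `%u`, as in `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %u",`. The bound itself deserves a one-line comment, because the loop and the multiplication it protects are outside the hunk: `/* 0 channels would make the read loop spin forever; cap the count so later size arithmetic cannot overflow */`. Whether `UINT16_MAX` is tight enough depends on the operand widths in that multiplication, which cannot be confirmed from the lines shown. The body of `startread` begins and ends outside the hunk, so any state acquired before this early `return SOX_EOF` should be checked for release on this path.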