oss-sec mailing list archives
CVE Request: integer overflow in ALSA snd_compress_check_input
From: Marcus Meissner <meissner () suse de>
Date: Tue, 28 Jun 2016 12:54:10 +0200
Hi, Someone seems to have assigned CVE-2014-9904 to commit commit 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 Author: Dan Carpenter <dan.carpenter () oracle com> Date: Wed Jul 16 09:37:04 2014 +0300 ALSA: compress: fix an integer overflow check I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()') Signed-off-by: Dan Carpenter <dan.carpenter () oracle com> Signed-off-by: Takashi Iwai <tiwai () suse de> but there was no 2012 CVE assignment to the original fixing commit b35cc8225845 as far as I see: commit b35cc8225845112a616e3a2266d2fde5ab13d3ab Author: Dan Carpenter <dan.carpenter () oracle com> Date: Wed Sep 5 15:32:18 2012 +0300 ALSA: compress_core: integer overflow in snd_compr_allocate_buffer() These are 32 bit values that come from the user, we need to check for integer overflows or we could end up allocating a smaller buffer than expected. Signed-off-by: Dan Carpenter <dan.carpenter () oracle com> Signed-off-by: Takashi Iwai <tiwai () suse de> Is there a 2012 CVE for it? Ciao, Marcus
Current thread:
- CVE Request: integer overflow in ALSA snd_compress_check_input Marcus Meissner (Jun 28)
- Re: CVE Request: integer overflow in ALSA snd_compress_check_input cve-assign (Jun 28)