authorLeo <thinkabit.ukim@gmail.com>2019-07-29 08:01:06 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-29 15:12:47 +0200
commit86cb13bd338f8f4a3c69e861d77fbe8140ce5335 (patch)
treea5a660de401eccec2eba8dd409cbb26fc464da42
parentf684a98ab9869cab9dcbc59ffef6134e4db1a03e (diff)
main/libebml: fix CVE-2019-13615
ref #10697
-rw-r--r--main/libebml/APKBUILD13
-rw-r--r--main/libebml/CVE-2019-13615.patch85
2 files changed, 95 insertions, 3 deletions
diff --git a/main/libebml/APKBUILD b/main/libebml/APKBUILD
index 686fdb0aa06..d5f64bc41f5 100644
--- a/main/libebml/APKBUILD
+++ b/main/libebml/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=libebml
pkgver=1.3.5
-pkgrel=0
+pkgrel=1
pkgdesc="a C++ library to parse Extensible Binary Meta-Language files"
url="https://www.matroska.org/"
arch="all"
@@ -12,9 +12,15 @@ depends_dev=""
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev"
-source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz"
+source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz
+ CVE-2019-13615.patch
+ "
options="!check"
+# secfixes:
+# 1.3.5-r1:
+# - CVE-2019-13615
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
local i
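Review bot: The re-added `source=` line still fetches the tarball over plain `http://`. The pinned `sha512sums` entry will reject a tampered download, but if the host serves the same path over TLS the URL should start with `https://dl.matroska.org/downloads/`. `prepare()` begins on the last lines of this hunk and its body is outside it, so confirm that it applies the `*.patch` entries from `$source` at the strip level the `a/src/...` paths need (`-p1`). `options="!check"` is unchanged, so nothing in the build exercises the patched parser; the fix is verified only by whatever manual testing was done.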
@@ -42,4 +48,5 @@ package() {
make install DESTDIR="$pkgdir"
}
-sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz"
+sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz
+9cdda162a58c77541065121edafe09643f6c37ffb7b94851903f80a2fb5bf2e4729c6d97b5a23d05257b65abada0f5bf10d9d245cc3b4fd07653bb5ad3c29f0a CVE-2019-13615.patch"
diff --git a/main/libebml/CVE-2019-13615.patch b/main/libebml/CVE-2019-13615.patch
new file mode 100644
index 00000000000..0c8e24c820d
--- /dev/null
+++ b/main/libebml/CVE-2019-13615.patch
@@ -0,0 +1,85 @@
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 143f439..871247c 100644
+--- a/src/EbmlElement.cpp
++++ b/src/EbmlElement.cpp
+@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ int PossibleSizeLength;
+ uint64 SizeUnknown;
+ int ReadIndex = 0; // trick for the algo, start index at 0
+- uint32 ReadSize = 0;
++ uint32 ReadSize = 0, IdStart = 0;
+ uint64 SizeFound;
+ int SizeIdx;
+ bool bFound;
+ int UpperLevel_original = UpperLevel;
++ uint64 ParseStart = DataStream.getFilePointer();
+
+ do {
+ // read a potential ID
+@@ -402,14 +403,17 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // ID not found
+ // shift left the read octets
+ memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
++ IdStart++;
+ }
+
++ if (MaxDataSize <= ReadSize)
++ break;
+ if (DataStream.read(&PossibleIdNSize[ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+ }
+ ReadSize++;
+
+- } while (!bFound && MaxDataSize > ReadSize);
++ } while (!bFound);
+
+ if (!bFound)
+ // we reached the maximum we could read without a proper ID
+@@ -432,6 +436,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ bFound = false;
+ break;
+ }
++ if (MaxDataSize <= ReadSize) {
++ bFound = false;
++ break;
++ }
+ if( DataStream.read( &PossibleIdNSize[SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+ }
+@@ -454,16 +462,15 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // 0 : child
+ // 1 : same level
+ // + : further parent
+- if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
+- if (SizeFound == SizeUnknown) {
+- Result->SetSizeInfinite();
++ if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
++ MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
++ if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++ Result->ElementPosition = ParseStart + IdStart;
++ Result->SizePosition = Result->ElementPosition + PossibleID_Length;
++ // place the file at the beggining of the data
++ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++ return Result;
+ }
+-
+- Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
+- Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
+- // place the file at the beggining of the data
+- DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+- return Result;
+ }
+ }
+ delete Result;
+@@ -473,8 +480,9 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // recover all the data in the buffer minus one byte
+ ReadIndex = SizeIdx - 1;
+ memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
++ IdStart++;
+ UpperLevel = UpperLevel_original;
+- } while ( MaxDataSize > DataStream.getFilePointer() - SizeIdx + PossibleID_Length );
++ } while ( MaxDataSize >= ReadSize );
+
+ return NULL;
+ }
+
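Review bot: The patch file starts directly at `diff --git a/src/EbmlElement.cpp` with no header, so nothing records which upstream change this backport comes from or whether it was adapted for 1.3.5. A short preamble above the first `diff` line, such as `Upstream: <UPSTREAM_COMMIT_URL>` and `Fixes: CVE-2019-13615`, would let a later auditor compare the two. Inside the patch, `ReadSize` and `IdStart` are `uint32` while `ParseStart` is `uint64`. If `MaxDataSize` is wider than 32 bits (its declaration is outside the hunks shown), the new `MaxDataSize <= ReadSize` guards and `ElementPosition = ParseStart + IdStart` rely on those counters not wrapping, which is worth checking against upstream. The closing `while ( MaxDataSize >= ReadSize )` uses `>=` where the added guards break on `<=`; presumably this lets bytes already buffered in `PossibleIdNSize` be re-scanned, and a one-line comment saying so would make the asymmetry read as deliberate.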