libsndfile: fix CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662 & CVE-2018-19758

Switch to p0 patches from upstream git
Christian Buschau 2019-01-29 06:35:22 +01:00 committed by maxice8
parent dc506ac944
commit 7bbb117542
11 changed files with 311 additions and 149 deletions


@ -1,19 +1,40 @@
Fix CVE-2017-12562 commit cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
Author: Jörn Heusipp <osmanx@problemloesungsmaschine.de>
Date: Wed Jun 14 12:25:40 2017 +0200
See: src/common.c: Fix heap buffer overflows when writing strings in binheader
https://nvd.nist.gov/vuln/detail/CVE-2017-12562 Fixes the following problems:
https://github.com/erikd/libsndfile/issues/292 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
big switch statement by an amount (16 bytes) which is enough for all cases
where only a single value gets added. Cases 's', 'S', 'p' however
additionally write an arbitrary length block of data and again enlarge the
buffer to the required amount. However, the required space calculation does
not take into account the size of the length field which gets output before
the data.
3. Buffer size requirement calculation in case 'S' does not account for the
padding byte ("size += (size & 1) ;" happens after the calculation which
uses "size").
4. Case 'S' can overrun the header buffer by 1 byte when no padding is
involved
("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
the buffer is only guaranteed to have "size" space available).
5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
beyond the space which is guaranteed to be allocated in the header buffer.
6. Case 's' can overrun the provided source string by 1 byte if padding is
involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
plus optionally another 1 which is padding and not guaranteed to be
readable via the source string pointer).
for more details. Closes: https://github.com/erikd/libsndfile/issues/292
Changes come from the upstream committed fix at: diff --git src/common.c src/common.c
index 1a6204ca..6b2a2ee9 100644
https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 --- src/common.c
+++ src/common.c
--- libsndfile-1.0.28/src/common.c.orig 2017-08-07 07:13:53.056875691 +0000 @@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+++ libsndfile-1.0.28/src/common.c 2017-08-07 07:23:57.493033443 +0000
@@ -675,16 +675,16 @@
/* Write a C string (guaranteed to have a zero terminator). */ /* Write a C string (guaranteed to have a zero terminator). */
strptr = va_arg (argptr, char *) ; strptr = va_arg (argptr, char *) ;
size = strlen (strptr) + 1 ; size = strlen (strptr) + 1 ;
@ -34,7 +55,7 @@ https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad
psf->header.indx += size ; psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ; psf->header.ptr [psf->header.indx - 1] = 0 ;
count += 4 + size ; count += 4 + size ;
@@ -697,16 +697,15 @@ @@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
*/ */
strptr = va_arg (argptr, char *) ; strptr = va_arg (argptr, char *) ;
size = strlen (strptr) ; size = strlen (strptr) ;
@ -53,7 +74,7 @@ https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad
count += 4 + size ; count += 4 + size ;
break ; break ;
@@ -718,7 +717,7 @@ @@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
size = (size & 1) ? size : size + 1 ; size = (size & 1) ? size : size + 1 ;
size = (size > 254) ? 254 : size ; size = (size > 254) ? 254 : size ;
@ -62,4 +83,3 @@ https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad
return count ; return count ;
header_put_byte (psf, size) ; header_put_byte (psf, size) ;


@ -1,27 +1,22 @@
From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001 commit 2d54514a4f6437b67829717c05472d2e3300a258
From: Fabian Greffrath <fabian@greffrath.com> Author: Fabian Greffrath <fabian@greffrath.com>
Date: Wed, 27 Sep 2017 14:46:17 +0200 Date: Wed Sep 27 14:46:17 2017 +0200
Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
normal
and check elements of the data[] array for being finite. sfe_copy_data_fp: check value of "max" variable for being normal
Both checks use functions provided by the <math.h> header as declared and check elements of the data[] array for being finite.
by the C99 standard.
Fixes #317 Both checks use functions provided by the <math.h> header as declared
CVE-2017-14245 by the C99 standard.
CVE-2017-14246
---
programs/common.c | 20 ++++++++++++++++----
programs/common.h | 2 +-
programs/sndfile-convert.c | 6 +++++-
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/programs/common.c b/programs/common.c Fixes #317
CVE-2017-14245
CVE-2017-14246
diff --git programs/common.c programs/common.c
index a21e62ca..a249a585 100644 index a21e62ca..a249a585 100644
--- a/programs/common.c --- programs/common.c
+++ b/programs/common.c +++ programs/common.c
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
@ -81,10 +76,10 @@ index a21e62ca..a249a585 100644
else else
sfe_copy_data_int (outfile, infile, sfinfo.channels) ; sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
} ; } ;
diff --git a/programs/common.h b/programs/common.h diff --git programs/common.h programs/common.h
index eda2d7d7..986277ee 100644 index eda2d7d7..986277ee 100644
--- a/programs/common.h --- programs/common.h
+++ b/programs/common.h +++ programs/common.h
@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ; @@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ; void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
@ -94,10 +89,10 @@ index eda2d7d7..986277ee 100644
void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ; void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c diff --git programs/sndfile-convert.c programs/sndfile-convert.c
index dff7f793..e6de5935 100644 index dff7f793..e6de5935 100644
--- a/programs/sndfile-convert.c --- programs/sndfile-convert.c
+++ b/programs/sndfile-convert.c +++ programs/sndfile-convert.c
@@ -335,7 +335,11 @@ main (int argc, char * argv []) @@ -335,7 +335,11 @@ main (int argc, char * argv [])
|| (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT) || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
|| (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT) || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
@ -111,4 +106,3 @@ index dff7f793..e6de5935 100644
else else
sfe_copy_data_int (outfile, infile, sfinfo.channels) ; sfe_copy_data_int (outfile, infile, sfinfo.channels) ;


@ -1,29 +1,27 @@
From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001 commit 85c877d5072866aadbe8ed0c3e0590fbb5e16788
From: Fabian Greffrath <fabian@greffrath.com> Author: Fabian Greffrath <fabian@greffrath.com>
Date: Thu, 28 Sep 2017 12:15:04 +0200 Date: Thu Sep 28 12:15:04 2017 +0200
Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code. double64_init: Check psf->sf.channels against upper bound
While the trivial case to catch this (i.e. sf.channels < 1) has already This prevents division by zero later in the code.
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634 While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
Closes: https://github.com/erikd/libsndfile/issues/318 CVE-2017-14634
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
---
src/double64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/double64.c b/src/double64.c Closes: https://github.com/erikd/libsndfile/issues/318
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
diff --git src/double64.c src/double64.c
index b318ea86..78dfef7f 100644 index b318ea86..78dfef7f 100644
--- a/src/double64.c --- src/double64.c
+++ b/src/double64.c +++ src/double64.c
@@ -91,7 +91,7 @@ int @@ -91,7 +91,7 @@ int
double64_init (SF_PRIVATE *psf) double64_init (SF_PRIVATE *psf)
{ static int double64_caps ; { static int double64_caps ;
@ -33,4 +31,3 @@ index b318ea86..78dfef7f 100644
{ psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ; { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
return SFE_INTERNAL ; return SFE_INTERNAL ;
} ; } ;


@ -0,0 +1,88 @@
commit 8ddc442d539ca775d80cdbc7af17a718634a743f
Author: Hugo Lefeuvre <hle@owl.eu.com>
Date: Mon Dec 24 06:43:48 2018 +0100
a/ulaw: fix multiple buffer overflows (#432)
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.
In this case round - INT_MIN to INT_MAX and proceed as usual.
f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.
In this case, arbitrarily set the buffer value to 0.
This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).
diff --git src/alaw.c src/alaw.c
index 063fd1a2..4220224c 100644
--- src/alaw.c
+++ src/alaw.c
@@ -19,6 +19,7 @@
#include "sfconfig.h"
#include <math.h>
+#include <limits.h>
#include "sndfile.h"
#include "common.h"
@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2alaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (ptr [count] == INT_MIN)
+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
+ else if (ptr [count] >= 0)
buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
else
buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (!isfinite (ptr [count]))
+ buffer [count] = 0 ;
+ else if (ptr [count] >= 0)
buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
diff --git src/ulaw.c src/ulaw.c
index e50b4cb5..b6070ade 100644
--- src/ulaw.c
+++ src/ulaw.c
@@ -19,6 +19,7 @@
#include "sfconfig.h"
#include <math.h>
+#include <limits.h>
#include "sndfile.h"
#include "common.h"
@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (ptr [count] == INT_MIN)
+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
+ else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
else
buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (!isfinite (ptr [count]))
+ buffer [count] = 0 ;
+ else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
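Review bot: The commit message says f2ulaw_array() and f2alaw_array() mishandle NaN, but the two hunks at `@@ -346,7 +349,9 @@` and `@@ -847,7 +850,9 @@` add the `isfinite` guard only to d2alaw_array and d2ulaw_array; the float functions named in those hunk headers are context, not changed lines, and no other hunk in this file touches them. If this vendored patch is meant to cover CVE-2017-17456/CVE-2017-17457 in full, confirm against upstream commit 8ddc442d whether f2alaw_array and f2ulaw_array need the same `if (!isfinite (ptr [count])) buffer [count] = 0 ;` branch, since a NaN there would presumably still reach `lrint` and index the encode table. The INT_MIN branches in i2alaw_array and i2ulaw_array look correct as written, because `- ptr [count]` is the only expression that overflows. Each patched function's body continues outside its hunk.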


@ -1,13 +1,18 @@
Description: Fix for CVE-2017-6892 commit f833c53cb596e9e1792949f762e0b33661822748
Author: Erik de Castro Lopez Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Origin: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748 Date: Tue May 23 20:15:24 2017 +1000
Applied-Upstream: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
Last-Update: 2017-06-20 src/aiff.c: Fix a buffer read overflow
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Secunia Advisory SA76717.
--- libsndfile.orig/src/aiff.c
+++ libsndfile/src/aiff.c Found by: Laurent Delosieres, Secunia Research at Flexera Software
@@ -1905,7 +1905,7 @@
diff --git src/aiff.c src/aiff.c
index 5b5f9f53..45864b76 100644
--- src/aiff.c
+++ src/aiff.c
@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
psf_binheader_readf (psf, "j", dword - bytesread) ; psf_binheader_readf (psf, "j", dword - bytesread) ;
if (map_info->channel_map != NULL) if (map_info->channel_map != NULL)


@ -1,14 +1,20 @@
Description: fixed yet another buffer read overflow in FLAC code commit ef1dbb2df1c0e741486646de40bd638a9c4cd808
CVE-2017-8362 Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Author: Erik de Castro Lopo Date: Fri Apr 14 15:19:16 2017 +1000
Origin: upstream
Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808 src/flac.c: Fix a buffer read overflow
Last-Update: 2017-05-28
--- A file (generated by a fuzzer) which increased the number of channels
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ from one frame to the next could cause a read beyond the end of the
--- libsndfile.orig/src/flac.c buffer provided by libFLAC. Only option is to abort the read.
+++ libsndfile/src/flac.c
@@ -169,6 +169,14 @@ Closes: https://github.com/erikd/libsndfile/issues/231
diff --git src/flac.c src/flac.c
index 5a4f8c21..e4f9aaa0 100644
--- src/flac.c
+++ src/flac.c
@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
const int32_t* const *buffer = pflac->wbuffer ; const int32_t* const *buffer = pflac->wbuffer ;
unsigned i = 0, j, offset, channels, len ; unsigned i = 0, j, offset, channels, len ;
@ -23,7 +29,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
/* /*
** frame->header.blocksize is variable and we're using a constant blocksize ** frame->header.blocksize is variable and we're using a constant blocksize
** of FLAC__MAX_BLOCK_SIZE. ** of FLAC__MAX_BLOCK_SIZE.
@@ -202,7 +210,6 @@ @@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
return 0 ; return 0 ;
} ; } ;


@ -1,14 +1,48 @@
Description: fixing another memory leak in FLAC code commit cd7da8dbf6ee4310d21d9e44b385d6797160d9e8
CVE-2017-8363 Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Author: Erik de Castro Lopo Date: Wed Apr 12 20:19:34 2017 +1000
Origin: upstream
Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562 src/flac.c: Fix another memory leak
Last-Update: 2017-05-28
--- When the FLAC decoder was passed a malformed file, the associated
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ `FLAC__StreamDecoder` object was not getting released.
--- libsndfile.orig/src/flac.c
+++ libsndfile/src/flac.c Closes: https://github.com/erikd/libsndfile/issues/233
@@ -430,8 +430,7 @@
diff --git src/flac.c src/flac.c
index 986a7b8f..5a4f8c21 100644
--- src/flac.c
+++ src/flac.c
@@ -841,7 +841,9 @@ flac_read_header (SF_PRIVATE *psf)
psf_log_printf (psf, "End\n") ;
- if (psf->error == 0)
+ if (psf->error != 0)
+ FLAC__stream_decoder_delete (pflac->fsd) ;
+ else
{ FLAC__uint64 position ;
FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
commit 5206a9b65e61598fde44d276c81b0585bc428562
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Wed Apr 12 19:10:40 2017 +1000
src/flac.c: Fix a memory leak
The pflac->rbuffer pointer array was being allocated in two
places, but only one of them (the one that was kept) was checking
to ensure the pointers were NULL before allocation.
Leak was found by fuzzing the sndfile-resample binary compiled
with ASAN.
diff --git src/flac.c src/flac.c
index 40629c7d..84de0e26 100644
--- src/flac.c
+++ src/flac.c
@@ -430,8 +430,7 @@ sf_flac_meta_get_vorbiscomments (SF_PRIVATE *psf, const FLAC__StreamMetadata *me
static void static void
sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data) sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
{ SF_PRIVATE *psf = (SF_PRIVATE*) client_data ; { SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
@ -18,7 +52,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
switch (metadata->type) switch (metadata->type)
{ case FLAC__METADATA_TYPE_STREAMINFO : { case FLAC__METADATA_TYPE_STREAMINFO :
@@ -481,12 +480,6 @@ @@ -468,12 +467,6 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
if (bitwidth > 0) if (bitwidth > 0)
psf_log_printf (psf, " Bit width : %d\n", bitwidth) ; psf_log_printf (psf, " Bit width : %d\n", bitwidth) ;
@ -31,14 +65,3 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
break ; break ;
case FLAC__METADATA_TYPE_VORBIS_COMMENT : case FLAC__METADATA_TYPE_VORBIS_COMMENT :
@@ -848,7 +841,9 @@
psf_log_printf (psf, "End\n") ;
- if (psf->error == 0)
+ if (psf->error != 0)
+ FLAC__stream_decoder_delete (pflac->fsd) ;
+ else
{ FLAC__uint64 position ;
FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;


@ -1,14 +1,20 @@
Description: fixing buffer read/write overruns in FLAC-code commit fd0484aba8e51d16af1e3a880f9b8b857b385eb3
CVE-2017-8365, CVE-2017-8363, CVE-2017-8361 Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Author: Erik de Castro Lopo Date: Wed Apr 12 19:45:30 2017 +1000
Origin: upstream
Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 FLAC: Fix a buffer read overrun
Last-Update: 2017-05-28
--- Buffer read overrun occurs when reading a FLAC file that switches
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ from 2 channels to one channel mid-stream. Only option is to
--- libsndfile.orig/src/common.h abort the read.
+++ libsndfile/src/common.h
@@ -725,6 +725,7 @@ Closes: https://github.com/erikd/libsndfile/issues/230
diff --git src/common.h src/common.h
index 0bd810c3..e2669b6a 100644
--- src/common.h
+++ src/common.h
@@ -725,6 +725,7 @@ enum
SFE_FLAC_INIT_DECODER, SFE_FLAC_INIT_DECODER,
SFE_FLAC_LOST_SYNC, SFE_FLAC_LOST_SYNC,
SFE_FLAC_BAD_SAMPLE_RATE, SFE_FLAC_BAD_SAMPLE_RATE,
@ -16,9 +22,11 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
SFE_FLAC_UNKOWN_ERROR, SFE_FLAC_UNKOWN_ERROR,
SFE_WVE_NOT_WVE, SFE_WVE_NOT_WVE,
--- libsndfile.orig/src/flac.c diff --git src/flac.c src/flac.c
+++ libsndfile/src/flac.c index 84de0e26..986a7b8f 100644
@@ -435,6 +435,19 @@ --- src/flac.c
+++ src/flac.c
@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
switch (metadata->type) switch (metadata->type)
{ case FLAC__METADATA_TYPE_STREAMINFO : { case FLAC__METADATA_TYPE_STREAMINFO :
@ -38,9 +46,11 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
psf->sf.channels = metadata->data.stream_info.channels ; psf->sf.channels = metadata->data.stream_info.channels ;
psf->sf.samplerate = metadata->data.stream_info.sample_rate ; psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
psf->sf.frames = metadata->data.stream_info.total_samples ; psf->sf.frames = metadata->data.stream_info.total_samples ;
--- libsndfile.orig/src/sndfile.c diff --git src/sndfile.c src/sndfile.c
+++ libsndfile/src/sndfile.c index 41875610..e2a87be8 100644
@@ -245,6 +245,7 @@ --- src/sndfile.c
+++ src/sndfile.c
@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
{ SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." }, { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
{ SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." }, { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
{ SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." }, { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },


@ -1,20 +1,18 @@
From aaea680337267bfb6d2544da878890ee7f1c5077 Mon Sep 17 00:00:00 2001 commit aaea680337267bfb6d2544da878890ee7f1c5077
From: "Brett T. Warden" <brett.t.warden@intel.com> Author: Brett T. Warden <brett.t.warden@intel.com>
Date: Tue, 28 Aug 2018 12:01:17 -0700 Date: Tue Aug 28 12:01:17 2018 -0700
Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
Allocated buffer has space for only 16 channels. Verify that input file Check MAX_CHANNELS in sndfile-deinterleave
meets this limit.
Fixes #397 Allocated buffer has space for only 16 channels. Verify that input file
--- meets this limit.
programs/sndfile-deinterleave.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c Fixes #397
diff --git programs/sndfile-deinterleave.c programs/sndfile-deinterleave.c
index 53660310..225b4d54 100644 index 53660310..225b4d54 100644
--- a/programs/sndfile-deinterleave.c --- programs/sndfile-deinterleave.c
+++ b/programs/sndfile-deinterleave.c +++ programs/sndfile-deinterleave.c
@@ -89,6 +89,13 @@ main (int argc, char **argv) @@ -89,6 +89,13 @@ main (int argc, char **argv)
exit (1) ; exit (1) ;
} ; } ;
@ -29,4 +27,3 @@ index 53660310..225b4d54 100644
state.channels = sfinfo.channels ; state.channels = sfinfo.channels ;
sfinfo.channels = 1 ; sfinfo.channels = 1 ;


@ -0,0 +1,23 @@
commit 42132c543358cee9f7c3e9e9b15bb6c1063a608e
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue Jan 1 20:11:46 2019 +1100
src/wav.c: Fix heap read overflow
This is CVE-2018-19758.
Closes: https://github.com/erikd/libsndfile/issues/435
diff --git src/wav.c src/wav.c
index 9d71aadb..5c825f2a 100644
--- src/wav.c
+++ src/wav.c
@@ -1146,6 +1146,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
psf_binheader_writef (psf, "44", BHW4 (0), BHW4 (0)) ; /* SMTPE format */
psf_binheader_writef (psf, "44", BHW4 (psf->instrument->loop_count), BHW4 (0)) ;
+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+ psf->instrument->loop_count &= 0x7fff ;
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
{ int type ;
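Review bot: The added mask `psf->instrument->loop_count &= 0x7fff ;` runs after the loop count has already been emitted to the header by the preceding `psf_binheader_writef (psf, "44", BHW4 (psf->instrument->loop_count), BHW4 (0)) ;`, so for a loop_count above 0x7fff the header field disagrees with the number of loop records the following `for` loop writes. Moving the masking line (and its comment) above that writef call keeps the declared and emitted counts consistent. Masking also silently maps a value such as 0x8001 to 1 rather than bounding it; a clamp like `if (psf->instrument->loop_count > 0x7fff) psf->instrument->loop_count = 0x7fff ;` expresses the stated intent more directly and is worth raising upstream rather than diverging in the vendored copy. wav_write_header's body continues outside the hunk.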


@ -1,15 +1,14 @@
# Template file for 'libsndfile' # Template file for 'libsndfile'
pkgname=libsndfile pkgname=libsndfile
version=1.0.28 version=1.0.28
revision=2 revision=3
patch_args="-Np1"
build_style=gnu-configure build_style=gnu-configure
hostmakedepends="pkg-config python" hostmakedepends="pkg-config python"
makedepends="alsa-lib-devel libvorbis-devel libflac-devel sqlite-devel" makedepends="alsa-lib-devel libvorbis-devel libflac-devel sqlite-devel"
short_desc="C library for reading and writing files containing sampled sound" short_desc="C library for reading and writing files containing sampled sound"
maintainer="Juan RP <xtraeme@voidlinux.org>" maintainer="Juan RP <xtraeme@voidlinux.org>"
license="LGPL-2.1-or-later"
homepage="http://www.mega-nerd.com/libsndfile" homepage="http://www.mega-nerd.com/libsndfile"
license="LGPL-2.1"
distfiles="http://www.mega-nerd.com/${pkgname}/files/${pkgname}-${version}.tar.gz" distfiles="http://www.mega-nerd.com/${pkgname}/files/${pkgname}-${version}.tar.gz"
checksum=1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9 checksum=1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9
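Review bot: The `license` field changes from `LGPL-2.1` to `LGPL-2.1-or-later` and moves above `homepage`, which is unrelated to the CVE fixes the title describes and is not mentioned in the description; either note it there or split it into its own commit so the security change stays reviewable on its own. Dropping `patch_args="-Np1"` is consistent with the switch to p0 patches, assuming the build system's default strip level is 0, which the template itself does not show.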