summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>2018-08-22 17:30:29 +0530
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-23 07:45:32 +0100
commitad842a3a0e6ef78fb9449362753ae3592c775192 (patch)
treef6fea4d5d715c5c0afb8580deefed289110d59ce
parent4c1d03eb226aa838622852b70a87260ab1ac9d91 (diff)
downloadopenembedded-core-contrib-ad842a3a0e6ef78fb9449362753ae3592c775192.tar.gz
openembedded-core-contrib-ad842a3a0e6ef78fb9449362753ae3592c775192.tar.bz2
openembedded-core-contrib-ad842a3a0e6ef78fb9449362753ae3592c775192.zip
libsndfile1: CVE-2017-14245 CVE-2017-14246
sfe_copy_data_fp: check value of "max" variable for being normal and check elements of the data[] array for being finite. Both checks use functions provided by the <math.h> header as declared by the C99 standard. Fixes #317 CVE-2017-14245 CVE-2017-14246 Affects libsndfile1 = 1.0.28 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch121
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb1
2 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
new file mode 100644
index 0000000000..a17ec21f98
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
@@ -0,0 +1,121 @@
+From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 27 Sep 2017 14:46:17 +0200
+Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
+ normal
+
+and check elements of the data[] array for being finite.
+
+Both checks use functions provided by the <math.h> header as declared
+by the C99 standard.
+
+Fixes #317
+CVE: CVE-2017-14245
+CVE: CVE-2017-14246
+
+Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
+
+Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ programs/common.c | 20 ++++++++++++++++----
+ programs/common.h | 2 +-
+ programs/sndfile-convert.c | 6 +++++-
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/programs/common.c b/programs/common.c
+index a21e62c..a249a58 100644
+--- a/programs/common.c
++++ b/programs/common.c
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <stdint.h>
++#include <math.h>
+
+ #include <sndfile.h>
+
+@@ -45,7 +46,7 @@
+
+ #define MIN(x, y) ((x) < (y) ? (x) : (y))
+
+-void
++int
+ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
+ { static double data [BUFFER_LEN], max ;
+ int frames, readcount, k ;
+@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ readcount = frames ;
+
+ sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
++ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
++ return 1 ;
+
+ if (!normalize && max < 1.0)
+ { while (readcount > 0)
+@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ while (readcount > 0)
+ { readcount = sf_readf_double (infile, data, frames) ;
+ for (k = 0 ; k < readcount * channels ; k++)
+- data [k] /= max ;
++ { data [k] /= max ;
++
++ if (!isfinite (data [k])) /* infinite or NaN */
++ return 1;
++ }
+ sf_writef_double (outfile, data, readcount) ;
+ } ;
+ } ;
+
+- return ;
++ return 0 ;
+ } /* sfe_copy_data_fp */
+
+ void
+@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
+
+ /* If the input file is not the same as the output file, copy the data. */
+ if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
+- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
++ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
++ error_code = 1 ;
++ goto cleanup_exit ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ } ;
+diff --git a/programs/common.h b/programs/common.h
+index eda2d7d..986277e 100644
+--- a/programs/common.h
++++ b/programs/common.h
+@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
+
+ void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
+
+-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
++int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+
+ void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
+
+diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
+index dff7f79..e6de593 100644
+--- a/programs/sndfile-convert.c
++++ b/programs/sndfile-convert.c
+@@ -335,7 +335,11 @@ main (int argc, char * argv [])
+ || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
+ || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
+ || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
+- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
++ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
++ return 1 ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 281ac82e39..c6f2a460b2 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-8361-8365.patch \
file://CVE-2017-8362.patch \
file://CVE-2017-8363.patch \
+ file://CVE-2017-14245-14246.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"