diff options
author | Armin Kuster <akuster@mvista.com> | 2021-09-14 17:04:57 -0700 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2021-09-24 04:27:46 -1000 |
commit | f999bac187a935821f8580f3c5b1d08107ba9851 (patch) | |
tree | eab9110250c64aa0ab8cd0eeedf8661039fe2670 | |
parent | 315262830bfe2bc8b2a9259541bb3a0bc83a2cdd (diff) | |
download | openembedded-core-contrib-f999bac187a935821f8580f3c5b1d08107ba9851.tar.gz |
libsndfile: Security fix for CVE-2021-3246
Source: https://github.com/libsndfile/libsndfile
MR: 112098
Type: Security Fix
Disposition: Backport from https://github.com/libsndfile/libsndfile/pull/713
ChangeID: 10d137de063b7a1e543ee96fbcf948945a452869
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch @@ -0,0 +1,36 @@ +From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001 +From: bobsayshilol <bobsayshilol@live.co.uk> +Date: Wed, 17 Feb 2021 23:21:48 +0000 +Subject: [PATCH 1/2] wavlike: Fix incorrect size check + +The SF_CART_INFO_16K struct has an additional 4 byte field to hold +the size of 'tag_text' which the file header doesn't, so don't +include it as part of the check when looking for the max length. + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026 + +Upstream-Status: Backport +CVE: CVE-2021-3246 patch 1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/wavlike.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: libsndfile-1.0.28/src/wavlike.c +=================================================================== +--- libsndfile-1.0.28.orig/src/wavlike.c ++++ libsndfile-1.0.28/src/wavlike.c +@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf + return 0 ; + } ; + +- if (chunksize >= sizeof (SF_CART_INFO_16K)) ++ /* ++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part ++ ** of the chunk, so don't include it in the size check. ++ */ ++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) + { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ; + psf_binheader_readf (psf, "j", chunksize) ; + return 0 ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch new file mode 100644 index 0000000000..d6b03d7d4d --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch @@ -0,0 +1,44 @@ +From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001 +From: bobsayshilol <bobsayshilol@live.co.uk> +Date: Thu, 18 Feb 2021 21:52:09 +0000 +Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks + +'blockalign' is the size of a block, and each block contains 7 samples +per channel as part of the preamble, so check against 'samplesperblock' +rather than 'blockalign'. Also add an additional check that the block +is big enough to hold the samples it claims to hold. + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803 + +Upstream-Status: Backport +CVE: CVE-2021-3246 patch 2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/ms_adpcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c +index 5e8f1a31..a21cb994 100644 +--- a/src/ms_adpcm.c ++++ b/src/ms_adpcm.c +@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) + if (psf->file.mode == SFM_WRITE) + samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ; + +- if (blockalign < 7 * psf->sf.channels) +- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ; ++ /* There's 7 samples per channel in the preamble of each block */ ++ if (samplesperblock < 7 * psf->sf.channels) ++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ; ++ return SFE_INTERNAL ; ++ } ; ++ ++ if (2 * blockalign < samplesperblock * psf->sf.channels) ++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ; + return SFE_INTERNAL ; + } ; + +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 044881a859..2525af8fe0 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -20,6 +20,8 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-12562.patch \ file://CVE-2018-19758.patch \ file://CVE-2019-3832.patch \ + file://CVE-2021-3246_1.patch \ + file://CVE-2021-3246_2.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |