diff options
| author |   Vivek Kumbhar <vkumbhar@mvista.com> | 2023-11-30 11:35:21 +0530 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2023-11-30 05:33:20 -1000 |
| commit | 0dc086b37b1c333adf99c01ce4ecb717df48d6f9 (patch) | |
| tree | ad332c25504890f27054de9384b91d6b1d103c67 | |
| parent | 11da43b58e19583a9bc16044309610cfb2e86469 (diff) | |
| download | openembedded-core-0dc086b37b1c333adf99c01ce4ecb717df48d6f9.tar.gz | |
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch | 46 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..c5fba4d6b5 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch @@ -0,0 +1,46 @@ +From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Tue, 10 Oct 2023 16:10:34 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation + +The clang sanitizer warns of a possible signed integer overflow when +calculating the `dataend` value in `mat4_read_header()`. + +``` +src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in +src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in +``` + +Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of +`dataend` before performing the calculation, to avoid the issue. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/789 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> + +Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c] +CVE: CVE-2022-33065 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/mat4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 0b1b414..575683b 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + +-- +2.40.1 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb index f6ea585e34..0c654fd853 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb @@ -11,6 +11,7 @@ LICENSE = "LGPL-2.1-only" SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \ file://noopus.patch \ file://0001-flac-Fix-improper-buffer-reusing-732.patch \ + file://CVE-2022-33065.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/" |