diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile')
12 files changed, 839 insertions, 539 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch deleted file mode 100644 index c3f44ca235..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 7 Jan 2019 15:55:03 +0800 -Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) - -i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN -properly, leading to buffer underflow. INT_MIN is a special value -since - INT_MIN cannot be represented as int. - -In this case round - INT_MIN to INT_MAX and proceed as usual. - -f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN -properly, leading to null pointer dereference. - -In this case, arbitrarily set the buffer value to 0. - -This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and -fixes #344 (CVE-2017-17456 and CVE-2017-17457). - -Upstream-Status: Backport[https://github.com/erikd/libsndfile/ -commit/585cc28a93be27d6938f276af0011401b9f7c0ca] - -CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - src/alaw.c | 9 +++++++-- - src/ulaw.c | 9 +++++++-- - 2 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/src/alaw.c b/src/alaw.c -index 063fd1a..4220224 100644 ---- a/src/alaw.c -+++ b/src/alaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2alaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; - else - buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; -@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; -diff --git a/src/ulaw.c b/src/ulaw.c -index e50b4cb..b6070ad 100644 ---- a/src/ulaw.c -+++ b/src/ulaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2ulaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; - else - buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; -@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch deleted file mode 100644 index a17ec21f98..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001 -From: Fabian Greffrath <fabian@greffrath.com> -Date: Wed, 27 Sep 2017 14:46:17 +0200 -Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being - normal - -and check elements of the data[] array for being finite. - -Both checks use functions provided by the <math.h> header as declared -by the C99 standard. - -Fixes #317 -CVE: CVE-2017-14245 -CVE: CVE-2017-14246 - -Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258] - -Signed-off-by: Fabian Greffrath <fabian@greffrath.com> -Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> ---- - programs/common.c | 20 ++++++++++++++++---- - programs/common.h | 2 +- - programs/sndfile-convert.c | 6 +++++- - 3 files changed, 22 insertions(+), 6 deletions(-) - -diff --git a/programs/common.c b/programs/common.c -index a21e62c..a249a58 100644 ---- a/programs/common.c -+++ b/programs/common.c -@@ -36,6 +36,7 @@ - #include <string.h> - #include <ctype.h> - #include <stdint.h> -+#include <math.h> - - #include <sndfile.h> - -@@ -45,7 +46,7 @@ - - #define MIN(x, y) ((x) < (y) ? (x) : (y)) - --void -+int - sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) - { static double data [BUFFER_LEN], max ; - int frames, readcount, k ; -@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - readcount = frames ; - - sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ; -+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */ -+ return 1 ; - - if (!normalize && max < 1.0) - { while (readcount > 0) -@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - while (readcount > 0) - { readcount = sf_readf_double (infile, data, frames) ; - for (k = 0 ; k < readcount * channels ; k++) -- data [k] /= max ; -+ { data [k] /= max ; -+ -+ if (!isfinite (data [k])) /* infinite or NaN */ -+ return 1; -+ } - sf_writef_double (outfile, data, readcount) ; - } ; - } ; - -- return ; -+ return 0 ; - } /* sfe_copy_data_fp */ - - void -@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in - - /* If the input file is not the same as the output file, copy the data. */ - if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0) -+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ; -+ error_code = 1 ; -+ goto cleanup_exit ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - } ; -diff --git a/programs/common.h b/programs/common.h -index eda2d7d..986277e 100644 ---- a/programs/common.h -+++ b/programs/common.h -@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ; - - void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ; - --void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; -+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; - - void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ; - -diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c -index dff7f79..e6de593 100644 ---- a/programs/sndfile-convert.c -+++ b/programs/sndfile-convert.c -@@ -335,7 +335,11 @@ main (int argc, char * argv []) - || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0) -+ { printf ("Error : Not able to decode input file %s.\n", infilename) ; -+ return 1 ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch deleted file mode 100644 index 39b4ec1101..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001 -From: Fabian Greffrath <fabian@greffrath.com> -Date: Thu, 28 Sep 2017 12:15:04 +0200 -Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound - -This prevents division by zero later in the code. - -While the trivial case to catch this (i.e. sf.channels < 1) has already -been covered, a crafted file may report a number of channels that is -so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets -miscalculated to zero (if this makes sense) in the determination of the -blockwidth. Since we only support a limited number of channels anyway, -make sure to check here as well. - -CVE: CVE-2017-14634 - -Closes: https://github.com/erikd/libsndfile/issues/318 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788] - -Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com> -Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> ---- - src/double64.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/double64.c b/src/double64.c -index b318ea8..78dfef7 100644 ---- a/src/double64.c -+++ b/src/double64.c -@@ -91,7 +91,7 @@ int - double64_init (SF_PRIVATE *psf) - { static int double64_caps ; - -- if (psf->sf.channels < 1) -+ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS) - { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ; - return SFE_INTERNAL ; - } ; --- -2.13.3 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch deleted file mode 100644 index 89552ac2d9..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch +++ /dev/null @@ -1,34 +0,0 @@ -From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Tue, 23 May 2017 20:15:24 +1000 -Subject: [PATCH] src/aiff.c: Fix a buffer read overflow - -Secunia Advisory SA76717. - -Found by: Laurent Delosieres, Secunia Research at Flexera Software - -CVE: CVE-2017-6892 -Upstream-Status: Backport - -Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> - ---- - src/aiff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/aiff.c b/src/aiff.c -index 5b5f9f5..45864b7 100644 ---- a/src/aiff.c -+++ b/src/aiff.c -@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword) - psf_binheader_readf (psf, "j", dword - bytesread) ; - - if (map_info->channel_map != NULL) -- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ; -+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ; - - free (psf->channel_map) ; - --- -1.9.1 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch deleted file mode 100644 index ac99516bb3..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch +++ /dev/null @@ -1,73 +0,0 @@ -From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Wed, 12 Apr 2017 19:45:30 +1000 -Subject: [PATCH] FLAC: Fix a buffer read overrun - -Buffer read overrun occurs when reading a FLAC file that switches -from 2 channels to one channel mid-stream. Only option is to -abort the read. - -Closes: https://github.com/erikd/libsndfile/issues/230 - -CVE: CVE-2017-8361 CVE-2017-8365 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/common.h | 1 + - src/flac.c | 13 +++++++++++++ - src/sndfile.c | 1 + - 3 files changed, 15 insertions(+) - -diff --git a/src/common.h b/src/common.h -index 0bd810c..e2669b6 100644 ---- a/src/common.h -+++ b/src/common.h -@@ -725,6 +725,7 @@ enum - SFE_FLAC_INIT_DECODER, - SFE_FLAC_LOST_SYNC, - SFE_FLAC_BAD_SAMPLE_RATE, -+ SFE_FLAC_CHANNEL_COUNT_CHANGED, - SFE_FLAC_UNKOWN_ERROR, - - SFE_WVE_NOT_WVE, -diff --git a/src/flac.c b/src/flac.c -index 84de0e2..986a7b8 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ - - switch (metadata->type) - { case FLAC__METADATA_TYPE_STREAMINFO : -+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) -+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" -+ "Nothing to be but to error out.\n" , -+ psf->sf.channels, metadata->data.stream_info.channels) ; -+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; -+ return ; -+ } ; -+ -+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate) -+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n" -+ "Carrying on as if nothing happened.", -+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ; -+ } ; - psf->sf.channels = metadata->data.stream_info.channels ; - psf->sf.samplerate = metadata->data.stream_info.sample_rate ; - psf->sf.frames = metadata->data.stream_info.total_samples ; -diff --git a/src/sndfile.c b/src/sndfile.c -index 4187561..e2a87be 100644 ---- a/src/sndfile.c -+++ b/src/sndfile.c -@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] = - { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." }, - { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." }, - { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." }, -+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." }, - { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." }, - - { SFE_WVE_NOT_WVE , "Error : not a WVE file." }, --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch deleted file mode 100644 index 9ee7e46a6d..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch +++ /dev/null @@ -1,59 +0,0 @@ -From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Fri, 14 Apr 2017 15:19:16 +1000 -Subject: [PATCH] src/flac.c: Fix a buffer read overflow - -A file (generated by a fuzzer) which increased the number of channels -from one frame to the next could cause a read beyond the end of the -buffer provided by libFLAC. Only option is to abort the read. - -Closes: https://github.com/erikd/libsndfile/issues/231 - -CVE: CVE-2017-8362 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/flac.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/flac.c b/src/flac.c -index 5a4f8c2..e4f9aaa 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf) - const int32_t* const *buffer = pflac->wbuffer ; - unsigned i = 0, j, offset, channels, len ; - -+ if (psf->sf.channels != (int) frame->header.channels) -+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n" -+ "Nothing to do but to error out.\n" , -+ psf->sf.channels, frame->header.channels) ; -+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; -+ return 0 ; -+ } ; -+ - /* - ** frame->header.blocksize is variable and we're using a constant blocksize - ** of FLAC__MAX_BLOCK_SIZE. -@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf) - return 0 ; - } ; - -- - len = SF_MIN (pflac->len, frame->header.blocksize) ; - - if (pflac->remain % channels != 0) -@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ - { case FLAC__METADATA_TYPE_STREAMINFO : - if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) - { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" -- "Nothing to be but to error out.\n" , -+ "Nothing to do but to error out.\n" , - psf->sf.channels, metadata->data.stream_info.channels) ; - psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; - return ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch deleted file mode 100644 index e526e5a346..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch +++ /dev/null @@ -1,37 +0,0 @@ -From cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Wed, 12 Apr 2017 20:19:34 +1000 -Subject: [PATCH] src/flac.c: Fix another memory leak - -When the FLAC decoder was passed a malformed file, the associated -`FLAC__StreamDecoder` object was not getting released. - -Closes: https://github.com/erikd/libsndfile/issues/233 - -CVE: CVE-2017-8363 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/flac.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/flac.c b/src/flac.c -index 986a7b8..5a4f8c2 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -841,7 +841,9 @@ flac_read_header (SF_PRIVATE *psf) - - psf_log_printf (psf, "End\n") ; - -- if (psf->error == 0) -+ if (psf->error != 0) -+ FLAC__stream_decoder_delete (pflac->fsd) ; -+ else - { FLAC__uint64 position ; - - FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch deleted file mode 100644 index 4ae3674df1..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Wed, 10 Oct 2018 08:59:30 +0800 -Subject: [PATCH] libsndfile1: patch for CVE-2018-13139 - -Upstream-Status: Backport [https://github.com/bwarden/libsndfile/ -commit/df18323c622b54221ee7ace74b177cdcccc152d7] - -CVE: CVE-2018-13139 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - programs/sndfile-deinterleave.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c -index e27593e..721bee7 100644 ---- a/programs/sndfile-deinterleave.c -+++ b/programs/sndfile-deinterleave.c -@@ -89,6 +89,12 @@ main (int argc, char **argv) - exit (1) ; - } ; - -+ if (sfinfo.channels > MAX_CHANNELS) -+ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", -+ argv [1], sfinfo.channels, MAX_CHANNELS) ; -+ exit (1) ; -+ } ; -+ - state.channels = sfinfo.channels ; - sfinfo.channels = 1 ; - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch new file mode 100644 index 0000000000..fa4b2fc08b --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch @@ -0,0 +1,739 @@ +From c7ce5b0ebeeb58934825077d1324960aa0747718 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Tue, 10 Oct 2023 16:10:34 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation + +The clang sanitizer warns of a possible signed integer overflow when +calculating the `dataend` value in `mat4_read_header()`. + +``` +src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in +src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in +``` + +Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of +`dataend` before performing the calculation, to avoid the issue. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/789 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Upstream-Status: Backport [9a829113c88a51e57c1e46473e90609e4b7df151] + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/mat4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 0b1b414b..575683ba 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + +From 842303f984b2081481e74cb84a9a24ecbe3dec1a Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:36:02 -0400 +Subject: [PATCH] au: avoid int overflow while calculating data_end + +At several points in au_read_header(), we calculate the functional end +of the data segment by adding the (int)au_fmt.dataoffset and the +(int)au_fmt.datasize. This can overflow the implicit int_32 return value +and cause undefined behavior. + +Instead, precalculate the value and assign it to a 64-bit +(sf_count_t)data_end variable. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/au.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/au.c b/src/au.c +index 62bd691d..f68f2587 100644 +--- a/src/au.c ++++ b/src/au.c +@@ -291,6 +291,7 @@ static int + au_read_header (SF_PRIVATE *psf) + { AU_FMT au_fmt ; + int marker, dword ; ++ sf_count_t data_end ; + + memset (&au_fmt, 0, sizeof (au_fmt)) ; + psf_binheader_readf (psf, "pm", 0, &marker) ; +@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf) + return SFE_AU_EMBED_BAD_LEN ; + } ; + ++ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ; + if (psf->fileoffset > 0) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } +- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength) ++ else if (au_fmt.datasize == -1 || data_end == psf->filelength) + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; +- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ else if (data_end < psf->filelength) ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } + else +From 0754d3380a54e3fbdde0f684b88955c80c79f58f Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:46:29 -0400 +Subject: [PATCH] avr: fix int overflow in avr_read_header() + +Pre-cast hdr.frames to sf_count_t, to provide the calculation with +enough numeric space to avoid an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/avr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/avr.c b/src/avr.c +index 6c78ff69..1bc1ffc9 100644 +--- a/src/avr.c ++++ b/src/avr.c +@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf) + psf->endian = SF_ENDIAN_BIG ; + + psf->dataoffset = AVR_HDR_SIZE ; +- psf->datalength = hdr.frames * (hdr.rez / 8) ; ++ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ; + + if (psf->fileoffset > 0) + psf->filelength = AVR_HDR_SIZE + psf->datalength ; +From 6ac31a68a614e2bba4a05b54e5558d6270c98376 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:54:21 -0400 +Subject: [PATCH] sds: fix int overflow warning in sample calculations + +The sds_*byte_read() functions compose their uint_32 sample buffers by +shifting 7bit samples into a 32bit wide buffer, and adding them +together. Because the 7bit samples are stored in 32bit ints, code +fuzzers become concerned that the addition operation can overflow and +cause undefined behavior. + +Instead, bitwise-OR the bytes together - which should accomplish the +same arithmetic operation, without risking an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> + +Do the same for the 3byte and 4byte read functions. +--- + src/sds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/sds.c b/src/sds.c +index 6bc76171..2a0f164c 100644 +--- a/src/sds.c ++++ b/src/sds.c +@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 2) +- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ; ++ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ; + psds->read_samples [k / 2] = (int) (sample - 0x80000000) ; + } ; + +@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 3) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ; + psds->read_samples [k / 3] = (int) (sample - 0x80000000) ; + } ; + +@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 4) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ; + psds->read_samples [k / 4] = (int) (sample - 0x80000000) ; + } ; + +From 96428e1dd4998f1cd47df24f8fe9b0da35d7b947 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 17:26:51 -0400 +Subject: [PATCH] aiff: fix int overflow when counting header elements + +aiff_read_basc_chunk() tries to count the AIFF header size by keeping +track of the bytes returned by psf_binheader_readf(). Though improbable, +it is technically possible for these added bytes to exceed the int-sized +`count` accumulator. + +Use a 64-bit sf_count_t type for `count`, to ensure that it always has +enough numeric space. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/aiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/aiff.c b/src/aiff.c +index a2bda8f4..6b244302 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -1702,7 +1702,7 @@ static int + aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) + { const char * type_str ; + basc_CHUNK bc ; +- int count ; ++ sf_count_t count ; + + count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; + count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ; +From b352c350d35bf978e4d3a32e5d9df1f2284445f4 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 17:43:02 -0400 +Subject: [PATCH] ircam: fix int overflow in ircam_read_header() + +When reading the IRCAM header, it is possible for the calculated +blockwidth to exceed the bounds of a signed int32. + +Use a 64bit sf_count_t to store the blockwidth. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/common.h | 2 +- + src/ircam.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/common.h b/src/common.h +index d92eabde..5369cb67 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -439,7 +439,7 @@ typedef struct sf_private_tag + sf_count_t datalength ; /* Length in bytes of the audio data. */ + sf_count_t dataend ; /* Offset to file tailer. */ + +- int blockwidth ; /* Size in bytes of one set of interleaved samples. */ ++ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */ + int bytewidth ; /* Size in bytes of one sample (one channel). */ + + void *dither ; +diff --git a/src/ircam.c b/src/ircam.c +index 8e7cdba8..3d73ba44 100644 +--- a/src/ircam.c ++++ b/src/ircam.c +@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf) + switch (encoding) + { case IRCAM_PCM_16 : + psf->bytewidth = 2 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ; + break ; + + case IRCAM_PCM_32 : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ; + break ; + + case IRCAM_FLOAT : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ; + break ; + + case IRCAM_ALAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ; + break ; + + case IRCAM_ULAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ; + break ; +From 3bcd291e57867f88f558fa6f80990e84311df78c Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:12:22 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow when calculating blockwidth + +Pre-cast the components of the blockwidth calculation to sf_count_t to +avoid overflowing integers during calculation. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/mat4.c | 2 +- + src/mat5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 575683ba..9f046f0c 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf) + + psf->container_close = mat4_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_16 : +diff --git a/src/mat5.c b/src/mat5.c +index da5a6eca..20f0ea64 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf) + + psf->container_close = mat5_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_U8 : +From c177e292d47ef73b1d3c1bb391320299a0ed2ff9 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Mon, 16 Oct 2023 12:37:47 -0400 +Subject: [PATCH] common: fix int overflow in psf_binheader_readf() + +The psf_binheader_readf() function attempts to count and return the +number of bytes traversed in the header. During this accumulation, it is +possible to overflow the int-sized byte_count variable. + +Avoid this overflow by checking that the accumulated bytes do not exceed +INT_MAX and throwing an error if they do. This implies that files with +multi-gigabyte headers threaten to produce this error, but I imagine +those files don't really exist - and this error is better than the +undefined behavior which would have resulted previously. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/common.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1c3d951d..7f6cceca 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -18,6 +18,7 @@ + + #include <config.h> + ++#include <limits.h> + #include <stdarg.h> + #include <string.h> + #if HAVE_UNISTD_H +@@ -990,6 +991,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + double *doubleptr ; + char c ; + int byte_count = 0, count = 0 ; ++ int read_bytes = 0 ; + + if (! format) + return psf_ftell (psf) ; +@@ -998,6 +1000,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + + while ((c = *format++)) + { ++ read_bytes = 0 ; + if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16)) + break ; + +@@ -1014,7 +1017,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + *intptr = GET_MARKER (ucptr) ; + break ; + +@@ -1022,7 +1025,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; ++ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; + { int k ; + intdata = 0 ; + for (k = 0 ; k < 16 ; k++) +@@ -1034,14 +1037,14 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '1' : + charptr = va_arg (argptr, char*) ; + *charptr = 0 ; +- byte_count += header_read (psf, charptr, sizeof (char)) ; ++ read_bytes = header_read (psf, charptr, sizeof (char)) ; + break ; + + case '2' : /* 2 byte value with the current endian-ness */ + shortptr = va_arg (argptr, unsigned short*) ; + *shortptr = 0 ; + ucptr = (unsigned char*) shortptr ; +- byte_count += header_read (psf, ucptr, sizeof (short)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (short)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *shortptr = GET_BE_SHORT (ucptr) ; + else +@@ -1051,7 +1054,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '3' : /* 3 byte value with the current endian-ness */ + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 3) ; ++ read_bytes = header_read (psf, sixteen_bytes, 3) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = GET_BE_3BYTE (sixteen_bytes) ; + else +@@ -1062,7 +1065,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = psf_get_be32 (ucptr, 0) ; + else +@@ -1072,7 +1075,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '8' : /* 8 byte value with the current endian-ness */ + countptr = va_arg (argptr, sf_count_t *) ; + *countptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 8) ; ++ read_bytes = header_read (psf, sixteen_bytes, 8) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + countdata = psf_get_be64 (sixteen_bytes, 0) ; + else +@@ -1083,7 +1086,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'f' : /* Float conversion */ + floatptr = va_arg (argptr, float *) ; + *floatptr = 0.0 ; +- byte_count += header_read (psf, floatptr, sizeof (float)) ; ++ read_bytes = header_read (psf, floatptr, sizeof (float)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *floatptr = float32_be_read ((unsigned char*) floatptr) ; + else +@@ -1093,7 +1096,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'd' : /* double conversion */ + doubleptr = va_arg (argptr, double *) ; + *doubleptr = 0.0 ; +- byte_count += header_read (psf, doubleptr, sizeof (double)) ; ++ read_bytes = header_read (psf, doubleptr, sizeof (double)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *doubleptr = double64_be_read ((unsigned char*) doubleptr) ; + else +@@ -1117,7 +1120,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + charptr = va_arg (argptr, char*) ; + count = va_arg (argptr, size_t) ; + memset (charptr, 0, count) ; +- byte_count += header_read (psf, charptr, count) ; ++ read_bytes = header_read (psf, charptr, count) ; + break ; + + case 'G' : +@@ -1128,7 +1131,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count)) + break ; + +- byte_count += header_gets (psf, charptr, count) ; ++ read_bytes = header_gets (psf, charptr, count) ; + break ; + + case 'z' : +@@ -1152,7 +1155,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'j' : /* Seek to position from current position. */ + count = va_arg (argptr, size_t) ; + header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ read_bytes = count ; + break ; + + case '!' : /* Clear buffer, forcing re-read. */ +@@ -1164,8 +1167,17 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + psf->error = SFE_INTERNAL ; + break ; + } ; ++ ++ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes)) ++ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ; ++ psf->error = SFE_INTERNAL ; ++ break ; ++ } else ++ { byte_count += read_bytes ; + } ; + ++ } ; /*end while*/ ++ + va_end (argptr) ; + + return byte_count ; +From a23d563386e7c8d93dcdbe7d5b1d63cad6009116 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Thu, 19 Oct 2023 14:07:19 -0400 +Subject: [PATCH] nms_adpcm: fix int overflow in signal estimate + +It is possible (though functionally incorrect) for the signal estimate +calculation in nms_adpcm_update() to overflow the int value of s_e, +resulting in undefined behavior. + +Since adpcm state signal values are never practically larger than +16 bits, use smaller numeric sizes throughout the file to avoid the +overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Authored-by: Arthur Taylor <art@ified.ca> +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +Rebased-by: Alex Stewart <alex.stewart@ni.com> +--- + src/nms_adpcm.c | 85 ++++++++++++++++++++++++------------------------- + 1 file changed, 42 insertions(+), 43 deletions(-) + +diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c +index 96d6ad26..460ea077 100644 +--- a/src/nms_adpcm.c ++++ b/src/nms_adpcm.c +@@ -48,36 +48,36 @@ + /* Variable names from ITU G.726 spec */ + struct nms_adpcm_state + { /* Log of the step size multiplier. Operated on by codewords. */ +- int yl ; ++ short yl ; + + /* Quantizer step size multiplier. Generated from yl. */ +- int y ; ++ short y ; + +- /* Coefficents of the pole predictor */ +- int a [2] ; ++ /* Coefficients of the pole predictor */ ++ short a [2] ; + +- /* Coefficents of the zero predictor */ +- int b [6] ; ++ /* Coefficients of the zero predictor */ ++ short b [6] ; + + /* Previous quantized deltas (multiplied by 2^14) */ +- int d_q [7] ; ++ short d_q [7] ; + + /* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */ +- int p [3] ; ++ short p [3] ; + + /* Previous reconstructed signal values. */ +- int s_r [2] ; ++ short s_r [2] ; + + /* Zero predictor components of the signal estimate. */ +- int s_ez ; ++ short s_ez ; + + /* Signal estimate, (including s_ez). */ +- int s_e ; ++ short s_e ; + + /* The most recent codeword (enc:generated, dec:inputted) */ +- int Ik ; ++ char Ik ; + +- int parity ; ++ char parity ; + + /* + ** Offset into code tables for the bitrate. +@@ -109,7 +109,7 @@ typedef struct + } NMS_ADPCM_PRIVATE ; + + /* Pre-computed exponential interval used in the antilog approximation. */ +-static unsigned int table_expn [] = ++static unsigned short table_expn [] = + { 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a, + 0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892, + 0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954, +@@ -117,21 +117,21 @@ static unsigned int table_expn [] = + } ; + + /* Table mapping codewords to scale factor deltas. */ +-static int table_scale_factor_step [] = ++static short table_scale_factor_step [] = + { 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */ + -0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */ + -0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */ + } ; + + /* Table mapping codewords to quantized delta interval steps. */ +-static unsigned int table_step [] = ++static unsigned short table_step [] = + { 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */ + 0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */ + 0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */ + } ; + + /* Binary search lookup table for quantizing using table_step. */ +-static int table_step_search [] = ++static short table_step_search [] = + { 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */ + 0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */ + 0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */ +@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) + ** Maps [1,20480] to [1,1024] in an exponential relationship. This is + ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385 + */ +-static inline int +-nms_adpcm_antilog (int exp) +-{ int ret ; ++static inline short ++nms_adpcm_antilog (short exp) ++{ int_fast32_t r ; + +- ret = 0x1000 ; +- ret += (((exp & 0x3f) * 0x166b) >> 12) ; +- ret *= table_expn [(exp & 0x7c0) >> 6] ; +- ret >>= (26 - (exp >> 11)) ; ++ r = 0x1000 ; ++ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ; ++ r *= table_expn [(exp & 0x7c0) >> 6] ; ++ r >>= (26 - (exp >> 11)) ; + +- return ret ; ++ return (short) r ; + } /* nms_adpcm_antilog */ + + static void + nms_adpcm_update (struct nms_adpcm_state *s) + { /* Variable names from ITU G.726 spec */ +- int a1ul ; +- int fa1 ; ++ short a1ul, fa1 ; ++ int_fast32_t se ; + int i ; + + /* Decay and Modify the scale factor in the log domain based on the codeword. */ +@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + else if (fa1 > 256) + fa1 = 256 ; + +- s->a [0] = (0xff * s->a [0]) >> 8 ; ++ s->a [0] = (s->a [0] * 0xff) >> 8 ; + if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0)) + s->a [0] -= 192 ; + else +@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + fa1 = -fa1 ; + } + +- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ; ++ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ; + if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0)) + s->a [1] -= 128 ; + else +@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s) + s->a [0] = a1ul ; + } ; + +- /* Compute the zero predictor estimate. Rotate past deltas too. */ +- s->s_ez = 0 ; ++ /* Compute the zero predictor estimate and rotate past deltas. */ ++ se = 0 ; + for (i = 5 ; i >= 0 ; i--) +- { s->s_ez += s->d_q [i] * s->b [i] ; ++ { se += (int_fast32_t) s->d_q [i] * s->b [i] ; + s->d_q [i + 1] = s->d_q [i] ; + } ; ++ s->s_ez = se >> 14 ; + +- /* Compute the signal estimate. */ +- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ; +- +- /* Return to scale */ +- s->s_ez >>= 14 ; +- s->s_e >>= 14 ; ++ /* Complete the signal estimate. */ ++ se += (int_fast32_t) s->a [0] * s->s_r [0] ; ++ se += (int_fast32_t) s->a [1] * s->s_r [1] ; ++ s->s_e = se >> 14 ; + + /* Rotate members to prepare for next iteration. */ + s->s_r [1] = s->s_r [0] ; +@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + static int16_t + nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I) + { /* Variable names from ITU G.726 spec */ +- int dqx ; ++ int_fast32_t dqx ; + + /* + ** The ordering of the 12-bit right-shift is a precision loss. It agrees +@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type) + /* + ** nms_adpcm_encode_sample() + ** +-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword ++** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword + ** using and updating the predictor state. + */ + static uint8_t + nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + { /* Variable names from ITU G.726 spec */ +- int d ; ++ int_fast32_t d ; + uint8_t I ; + + /* Down scale the sample from 16 => ~14 bits. */ +- sl = (sl * 0x1fdf) / 0x7fff ; ++ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ; + + /* Compute estimate, and delta from actual value */ + nms_adpcm_update (s) ; +@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + */ + static int16_t + nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I) +-{ int sl ; ++{ int_fast32_t sl ; + + nms_adpcm_update (s) ; + sl = nms_adpcm_reconstruct_sample (s, I) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch new file mode 100644 index 0000000000..cb1778bede --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch @@ -0,0 +1,68 @@ +From 593256a3e386a4e17fe26cfbfb813cf4996447d7 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Mon, 4 Apr 2022 19:46:44 +0200 +Subject: [PATCH] Disable opus library + +We don't have opus in OE-Core which causes all the external libs to be disabled +silently. The silent issue is discussed in the link below and hints a patch +to make things configurable may be accepted. + +This patch removing the opus piece at least gets most of the functionality +we previously used back whilst the issue is discussed. + +Upstream-Status: Denied [https://github.com/libsndfile/libsndfile/pull/812] + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + configure.ac | 10 +++++----- + src/ogg_opus.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 727b67bc..f9d2e447 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -373,13 +373,13 @@ AS_IF([test -n "$PKG_CONFIG"], [ + enable_external_libs=yes + ]) + +- AS_IF([test "x$ac_cv_flac$ac_cv_ogg$ac_cv_vorbis$ac_cv_vorbisenc$ac_cv_opus" = "xyesyesyesyesyes"], [ ++ AS_IF([test "x$ac_cv_flac$ac_cv_ogg$ac_cv_vorbis$ac_cv_vorbisenc" = "xyesyesyesyes"], [ + HAVE_EXTERNAL_XIPH_LIBS=1 + enable_external_libs=yes + +- EXTERNAL_XIPH_CFLAGS="$FLAC_CFLAGS $VORBIS_CFLAGS $VORBISENC_CFLAGS $SPEEX_CFLAGS $OPUS_CFLAGS $OGG_CFLAGS " +- EXTERNAL_XIPH_LIBS="$FLAC_LIBS $VORBIS_LIBS $VORBISENC_LIBS $SPEEX_LIBS $OPUS_LIBS $OGG_LIBS " +- EXTERNAL_XIPH_REQUIRE="flac ogg vorbis vorbisenc opus" ++ EXTERNAL_XIPH_CFLAGS="$FLAC_CFLAGS $VORBIS_CFLAGS $VORBISENC_CFLAGS $SPEEX_CFLAGS $OGG_CFLAGS " ++ EXTERNAL_XIPH_LIBS="$FLAC_LIBS $VORBIS_LIBS $VORBISENC_LIBS $SPEEX_LIBS $OGG_LIBS " ++ EXTERNAL_XIPH_REQUIRE="flac ogg vorbis vorbisenc" + + if test x$ac_cv_speex = "xyes" ; then + EXTERNAL_XIPH_REQUIRE="$EXTERNAL_XIPH_REQUIRE speex" +@@ -788,7 +788,7 @@ AC_MSG_RESULT([ + + Experimental code : ................... ${enable_experimental:-no} + Using ALSA in example programs : ...... ${enable_alsa:-no} +- External FLAC/Ogg/Vorbis/Opus : ....... ${enable_external_libs:-no} ++ External FLAC/Ogg/Vorbis : ....... ${enable_external_libs:-no} + External MPEG Lame/MPG123 : ........... ${enable_mpeg:-no} + Building Octave interface : ........... ${OCTAVE_BUILD} + +diff --git a/src/ogg_opus.c b/src/ogg_opus.c +index dfa446ee..0d4fe57b 100644 +--- a/src/ogg_opus.c ++++ b/src/ogg_opus.c +@@ -159,7 +159,7 @@ + #include "sfendian.h" + #include "common.h" + +-#if HAVE_EXTERNAL_XIPH_LIBS ++#if 0 + + #include <ogg/ogg.h> + #include <opus/opus.h> +-- +2.30.2 + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb deleted file mode 100644 index 13248f5cb7..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ /dev/null @@ -1,37 +0,0 @@ -SUMMARY = "Audio format Conversion library" -HOMEPAGE = "http://www.mega-nerd.com/libsndfile" -AUTHOR = "Erik de Castro Lopo" -DEPENDS = "flac libogg libvorbis sqlite3" -SECTION = "libs/multimedia" -LICENSE = "LGPLv2.1" - -SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ - file://CVE-2017-6892.patch \ - file://CVE-2017-8361-8365.patch \ - file://CVE-2017-8362.patch \ - file://CVE-2017-8363.patch \ - file://CVE-2017-14245-14246.patch \ - file://CVE-2017-14634.patch \ - file://CVE-2018-13139.patch \ - file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ - " - -SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" -SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" - -LIC_FILES_CHKSUM = "file://COPYING;md5=e77fe93202736b47c07035910f47974a" - -CVE_PRODUCT = "libsndfile" - -S = "${WORKDIR}/libsndfile-${PV}" - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa', d)}" -PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" - -inherit autotools lib_package pkgconfig - -do_configure_prepend_arm() { - export ac_cv_sys_largefile_source=1 - export ac_cv_sys_file_offset_bits=64 -} - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.2.2.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.2.2.bb new file mode 100644 index 0000000000..a9ee7c3575 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.2.2.bb @@ -0,0 +1,32 @@ +SUMMARY = "Audio format Conversion library" +DESCRIPTION = "Library for reading and writing files containing sampled \ +sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \ +one standard library interface." +HOMEPAGE = "https://libsndfile.github.io/libsndfile/" +DEPENDS = "flac libogg libvorbis" +SECTION = "libs/multimedia" +LICENSE = "LGPL-2.1-only" + +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/libsndfile-${PV}.tar.xz \ + file://noopus.patch \ + file://cve-2022-33065.patch \ + " +GITHUB_BASE_URI = "https://github.com/libsndfile/libsndfile/releases/" + +SRC_URI[sha256sum] = "3799ca9924d3125038880367bf1468e53a1b7e3686a934f098b7e1d286cdb80e" + +LIC_FILES_CHKSUM = "file://COPYING;md5=e77fe93202736b47c07035910f47974a" + +CVE_PRODUCT = "libsndfile" + +S = "${WORKDIR}/libsndfile-${PV}" + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa', d)}" +PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" +PACKAGECONFIG[regtest] = "--enable-sqlite,--disable-sqlite,sqlite3" + +inherit autotools lib_package pkgconfig multilib_header github-releases + +do_install:append() { + oe_multilib_header sndfile.h +} |