diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-12-27 11:56:13 +0100 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2025-02-04 14:29:37 -0800 |
| commit | 85c8b0ab7a5272da4c4976e3aeaedb0b5e4d907c (patch) | |
| tree | 443abd25136f305d7ddeb0fb077c7c7847cd8b5b | |
| parent | beefbac3d79f6030a194667dd1290107a6735a0a (diff) | |
| download | meta-openembedded-85c8b0ab7a5272da4c4976e3aeaedb0b5e4d907c.tar.gz | |
audiofile: fix multiple CVEs
CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838
Use patch from buildroot:
https://github.com/buildroot/buildroot/commit/4a1a8277bba490d227f413e218138e39f1fe1203
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 75f2bd2b3b145d8282db9926d8212c6d81bde99e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb | 1 | ||||
| -rw-r--r-- | meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch | 79 |
2 files changed, 80 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index a48bed2a3b..8aebe88f26 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb | |||
| @@ -15,6 +15,7 @@ SRC_URI = " \ | |||
| 15 | file://0003-fix-CVE-2015-7747.patch \ | 15 | file://0003-fix-CVE-2015-7747.patch \ |
| 16 | file://0004-Always-check-the-number-of-coefficients.patch \ | 16 | file://0004-Always-check-the-number-of-coefficients.patch \ |
| 17 | file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ | 17 | file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ |
| 18 | file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \ | ||
| 18 | " | 19 | " |
| 19 | SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" | 20 | SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" |
| 20 | SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" | 21 | SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" |
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..ec21b09f30 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch | |||
| @@ -0,0 +1,79 @@ | |||
| 1 | From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Antonio Larrosa <larrosa@kde.org> | ||
| 3 | Date: Mon, 6 Mar 2017 13:54:52 +0100 | ||
| 4 | Subject: [PATCH] Check for multiplication overflow in sfconvert | ||
| 5 | |||
| 6 | Checks that a multiplication doesn't overflow when | ||
| 7 | calculating the buffer size, and if it overflows, | ||
| 8 | reduce the buffer size instead of failing. | ||
| 9 | |||
| 10 | This fixes the 00192-audiofile-signintoverflow-sfconvert case | ||
| 11 | in #41 | ||
| 12 | |||
| 13 | Signed-off-by: Peter Korsgaard <peter@korsgaard.com> | ||
| 14 | |||
| 15 | CVE: CVE-2017-6830 | ||
| 16 | CVE: CVE-2017-6834 | ||
| 17 | CVE: CVE-2017-6836 | ||
| 18 | CVE: CVE-2017-6838 | ||
| 19 | Upstream-Status: Inactive-Upstream [lastrelease: 2013] | ||
| 20 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 21 | --- | ||
| 22 | sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- | ||
| 23 | 1 file changed, 32 insertions(+), 2 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c | ||
| 26 | index 80a1bc4..970a3e4 100644 | ||
| 27 | --- a/sfcommands/sfconvert.c | ||
| 28 | +++ b/sfcommands/sfconvert.c | ||
| 29 | @@ -45,6 +45,33 @@ void printusage (void); | ||
| 30 | void usageerror (void); | ||
| 31 | bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); | ||
| 32 | |||
| 33 | +int firstBitSet(int x) | ||
| 34 | +{ | ||
| 35 | + int position=0; | ||
| 36 | + while (x!=0) | ||
| 37 | + { | ||
| 38 | + x>>=1; | ||
| 39 | + ++position; | ||
| 40 | + } | ||
| 41 | + return position; | ||
| 42 | +} | ||
| 43 | + | ||
| 44 | +#ifndef __has_builtin | ||
| 45 | +#define __has_builtin(x) 0 | ||
| 46 | +#endif | ||
| 47 | + | ||
| 48 | +int multiplyCheckOverflow(int a, int b, int *result) | ||
| 49 | +{ | ||
| 50 | +#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) | ||
| 51 | + return __builtin_mul_overflow(a, b, result); | ||
| 52 | +#else | ||
| 53 | + if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits | ||
| 54 | + return true; | ||
| 55 | + *result = a * b; | ||
| 56 | + return false; | ||
| 57 | +#endif | ||
| 58 | +} | ||
| 59 | + | ||
| 60 | int main (int argc, char **argv) | ||
| 61 | { | ||
| 62 | if (argc == 2) | ||
| 63 | @@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) | ||
| 64 | { | ||
| 65 | int frameSize = afGetVirtualFrameSize(infile, trackid, 1); | ||
| 66 | |||
| 67 | - const int kBufferFrameCount = 65536; | ||
| 68 | - void *buffer = malloc(kBufferFrameCount * frameSize); | ||
| 69 | + int kBufferFrameCount = 65536; | ||
| 70 | + int bufferSize; | ||
| 71 | + while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) | ||
| 72 | + kBufferFrameCount /= 2; | ||
| 73 | + void *buffer = malloc(bufferSize); | ||
| 74 | |||
| 75 | AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); | ||
| 76 | AFframecount totalFramesWritten = 0; | ||
| 77 | -- | ||
| 78 | 2.11.0 | ||
| 79 | |||