2 files changed, 47 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index 8aebe88f26..3d0ce3bfbc 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
    file://0004-Always-check-the-number-of-coefficients.patch \
    file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
    file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
+    file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
 "
 SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 0000000000..38294ca200
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6831
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_NOT_IMPLEMENTED,
+                                        "IMA ADPCM compression supports only 4 bits per sample");
+                               return AF_FAIL;
+                        }
+ 
+                        int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_CODEC_CONFIG,
+                                        "Invalid samples per block for IMA ADPCM compression");
+                               return AF_FAIL;
+                        }
+ 
+                        track->f.sampleWidth = 16;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 8aebe88f26..3d0ce3bfbc 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
16	file://0004-Always-check-the-number-of-coefficients.patch \	16	file://0004-Always-check-the-number-of-coefficients.patch \
17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \	17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \	18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
		19	file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
19	"	20	"
20	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"	21	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
21	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	22	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch new file mode 100644 index 0000000000..38294ca200 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
		1	From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 18:59:26 +0100
		4	Subject: [PATCH] Actually fail when error occurs in parseFormat
		5
		6	When there's an unsupported number of bits per sample or an invalid
		7	number of samples per block, don't only print an error message using
		8	the error handler, but actually stop parsing the file.
		9
		10	This fixes #35 (also reported at
		11	https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
		12	https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
		13	)
		14
		15	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		16
		17	CVE: CVE-2017-6831
		18	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	libaudiofile/WAVE.cpp \| 2 ++
		22	1 file changed, 2 insertions(+)
		23
		24	diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
		25	index 0e81cf7..d762249 100644
		26	--- a/libaudiofile/WAVE.cpp
		27	+++ b/libaudiofile/WAVE.cpp
		28	@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
		29	{
		30	_af_error(AF_BAD_NOT_IMPLEMENTED,
		31	"IMA ADPCM compression supports only 4 bits per sample");
		32	+ return AF_FAIL;
		33	}
		34
		35	int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
		36	@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
		37	{
		38	_af_error(AF_BAD_CODEC_CONFIG,
		39	"Invalid samples per block for IMA ADPCM compression");
		40	+ return AF_FAIL;
		41	}
		42
		43	track->f.sampleWidth = 16;
		44	--
		45	2.11.0
		46