2 files changed, 80 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index a48bed2a3b..8aebe88f26 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
    file://0003-fix-CVE-2015-7747.patch \
    file://0004-Always-check-the-number-of-coefficients.patch \
    file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
+    file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
 "
 SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
new file mode 100644
index 0000000000..ec21b09f30
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH] Check for multiplication overflow in sfconvert
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6830
+CVE: CVE-2017-6834
+CVE: CVE-2017-6836
+CVE: CVE-2017-6838
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+ 
+int firstBitSet(int x)
+{
+        int position=0;
+        while (x!=0)
+        {
+                x>>=1;
+                ++position;
+        }
+        return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+       return __builtin_mul_overflow(a, b, result);
+#else
+       if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+               return true;
+       *result = a * b;
+       return false;
+#endif
+}
+
+ int main (int argc, char **argv)
+ {
+        if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+        int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ 
+-       const int kBufferFrameCount = 65536;
+-       void *buffer = malloc(kBufferFrameCount * frameSize);
+       int kBufferFrameCount = 65536;
+       int bufferSize;
+       while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
+               kBufferFrameCount /= 2;
+       void *buffer = malloc(bufferSize);
+ 
+        AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+        AFframecount totalFramesWritten = 0;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index a48bed2a3b..8aebe88f26 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
15	file://0003-fix-CVE-2015-7747.patch \	15	file://0003-fix-CVE-2015-7747.patch \
16	file://0004-Always-check-the-number-of-coefficients.patch \	16	file://0004-Always-check-the-number-of-coefficients.patch \
17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \	17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
		18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
18	"	19	"
19	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"	20	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
20	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	21	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..ec21b09f30 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
		1	From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 13:54:52 +0100
		4	Subject: [PATCH] Check for multiplication overflow in sfconvert
		5
		6	Checks that a multiplication doesn't overflow when
		7	calculating the buffer size, and if it overflows,
		8	reduce the buffer size instead of failing.
		9
		10	This fixes the 00192-audiofile-signintoverflow-sfconvert case
		11	in #41
		12
		13	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		14
		15	CVE: CVE-2017-6830
		16	CVE: CVE-2017-6834
		17	CVE: CVE-2017-6836
		18	CVE: CVE-2017-6838
		19	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		21	---
		22	sfcommands/sfconvert.c \| 34 ++++++++++++++++++++++++++++++++--
		23	1 file changed, 32 insertions(+), 2 deletions(-)
		24
		25	diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
		26	index 80a1bc4..970a3e4 100644
		27	--- a/sfcommands/sfconvert.c
		28	+++ b/sfcommands/sfconvert.c
		29	@@ -45,6 +45,33 @@ void printusage (void);
		30	void usageerror (void);
		31	bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
		32
		33	+int firstBitSet(int x)
		34	+{
		35	+ int position=0;
		36	+ while (x!=0)
		37	+ {
		38	+ x>>=1;
		39	+ ++position;
		40	+ }
		41	+ return position;
		42	+}
		43	+
		44	+#ifndef __has_builtin
		45	+#define __has_builtin(x) 0
		46	+#endif
		47	+
		48	+int multiplyCheckOverflow(int a, int b, int *result)
		49	+{
		50	+#if (defined __GNUC__ && __GNUC__ >= 5) \|\| ( __clang__ && __has_builtin(__builtin_mul_overflow))
		51	+ return __builtin_mul_overflow(a, b, result);
		52	+#else
		53	+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
		54	+ return true;
		55	+ result = a b;
		56	+ return false;
		57	+#endif
		58	+}
		59	+
		60	int main (int argc, char **argv)
		61	{
		62	if (argc == 2)
		63	@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
		64	{
		65	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
		66
		67	- const int kBufferFrameCount = 65536;
		68	- void buffer = malloc(kBufferFrameCount frameSize);
		69	+ int kBufferFrameCount = 65536;
		70	+ int bufferSize;
		71	+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
		72	+ kBufferFrameCount /= 2;
		73	+ void *buffer = malloc(bufferSize);
		74
		75	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
		76	AFframecount totalFramesWritten = 0;
		77	--
		78	2.11.0
		79