2 files changed, 44 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index 7654c073f4..a48bed2a3b 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
    file://0002-fix-build-on-gcc6.patch \
    file://0003-fix-CVE-2015-7747.patch \
    file://0004-Always-check-the-number-of-coefficients.patch \
+    file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
 "
 SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
new file mode 100644
index 0000000000..00bb7e597e
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,43 @@
+From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:02:31 +0100
+Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
+This fixes #33
+(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
+and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6829
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/modules/IMA.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
+index 7476d44..df4aad6 100644
+--- a/libaudiofile/modules/IMA.cpp
+++ b/libaudiofile/modules/IMA.cpp
+@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
+                if (encoded[1] & 0x80)
+                        m_adpcmState[c].previousValue -= 0x10000;
+ 
+-               m_adpcmState[c].index = encoded[2];
+               m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+ 
+                *decoded++ = m_adpcmState[c].previousValue;
+ 
+@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
+                        predictor -= 0x10000;
+ 
+                state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+-               state.index = encoded[1] & 0x7f;
+               state.index = clamp(encoded[1] & 0x7f, 0, 88);
+                encoded += 2;
+ 
+                for (int n=0; n<m_framesPerPacket; n+=2)
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 7654c073f4..a48bed2a3b 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -14,6 +14,7 @@ SRC_URI = " \
14	file://0002-fix-build-on-gcc6.patch \	14	file://0002-fix-build-on-gcc6.patch \
15	file://0003-fix-CVE-2015-7747.patch \	15	file://0003-fix-CVE-2015-7747.patch \
16	file://0004-Always-check-the-number-of-coefficients.patch \	16	file://0004-Always-check-the-number-of-coefficients.patch \
		17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
17	"	18	"
18	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"	19	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
19	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	20	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch new file mode 100644 index 0000000000..00bb7e597e --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,43 @@
		1	From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 18:02:31 +0100
		4	Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
		5
		6	This fixes #33
		7	(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
		8	and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
		9
		10	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		11
		12	CVE: CVE-2017-6829
		13	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		14	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		15	---
		16	libaudiofile/modules/IMA.cpp \| 4 ++--
		17	1 file changed, 2 insertions(+), 2 deletions(-)
		18
		19	diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
		20	index 7476d44..df4aad6 100644
		21	--- a/libaudiofile/modules/IMA.cpp
		22	+++ b/libaudiofile/modules/IMA.cpp
		23	@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t encoded, int16_t decoded)
		24	if (encoded[1] & 0x80)
		25	m_adpcmState[c].previousValue -= 0x10000;
		26
		27	- m_adpcmState[c].index = encoded[2];
		28	+ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
		29
		30	*decoded++ = m_adpcmState[c].previousValue;
		31
		32	@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t encoded, int16_t decoded)
		33	predictor -= 0x10000;
		34
		35	state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
		36	- state.index = encoded[1] & 0x7f;
		37	+ state.index = clamp(encoded[1] & 0x7f, 0, 88);
		38	encoded += 2;
		39
		40	for (int n=0; n<m_framesPerPacket; n+=2)
		41	--
		42	2.11.0
		43