3 files changed, 83 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index 50df31c7b9..fd80729bd2 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -18,6 +18,8 @@ SRC_URI = " \
    file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
    file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
    file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \
+    file://CVE-2019-13147.patch \
+    file://CVE-2022-24599.patch \
 "
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch
new file mode 100644
index 0000000000..19f6892f69
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch
@@ -0,0 +1,31 @@
+This patch is taken from opensuse: 
+https://build.opensuse.org/package/show/multimedia:libs/audiofile
+CVE: CVE-2019-13147
+Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+diff --unified --recursive --text --new-file --color audiofile-0.3.6/libaudiofile/NeXT.cpp audiofile-0.3.6.new/libaudiofile/NeXT.cpp
+--- audiofile-0.3.6/libaudiofile/NeXT.cpp       2013-03-06 13:30:03.000000000 +0800
+++ audiofile-0.3.6.new/libaudiofile/NeXT.cpp   2025-05-14 10:45:11.685700984 +0800
+@@ -32,6 +32,7 @@
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ 
+ #include "File.h"
+ #include "Setup.h"
+@@ -122,6 +123,12 @@
+                _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
+                return AF_FAIL;
+        }
+       /* avoid overflow of INT for double size rate */
+       if (channelCount > (INT32_MAX / (sizeof(double))))
+       {
+               _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
+               return AF_FAIL;
+       }
+ 
+        Track *track = allocateTrack();
+        if (!track)
diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch
new file mode 100644
index 0000000000..9214d80172
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch
@@ -0,0 +1,50 @@
+This patch is taken from opensuse:
+https://build.opensuse.org/package/show/multimedia:libs/audiofile
+CVE: CVE-2022-24599
+Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+diff --unified --recursive --text --new-file --color audiofile-0.3.6.old/sfcommands/printinfo.c audiofile-0.3.6.new/sfcommands/printinfo.c
+--- audiofile-0.3.6.old/sfcommands/printinfo.c  2013-03-06 13:30:03.000000000 +0800
+++ audiofile-0.3.6.new/sfcommands/printinfo.c  2025-04-30 15:18:24.778177640 +0800
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+#include <limits.h>
+ 
+ static char *copyrightstring (AFfilehandle file);
+ 
+@@ -147,7 +148,11 @@
+        int             i, misccount;
+ 
+        misccount = afGetMiscIDs(file, NULL);
+-       miscids = (int *) malloc(sizeof (int) * misccount);
+       if (!misccount)
+           return NULL;
+       miscids = (int *)calloc(misccount, sizeof(int));
+       if (!miscids)
+           return NULL;
+        afGetMiscIDs(file, miscids);
+ 
+        for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@
+                        If this code executes, the miscellaneous chunk is a
+                        copyright chunk.
+                */
+-               int datasize = afGetMiscSize(file, miscids[i]);
+-               char *data = (char *) malloc(datasize);
+               size_t datasize = afGetMiscSize(file, miscids[i]);
+               if (datasize >= INT_MAX - 1)
+                   goto error;
+               char *data = (char *)calloc(datasize + 1, sizeof(char));
+                afReadMisc(file, miscids[i], data, datasize);
+                copyright = data;
+                break;
+        }
+ 
+error:
+        free(miscids);
+ 
+        return copyright;

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 50df31c7b9..fd80729bd2 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -18,6 +18,8 @@ SRC_URI = " \
18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \	18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
19	file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \	19	file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
20	file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \	20	file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \
		21	file://CVE-2019-13147.patch \
		22	file://CVE-2022-24599.patch \
21	"	23	"
22	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	24	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
23		25


diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch new file mode 100644 index 0000000000..19f6892f69 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2019-13147.patch
@@ -0,0 +1,31 @@
		1	This patch is taken from opensuse:
		2	https://build.opensuse.org/package/show/multimedia:libs/audiofile
		3
		4	CVE: CVE-2019-13147
		5	Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
		6	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		7
		8	diff --unified --recursive --text --new-file --color audiofile-0.3.6/libaudiofile/NeXT.cpp audiofile-0.3.6.new/libaudiofile/NeXT.cpp
		9	--- audiofile-0.3.6/libaudiofile/NeXT.cpp 2013-03-06 13:30:03.000000000 +0800
		10	+++ audiofile-0.3.6.new/libaudiofile/NeXT.cpp 2025-05-14 10:45:11.685700984 +0800
		11	@@ -32,6 +32,7 @@
		12	#include <stdint.h>
		13	#include <stdlib.h>
		14	#include <string.h>
		15	+#include <limits.h>
		16
		17	#include "File.h"
		18	#include "Setup.h"
		19	@@ -122,6 +123,12 @@
		20	_af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
		21	return AF_FAIL;
		22	}
		23	+ /* avoid overflow of INT for double size rate */
		24	+ if (channelCount > (INT32_MAX / (sizeof(double))))
		25	+ {
		26	+ _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
		27	+ return AF_FAIL;
		28	+ }
		29
		30	Track *track = allocateTrack();
		31	if (!track)


diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch new file mode 100644 index 0000000000..9214d80172 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2022-24599.patch
@@ -0,0 +1,50 @@
		1	This patch is taken from opensuse:
		2	https://build.opensuse.org/package/show/multimedia:libs/audiofile
		3
		4	CVE: CVE-2022-24599
		5	Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
		6	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		7
		8	diff --unified --recursive --text --new-file --color audiofile-0.3.6.old/sfcommands/printinfo.c audiofile-0.3.6.new/sfcommands/printinfo.c
		9	--- audiofile-0.3.6.old/sfcommands/printinfo.c 2013-03-06 13:30:03.000000000 +0800
		10	+++ audiofile-0.3.6.new/sfcommands/printinfo.c 2025-04-30 15:18:24.778177640 +0800
		11	@@ -37,6 +37,7 @@
		12	#include <stdint.h>
		13	#include <stdio.h>
		14	#include <stdlib.h>
		15	+#include <limits.h>
		16
		17	static char *copyrightstring (AFfilehandle file);
		18
		19	@@ -147,7 +148,11 @@
		20	int i, misccount;
		21
		22	misccount = afGetMiscIDs(file, NULL);
		23	- miscids = (int ) malloc(sizeof (int) misccount);
		24	+ if (!misccount)
		25	+ return NULL;
		26	+ miscids = (int *)calloc(misccount, sizeof(int));
		27	+ if (!miscids)
		28	+ return NULL;
		29	afGetMiscIDs(file, miscids);
		30
		31	for (i=0; i<misccount; i++)
		32	@@ -159,13 +164,16 @@
		33	If this code executes, the miscellaneous chunk is a
		34	copyright chunk.
		35	*/
		36	- int datasize = afGetMiscSize(file, miscids[i]);
		37	- char data = (char ) malloc(datasize);
		38	+ size_t datasize = afGetMiscSize(file, miscids[i]);
		39	+ if (datasize >= INT_MAX - 1)
		40	+ goto error;
		41	+ char data = (char )calloc(datasize + 1, sizeof(char));
		42	afReadMisc(file, miscids[i], data, datasize);
		43	copyright = data;
		44	break;
		45	}
		46
		47	+error:
		48	free(miscids);
		49
		50	return copyright;