3 files changed, 73 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index b14b4792b3..cc7fef2a26 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -22,6 +22,8 @@ SRC_URI = " \
    file://test-for-CVE-2015-7747.patch \
    file://CVE-2019-13147.patch \
    file://CVE-2022-24599.patch \
+    file://CVE-2018-13440.patch \
+    file://CVE-2018-17059.patch \
 "
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch
new file mode 100644
index 0000000000..f468696845
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch
@@ -0,0 +1,36 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH] ModuleState: handle compress/decompress init failure
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+Fixes #49
+This patch has been backported from Debian:
+https://sources.debian.org/src/audiofile/0.3.6-7/debian/patches/11_CVE-2018-13440.patch
+CVE: CVE-2018-13440
+Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
+++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+                m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+                        file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+ 
+       if (!m_fileModule)
+               return AF_FAIL;
+
+        if (unit->needsRebuffer)
+        {
+                assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch
new file mode 100644
index 0000000000..e9b560102a
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch
@@ -0,0 +1,35 @@
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH] SimpleModule: set output chunk framecount after pull
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+Fixes #50 and #51
+This patch has been backported from Debian:
+https://sources.debian.org/src/audiofile/0.3.6-7/debian/patches/12_CVE-2018-17095.patch
+CVE: CVE-2018-17095
+Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
+++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+        pull(m_outChunk->frameCount);
+       m_outChunk->frameCount = m_inChunk->frameCount;
+        run(*m_inChunk, *m_outChunk);
+ }
+

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index b14b4792b3..cc7fef2a26 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -22,6 +22,8 @@ SRC_URI = " \
22	file://test-for-CVE-2015-7747.patch \	22	file://test-for-CVE-2015-7747.patch \
23	file://CVE-2019-13147.patch \	23	file://CVE-2019-13147.patch \
24	file://CVE-2022-24599.patch \	24	file://CVE-2022-24599.patch \
		25	file://CVE-2018-13440.patch \
		26	file://CVE-2018-17059.patch \
25	"	27	"
26	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	28	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
27		29


diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch new file mode 100644 index 0000000000..f468696845 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-13440.patch
@@ -0,0 +1,36 @@
		1	From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
		2	From: Wim Taymans <wtaymans@redhat.com>
		3	Date: Thu, 27 Sep 2018 10:48:45 +0200
		4	Subject: [PATCH] ModuleState: handle compress/decompress init failure
		5
		6	When the unit initcompress or initdecompress function fails,
		7	m_fileModule is NULL. Return AF_FAIL in that case instead of
		8	causing NULL pointer dereferences later.
		9
		10	Fixes #49
		11
		12	This patch has been backported from Debian:
		13	https://sources.debian.org/src/audiofile/0.3.6-7/debian/patches/11_CVE-2018-13440.patch
		14
		15	CVE: CVE-2018-13440
		16	Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
		17	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		18
		19	---
		20	libaudiofile/modules/ModuleState.cpp \| 3 +++
		21	1 file changed, 3 insertions(+)
		22
		23	diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
		24	index 0c29d7a..070fd9b 100644
		25	--- a/libaudiofile/modules/ModuleState.cpp
		26	+++ b/libaudiofile/modules/ModuleState.cpp
		27	@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
		28	m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
		29	file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
		30
		31	+ if (!m_fileModule)
		32	+ return AF_FAIL;
		33	+
		34	if (unit->needsRebuffer)
		35	{
		36	assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);


diff --git a/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch new file mode 100644 index 0000000000..e9b560102a --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/CVE-2018-17059.patch
@@ -0,0 +1,35 @@
		1	From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
		2	From: Wim Taymans <wtaymans@redhat.com>
		3	Date: Thu, 27 Sep 2018 12:11:12 +0200
		4	Subject: [PATCH] SimpleModule: set output chunk framecount after pull
		5
		6	After pulling the data, set the output chunk to the amount of
		7	frames we pulled so that the next module in the chain has the correct
		8	frame count.
		9
		10	Fixes #50 and #51
		11
		12	This patch has been backported from Debian:
		13	https://sources.debian.org/src/audiofile/0.3.6-7/debian/patches/12_CVE-2018-17095.patch
		14
		15	CVE: CVE-2018-17095
		16
		17	Upstream-Status: Inactive-Upstream [lastcommit: 2016-Aug-30]
		18	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		19
		20	---
		21	libaudiofile/modules/SimpleModule.cpp \| 1 +
		22	1 file changed, 1 insertion(+)
		23
		24	diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
		25	index 2bae1eb..e87932c 100644
		26	--- a/libaudiofile/modules/SimpleModule.cpp
		27	+++ b/libaudiofile/modules/SimpleModule.cpp
		28	@@ -26,6 +26,7 @@
		29	void SimpleModule::runPull()
		30	{
		31	pull(m_outChunk->frameCount);
		32	+ m_outChunk->frameCount = m_inChunk->frameCount;
		33	run(m_inChunk, m_outChunk);
		34	}
		35