1 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
new file mode 100644
index 0000000000..ec21b09f30
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH] Check for multiplication overflow in sfconvert
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6830
+CVE: CVE-2017-6834
+CVE: CVE-2017-6836
+CVE: CVE-2017-6838
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+ 
+int firstBitSet(int x)
+{
+        int position=0;
+        while (x!=0)
+        {
+                x>>=1;
+                ++position;
+        }
+        return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+       return __builtin_mul_overflow(a, b, result);
+#else
+       if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+               return true;
+       *result = a * b;
+       return false;
+#endif
+}
+
+ int main (int argc, char **argv)
+ {
+        if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+        int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ 
+-       const int kBufferFrameCount = 65536;
+-       void *buffer = malloc(kBufferFrameCount * frameSize);
+       int kBufferFrameCount = 65536;
+       int bufferSize;
+       while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
+               kBufferFrameCount /= 2;
+       void *buffer = malloc(bufferSize);
+ 
+        AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+        AFframecount totalFramesWritten = 0;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..ec21b09f30 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
	1	From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
	2	From: Antonio Larrosa <larrosa@kde.org>
	3	Date: Mon, 6 Mar 2017 13:54:52 +0100
	4	Subject: [PATCH] Check for multiplication overflow in sfconvert
	5
	6	Checks that a multiplication doesn't overflow when
	7	calculating the buffer size, and if it overflows,
	8	reduce the buffer size instead of failing.
	9
	10	This fixes the 00192-audiofile-signintoverflow-sfconvert case
	11	in #41
	12
	13	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	14
	15	CVE: CVE-2017-6830
	16	CVE: CVE-2017-6834
	17	CVE: CVE-2017-6836
	18	CVE: CVE-2017-6838
	19	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
	20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	21	---
	22	sfcommands/sfconvert.c \| 34 ++++++++++++++++++++++++++++++++--
	23	1 file changed, 32 insertions(+), 2 deletions(-)
	24
	25	diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
	26	index 80a1bc4..970a3e4 100644
	27	--- a/sfcommands/sfconvert.c
	28	+++ b/sfcommands/sfconvert.c
	29	@@ -45,6 +45,33 @@ void printusage (void);
	30	void usageerror (void);
	31	bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
	32
	33	+int firstBitSet(int x)
	34	+{
	35	+ int position=0;
	36	+ while (x!=0)
	37	+ {
	38	+ x>>=1;
	39	+ ++position;
	40	+ }
	41	+ return position;
	42	+}
	43	+
	44	+#ifndef __has_builtin
	45	+#define __has_builtin(x) 0
	46	+#endif
	47	+
	48	+int multiplyCheckOverflow(int a, int b, int *result)
	49	+{
	50	+#if (defined __GNUC__ && __GNUC__ >= 5) \|\| ( __clang__ && __has_builtin(__builtin_mul_overflow))
	51	+ return __builtin_mul_overflow(a, b, result);
	52	+#else
	53	+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
	54	+ return true;
	55	+ result = a b;
	56	+ return false;
	57	+#endif
	58	+}
	59	+
	60	int main (int argc, char **argv)
	61	{
	62	if (argc == 2)
	63	@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
	64	{
	65	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
	66
	67	- const int kBufferFrameCount = 65536;
	68	- void buffer = malloc(kBufferFrameCount frameSize);
	69	+ int kBufferFrameCount = 65536;
	70	+ int bufferSize;
	71	+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
	72	+ kBufferFrameCount /= 2;
	73	+ void *buffer = malloc(bufferSize);
	74
	75	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
	76	AFframecount totalFramesWritten = 0;
	77	--
	78	2.11.0
	79