1 files changed, 46 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 0000000000..38294ca200
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6831
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_NOT_IMPLEMENTED,
+                                        "IMA ADPCM compression supports only 4 bits per sample");
+                               return AF_FAIL;
+                        }
+ 
+                        int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_CODEC_CONFIG,
+                                        "Invalid samples per block for IMA ADPCM compression");
+                               return AF_FAIL;
+                        }
+ 
+                        track->f.sampleWidth = 16;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch new file mode 100644 index 0000000000..38294ca200 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
	1	From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
	2	From: Antonio Larrosa <larrosa@kde.org>
	3	Date: Mon, 6 Mar 2017 18:59:26 +0100
	4	Subject: [PATCH] Actually fail when error occurs in parseFormat
	5
	6	When there's an unsupported number of bits per sample or an invalid
	7	number of samples per block, don't only print an error message using
	8	the error handler, but actually stop parsing the file.
	9
	10	This fixes #35 (also reported at
	11	https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
	12	https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
	13	)
	14
	15	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	16
	17	CVE: CVE-2017-6831
	18	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
	19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	20	---
	21	libaudiofile/WAVE.cpp \| 2 ++
	22	1 file changed, 2 insertions(+)
	23
	24	diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
	25	index 0e81cf7..d762249 100644
	26	--- a/libaudiofile/WAVE.cpp
	27	+++ b/libaudiofile/WAVE.cpp
	28	@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
	29	{
	30	_af_error(AF_BAD_NOT_IMPLEMENTED,
	31	"IMA ADPCM compression supports only 4 bits per sample");
	32	+ return AF_FAIL;
	33	}
	34
	35	int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
	36	@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
	37	{
	38	_af_error(AF_BAD_CODEC_CONFIG,
	39	"Invalid samples per block for IMA ADPCM compression");
	40	+ return AF_FAIL;
	41	}
	42
	43	track->f.sampleWidth = 16;
	44	--
	45	2.11.0
	46