1 files changed, 126 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
new file mode 100644
index 0000000000..857ed78c59
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,126 @@
+From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:43:53 +0100
+Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
+Check for multiplication overflow (using __builtin_mul_overflow
+if available) in MSADPCM.cpp decodeSample and return an empty
+decoded block if an error occurs.
+This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6839
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/modules/BlockCodec.cpp |  5 ++--
+ libaudiofile/modules/MSADPCM.cpp    | 47 +++++++++++++++++++++++++++++++++----
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 45925e8..4731be1 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
+++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -52,8 +52,9 @@ void BlockCodec::runPull()
+        // Decompress into m_outChunk.
+        for (int i=0; i<blocksRead; i++)
+        {
+-               decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+-                       static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
+               if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+                       static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
+                       break;
+ 
+                framesRead += m_framesPerPacket;
+        }
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index 8ea3c85..ef9c38c 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
+++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
+        768, 614, 512, 409, 307, 230, 230, 230
+ };
+ 
+int firstBitSet(int x)
+{
+        int position=0;
+        while (x!=0)
+        {
+                x>>=1;
+                ++position;
+        }
+        return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+       return __builtin_mul_overflow(a, b, result);
+#else
+       if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+               return true;
+       *result = a * b;
+       return false;
+#endif
+}
+
+
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+-       uint8_t code, const int16_t *coefficient)
+       uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+        int linearSample = (state.sample1 * coefficient[0] +
+                state.sample2 * coefficient[1]) >> 8;
+       int delta;
+ 
+        linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+ 
+        linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+ 
+-       int delta = (state.delta * adaptationTable[code]) >> 8;
+       if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
+       {
+                if (ok) *ok=false;
+               _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
+               return 0;
+       }
+       delta >>= 8;
+        if (delta < 16)
+                delta = 16;
+ 
+        state.delta = delta;
+        state.sample2 = state.sample1;
+        state.sample1 = linearSample;
+       if (ok) *ok=true;
+ 
+        return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
+        {
+                uint8_t code;
+                int16_t newSample;
+               bool ok;
+ 
+                code = *encoded >> 4;
+-               newSample = decodeSample(*state[0], code, coefficient[0]);
+               newSample = decodeSample(*state[0], code, coefficient[0], &ok);
+               if (!ok) return 0;
+                *decoded++ = newSample;
+ 
+                code = *encoded & 0x0f;
+-               newSample = decodeSample(*state[1], code, coefficient[1]);
+               newSample = decodeSample(*state[1], code, coefficient[1], &ok);
+               if (!ok) return 0;
+                *decoded++ = newSample;
+ 
+                encoded++;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch new file mode 100644 index 0000000000..857ed78c59 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,126 @@
	1	From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
	2	From: Antonio Larrosa <larrosa@kde.org>
	3	Date: Mon, 6 Mar 2017 13:43:53 +0100
	4	Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
	5
	6	Check for multiplication overflow (using __builtin_mul_overflow
	7	if available) in MSADPCM.cpp decodeSample and return an empty
	8	decoded block if an error occurs.
	9
	10	This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
	11
	12	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	13
	14	CVE: CVE-2017-6839
	15	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
	16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	17	---
	18	libaudiofile/modules/BlockCodec.cpp \| 5 ++--
	19	libaudiofile/modules/MSADPCM.cpp \| 47 +++++++++++++++++++++++++++++++++----
	20	2 files changed, 46 insertions(+), 6 deletions(-)
	21
	22	diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
	23	index 45925e8..4731be1 100644
	24	--- a/libaudiofile/modules/BlockCodec.cpp
	25	+++ b/libaudiofile/modules/BlockCodec.cpp
	26	@@ -52,8 +52,9 @@ void BlockCodec::runPull()
	27	// Decompress into m_outChunk.
	28	for (int i=0; i<blocksRead; i++)
	29	{
	30	- decodeBlock(static_cast<const uint8_t >(m_inChunk->buffer) + i m_bytesPerPacket,
	31	- static_cast<int16_t >(m_outChunk->buffer) + i m_framesPerPacket * m_track->f.channelCount);
	32	+ if (decodeBlock(static_cast<const uint8_t >(m_inChunk->buffer) + i m_bytesPerPacket,
	33	+ static_cast<int16_t >(m_outChunk->buffer) + i m_framesPerPacket * m_track->f.channelCount)==0)
	34	+ break;
	35
	36	framesRead += m_framesPerPacket;
	37	}
	38	diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
	39	index 8ea3c85..ef9c38c 100644
	40	--- a/libaudiofile/modules/MSADPCM.cpp
	41	+++ b/libaudiofile/modules/MSADPCM.cpp
	42	@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
	43	768, 614, 512, 409, 307, 230, 230, 230
	44	};
	45
	46	+int firstBitSet(int x)
	47	+{
	48	+ int position=0;
	49	+ while (x!=0)
	50	+ {
	51	+ x>>=1;
	52	+ ++position;
	53	+ }
	54	+ return position;
	55	+}
	56	+
	57	+#ifndef __has_builtin
	58	+#define __has_builtin(x) 0
	59	+#endif
	60	+
	61	+int multiplyCheckOverflow(int a, int b, int *result)
	62	+{
	63	+#if (defined __GNUC__ && __GNUC__ >= 5) \|\| ( __clang__ && __has_builtin(__builtin_mul_overflow))
	64	+ return __builtin_mul_overflow(a, b, result);
	65	+#else
	66	+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
	67	+ return true;
	68	+ result = a b;
	69	+ return false;
	70	+#endif
	71	+}
	72	+
	73	+
	74	// Compute a linear PCM value from the given differential coded value.
	75	static int16_t decodeSample(ms_adpcm_state &state,
	76	- uint8_t code, const int16_t *coefficient)
	77	+ uint8_t code, const int16_t coefficient, bool ok=NULL)
	78	{
	79	int linearSample = (state.sample1 * coefficient[0] +
	80	state.sample2 * coefficient[1]) >> 8;
	81	+ int delta;
	82
	83	linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
	84
	85	linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
	86
	87	- int delta = (state.delta * adaptationTable[code]) >> 8;
	88	+ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
	89	+ {
	90	+ if (ok) *ok=false;
	91	+ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
	92	+ return 0;
	93	+ }
	94	+ delta >>= 8;
	95	if (delta < 16)
	96	delta = 16;
	97
	98	state.delta = delta;
	99	state.sample2 = state.sample1;
	100	state.sample1 = linearSample;
	101	+ if (ok) *ok=true;
	102
	103	return static_cast<int16_t>(linearSample);
	104	}
	105	@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t encoded, int16_t decoded)
	106	{
	107	uint8_t code;
	108	int16_t newSample;
	109	+ bool ok;
	110
	111	code = *encoded >> 4;
	112	- newSample = decodeSample(*state[0], code, coefficient[0]);
	113	+ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
	114	+ if (!ok) return 0;
	115	*decoded++ = newSample;
	116
	117	code = *encoded & 0x0f;
	118	- newSample = decodeSample(*state[1], code, coefficient[1]);
	119	+ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
	120	+ if (!ok) return 0;
	121	*decoded++ = newSample;
	122
	123	encoded++;
	124	--
	125	2.11.0
	126