6 files changed, 345 insertions, 1 deletions
diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index a09f84381e..50df31c7b9 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -13,8 +13,12 @@ SRC_URI = " \
    file://0001-fix-negative-shift-constants.patch \
    file://0002-fix-build-on-gcc6.patch \
    file://0003-fix-CVE-2015-7747.patch \
+    file://0004-Always-check-the-number-of-coefficients.patch \
+    file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
+    file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
+    file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
+    file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \
 "
-SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
 SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
 inherit autotools lib_package pkgconfig
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
new file mode 100644
index 0000000000..17a97163f5
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
@@ -0,0 +1,46 @@
+From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 12:51:22 +0100
+Subject: [PATCH] Always check the number of coefficients
+When building the library with NDEBUG, asserts are eliminated
+so it's better to always check that the number of coefficients
+is inside the array range.
+This fixes the 00191-audiofile-indexoob issue in #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6827
+CVE: CVE-2017-6828
+CVE: CVE-2017-6832
+CVE: CVE-2017-6833
+CVE: CVE-2017-6835
+CVE: CVE-2017-6837
+CVE: CVE-2020-18781
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/WAVE.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..61f9541 100644
+--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
+@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ 
+                        /* numCoefficients should be at least 7. */
+                        assert(numCoefficients >= 7 && numCoefficients <= 255);
+                       if (numCoefficients < 7 || numCoefficients > 255)
+                       {
+                               _af_error(AF_BAD_HEADER,
+                                               "Bad number of coefficients");
+                               return AF_FAIL;
+                       }
+ 
+                        m_msadpcmNumCoefficients = numCoefficients;
+ 
+-- 
+2.11.0
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
new file mode 100644
index 0000000000..00bb7e597e
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,43 @@
+From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:02:31 +0100
+Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
+This fixes #33
+(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
+and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6829
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/modules/IMA.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
+index 7476d44..df4aad6 100644
+--- a/libaudiofile/modules/IMA.cpp
+++ b/libaudiofile/modules/IMA.cpp
+@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
+                if (encoded[1] & 0x80)
+                        m_adpcmState[c].previousValue -= 0x10000;
+ 
+-               m_adpcmState[c].index = encoded[2];
+               m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+ 
+                *decoded++ = m_adpcmState[c].previousValue;
+ 
+@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
+                        predictor -= 0x10000;
+ 
+                state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+-               state.index = encoded[1] & 0x7f;
+               state.index = clamp(encoded[1] & 0x7f, 0, 88);
+                encoded += 2;
+ 
+                for (int n=0; n<m_framesPerPacket; n+=2)
+-- 
+2.11.0
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
new file mode 100644
index 0000000000..ec21b09f30
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH] Check for multiplication overflow in sfconvert
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6830
+CVE: CVE-2017-6834
+CVE: CVE-2017-6836
+CVE: CVE-2017-6838
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+ 
+int firstBitSet(int x)
+{
+        int position=0;
+        while (x!=0)
+        {
+                x>>=1;
+                ++position;
+        }
+        return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+       return __builtin_mul_overflow(a, b, result);
+#else
+       if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+               return true;
+       *result = a * b;
+       return false;
+#endif
+}
+
+ int main (int argc, char **argv)
+ {
+        if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+        int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ 
+-       const int kBufferFrameCount = 65536;
+-       void *buffer = malloc(kBufferFrameCount * frameSize);
+       int kBufferFrameCount = 65536;
+       int bufferSize;
+       while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
+               kBufferFrameCount /= 2;
+       void *buffer = malloc(bufferSize);
+ 
+        AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+        AFframecount totalFramesWritten = 0;
+-- 
+2.11.0
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 0000000000..38294ca200
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6831
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_NOT_IMPLEMENTED,
+                                        "IMA ADPCM compression supports only 4 bits per sample");
+                               return AF_FAIL;
+                        }
+ 
+                        int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                        {
+                                _af_error(AF_BAD_CODEC_CONFIG,
+                                        "Invalid samples per block for IMA ADPCM compression");
+                               return AF_FAIL;
+                        }
+ 
+                        track->f.sampleWidth = 16;
+-- 
+2.11.0
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
new file mode 100644
index 0000000000..857ed78c59
--- /dev/null
+++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,126 @@
+From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:43:53 +0100
+Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
+Check for multiplication overflow (using __builtin_mul_overflow
+if available) in MSADPCM.cpp decodeSample and return an empty
+decoded block if an error occurs.
+This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+CVE: CVE-2017-6839
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libaudiofile/modules/BlockCodec.cpp |  5 ++--
+ libaudiofile/modules/MSADPCM.cpp    | 47 +++++++++++++++++++++++++++++++++----
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 45925e8..4731be1 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
+++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -52,8 +52,9 @@ void BlockCodec::runPull()
+        // Decompress into m_outChunk.
+        for (int i=0; i<blocksRead; i++)
+        {
+-               decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+-                       static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
+               if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+                       static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
+                       break;
+ 
+                framesRead += m_framesPerPacket;
+        }
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index 8ea3c85..ef9c38c 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
+++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
+        768, 614, 512, 409, 307, 230, 230, 230
+ };
+ 
+int firstBitSet(int x)
+{
+        int position=0;
+        while (x!=0)
+        {
+                x>>=1;
+                ++position;
+        }
+        return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+       return __builtin_mul_overflow(a, b, result);
+#else
+       if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+               return true;
+       *result = a * b;
+       return false;
+#endif
+}
+
+
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+-       uint8_t code, const int16_t *coefficient)
+       uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+        int linearSample = (state.sample1 * coefficient[0] +
+                state.sample2 * coefficient[1]) >> 8;
+       int delta;
+ 
+        linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+ 
+        linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+ 
+-       int delta = (state.delta * adaptationTable[code]) >> 8;
+       if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
+       {
+                if (ok) *ok=false;
+               _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
+               return 0;
+       }
+       delta >>= 8;
+        if (delta < 16)
+                delta = 16;
+ 
+        state.delta = delta;
+        state.sample2 = state.sample1;
+        state.sample1 = linearSample;
+       if (ok) *ok=true;
+ 
+        return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
+        {
+                uint8_t code;
+                int16_t newSample;
+               bool ok;
+ 
+                code = *encoded >> 4;
+-               newSample = decodeSample(*state[0], code, coefficient[0]);
+               newSample = decodeSample(*state[0], code, coefficient[0], &ok);
+               if (!ok) return 0;
+                *decoded++ = newSample;
+ 
+                code = *encoded & 0x0f;
+-               newSample = decodeSample(*state[1], code, coefficient[1]);
+               newSample = decodeSample(*state[1], code, coefficient[1], &ok);
+               if (!ok) return 0;
+                *decoded++ = newSample;
+ 
+                encoded++;
+-- 
+2.11.0

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index a09f84381e..50df31c7b9 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -13,8 +13,12 @@ SRC_URI = " \
13	file://0001-fix-negative-shift-constants.patch \	13	file://0001-fix-negative-shift-constants.patch \
14	file://0002-fix-build-on-gcc6.patch \	14	file://0002-fix-build-on-gcc6.patch \
15	file://0003-fix-CVE-2015-7747.patch \	15	file://0003-fix-CVE-2015-7747.patch \
		16	file://0004-Always-check-the-number-of-coefficients.patch \
		17	file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
		18	file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
		19	file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
		20	file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \
16	"	21	"
17	SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008"
18	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"	22	SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
19		23
20	inherit autotools lib_package pkgconfig	24	inherit autotools lib_package pkgconfig


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch new file mode 100644 index 0000000000..17a97163f5 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
@@ -0,0 +1,46 @@
		1	From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 12:51:22 +0100
		4	Subject: [PATCH] Always check the number of coefficients
		5
		6	When building the library with NDEBUG, asserts are eliminated
		7	so it's better to always check that the number of coefficients
		8	is inside the array range.
		9
		10	This fixes the 00191-audiofile-indexoob issue in #41
		11
		12	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		13
		14	CVE: CVE-2017-6827
		15	CVE: CVE-2017-6828
		16	CVE: CVE-2017-6832
		17	CVE: CVE-2017-6833
		18	CVE: CVE-2017-6835
		19	CVE: CVE-2017-6837
		20	CVE: CVE-2020-18781
		21	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		22	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		23	---
		24	libaudiofile/WAVE.cpp \| 6 ++++++
		25	1 file changed, 6 insertions(+)
		26
		27	diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
		28	index 0e81cf7..61f9541 100644
		29	--- a/libaudiofile/WAVE.cpp
		30	+++ b/libaudiofile/WAVE.cpp
		31	@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
		32
		33	/* numCoefficients should be at least 7. */
		34	assert(numCoefficients >= 7 && numCoefficients <= 255);
		35	+ if (numCoefficients < 7 \|\| numCoefficients > 255)
		36	+ {
		37	+ _af_error(AF_BAD_HEADER,
		38	+ "Bad number of coefficients");
		39	+ return AF_FAIL;
		40	+ }
		41
		42	m_msadpcmNumCoefficients = numCoefficients;
		43
		44	--
		45	2.11.0
		46


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch new file mode 100644 index 0000000000..00bb7e597e --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,43 @@
		1	From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 18:02:31 +0100
		4	Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
		5
		6	This fixes #33
		7	(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
		8	and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
		9
		10	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		11
		12	CVE: CVE-2017-6829
		13	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		14	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		15	---
		16	libaudiofile/modules/IMA.cpp \| 4 ++--
		17	1 file changed, 2 insertions(+), 2 deletions(-)
		18
		19	diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
		20	index 7476d44..df4aad6 100644
		21	--- a/libaudiofile/modules/IMA.cpp
		22	+++ b/libaudiofile/modules/IMA.cpp
		23	@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t encoded, int16_t decoded)
		24	if (encoded[1] & 0x80)
		25	m_adpcmState[c].previousValue -= 0x10000;
		26
		27	- m_adpcmState[c].index = encoded[2];
		28	+ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
		29
		30	*decoded++ = m_adpcmState[c].previousValue;
		31
		32	@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t encoded, int16_t decoded)
		33	predictor -= 0x10000;
		34
		35	state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
		36	- state.index = encoded[1] & 0x7f;
		37	+ state.index = clamp(encoded[1] & 0x7f, 0, 88);
		38	encoded += 2;
		39
		40	for (int n=0; n<m_framesPerPacket; n+=2)
		41	--
		42	2.11.0
		43


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..ec21b09f30 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,79 @@
		1	From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 13:54:52 +0100
		4	Subject: [PATCH] Check for multiplication overflow in sfconvert
		5
		6	Checks that a multiplication doesn't overflow when
		7	calculating the buffer size, and if it overflows,
		8	reduce the buffer size instead of failing.
		9
		10	This fixes the 00192-audiofile-signintoverflow-sfconvert case
		11	in #41
		12
		13	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		14
		15	CVE: CVE-2017-6830
		16	CVE: CVE-2017-6834
		17	CVE: CVE-2017-6836
		18	CVE: CVE-2017-6838
		19	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		21	---
		22	sfcommands/sfconvert.c \| 34 ++++++++++++++++++++++++++++++++--
		23	1 file changed, 32 insertions(+), 2 deletions(-)
		24
		25	diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
		26	index 80a1bc4..970a3e4 100644
		27	--- a/sfcommands/sfconvert.c
		28	+++ b/sfcommands/sfconvert.c
		29	@@ -45,6 +45,33 @@ void printusage (void);
		30	void usageerror (void);
		31	bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
		32
		33	+int firstBitSet(int x)
		34	+{
		35	+ int position=0;
		36	+ while (x!=0)
		37	+ {
		38	+ x>>=1;
		39	+ ++position;
		40	+ }
		41	+ return position;
		42	+}
		43	+
		44	+#ifndef __has_builtin
		45	+#define __has_builtin(x) 0
		46	+#endif
		47	+
		48	+int multiplyCheckOverflow(int a, int b, int *result)
		49	+{
		50	+#if (defined __GNUC__ && __GNUC__ >= 5) \|\| ( __clang__ && __has_builtin(__builtin_mul_overflow))
		51	+ return __builtin_mul_overflow(a, b, result);
		52	+#else
		53	+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
		54	+ return true;
		55	+ result = a b;
		56	+ return false;
		57	+#endif
		58	+}
		59	+
		60	int main (int argc, char **argv)
		61	{
		62	if (argc == 2)
		63	@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
		64	{
		65	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
		66
		67	- const int kBufferFrameCount = 65536;
		68	- void buffer = malloc(kBufferFrameCount frameSize);
		69	+ int kBufferFrameCount = 65536;
		70	+ int bufferSize;
		71	+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
		72	+ kBufferFrameCount /= 2;
		73	+ void *buffer = malloc(bufferSize);
		74
		75	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
		76	AFframecount totalFramesWritten = 0;
		77	--
		78	2.11.0
		79


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch new file mode 100644 index 0000000000..38294ca200 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
		1	From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 18:59:26 +0100
		4	Subject: [PATCH] Actually fail when error occurs in parseFormat
		5
		6	When there's an unsupported number of bits per sample or an invalid
		7	number of samples per block, don't only print an error message using
		8	the error handler, but actually stop parsing the file.
		9
		10	This fixes #35 (also reported at
		11	https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
		12	https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
		13	)
		14
		15	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		16
		17	CVE: CVE-2017-6831
		18	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	libaudiofile/WAVE.cpp \| 2 ++
		22	1 file changed, 2 insertions(+)
		23
		24	diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
		25	index 0e81cf7..d762249 100644
		26	--- a/libaudiofile/WAVE.cpp
		27	+++ b/libaudiofile/WAVE.cpp
		28	@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
		29	{
		30	_af_error(AF_BAD_NOT_IMPLEMENTED,
		31	"IMA ADPCM compression supports only 4 bits per sample");
		32	+ return AF_FAIL;
		33	}
		34
		35	int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
		36	@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
		37	{
		38	_af_error(AF_BAD_CODEC_CONFIG,
		39	"Invalid samples per block for IMA ADPCM compression");
		40	+ return AF_FAIL;
		41	}
		42
		43	track->f.sampleWidth = 16;
		44	--
		45	2.11.0
		46


diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch new file mode 100644 index 0000000000..857ed78c59 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,126 @@
		1	From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
		2	From: Antonio Larrosa <larrosa@kde.org>
		3	Date: Mon, 6 Mar 2017 13:43:53 +0100
		4	Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
		5
		6	Check for multiplication overflow (using __builtin_mul_overflow
		7	if available) in MSADPCM.cpp decodeSample and return an empty
		8	decoded block if an error occurs.
		9
		10	This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
		11
		12	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
		13
		14	CVE: CVE-2017-6839
		15	Upstream-Status: Inactive-Upstream [lastrelease: 2013]
		16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		17	---
		18	libaudiofile/modules/BlockCodec.cpp \| 5 ++--
		19	libaudiofile/modules/MSADPCM.cpp \| 47 +++++++++++++++++++++++++++++++++----
		20	2 files changed, 46 insertions(+), 6 deletions(-)
		21
		22	diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
		23	index 45925e8..4731be1 100644
		24	--- a/libaudiofile/modules/BlockCodec.cpp
		25	+++ b/libaudiofile/modules/BlockCodec.cpp
		26	@@ -52,8 +52,9 @@ void BlockCodec::runPull()
		27	// Decompress into m_outChunk.
		28	for (int i=0; i<blocksRead; i++)
		29	{
		30	- decodeBlock(static_cast<const uint8_t >(m_inChunk->buffer) + i m_bytesPerPacket,
		31	- static_cast<int16_t >(m_outChunk->buffer) + i m_framesPerPacket * m_track->f.channelCount);
		32	+ if (decodeBlock(static_cast<const uint8_t >(m_inChunk->buffer) + i m_bytesPerPacket,
		33	+ static_cast<int16_t >(m_outChunk->buffer) + i m_framesPerPacket * m_track->f.channelCount)==0)
		34	+ break;
		35
		36	framesRead += m_framesPerPacket;
		37	}
		38	diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
		39	index 8ea3c85..ef9c38c 100644
		40	--- a/libaudiofile/modules/MSADPCM.cpp
		41	+++ b/libaudiofile/modules/MSADPCM.cpp
		42	@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
		43	768, 614, 512, 409, 307, 230, 230, 230
		44	};
		45
		46	+int firstBitSet(int x)
		47	+{
		48	+ int position=0;
		49	+ while (x!=0)
		50	+ {
		51	+ x>>=1;
		52	+ ++position;
		53	+ }
		54	+ return position;
		55	+}
		56	+
		57	+#ifndef __has_builtin
		58	+#define __has_builtin(x) 0
		59	+#endif
		60	+
		61	+int multiplyCheckOverflow(int a, int b, int *result)
		62	+{
		63	+#if (defined __GNUC__ && __GNUC__ >= 5) \|\| ( __clang__ && __has_builtin(__builtin_mul_overflow))
		64	+ return __builtin_mul_overflow(a, b, result);
		65	+#else
		66	+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
		67	+ return true;
		68	+ result = a b;
		69	+ return false;
		70	+#endif
		71	+}
		72	+
		73	+
		74	// Compute a linear PCM value from the given differential coded value.
		75	static int16_t decodeSample(ms_adpcm_state &state,
		76	- uint8_t code, const int16_t *coefficient)
		77	+ uint8_t code, const int16_t coefficient, bool ok=NULL)
		78	{
		79	int linearSample = (state.sample1 * coefficient[0] +
		80	state.sample2 * coefficient[1]) >> 8;
		81	+ int delta;
		82
		83	linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
		84
		85	linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
		86
		87	- int delta = (state.delta * adaptationTable[code]) >> 8;
		88	+ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
		89	+ {
		90	+ if (ok) *ok=false;
		91	+ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
		92	+ return 0;
		93	+ }
		94	+ delta >>= 8;
		95	if (delta < 16)
		96	delta = 16;
		97
		98	state.delta = delta;
		99	state.sample2 = state.sample1;
		100	state.sample1 = linearSample;
		101	+ if (ok) *ok=true;
		102
		103	return static_cast<int16_t>(linearSample);
		104	}
		105	@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t encoded, int16_t decoded)
		106	{
		107	uint8_t code;
		108	int16_t newSample;
		109	+ bool ok;
		110
		111	code = *encoded >> 4;
		112	- newSample = decodeSample(*state[0], code, coefficient[0]);
		113	+ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
		114	+ if (!ok) return 0;
		115	*decoded++ = newSample;
		116
		117	code = *encoded & 0x0f;
		118	- newSample = decodeSample(*state[1], code, coefficient[1]);
		119	+ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
		120	+ if (!ok) return 0;
		121	*decoded++ = newSample;
		122
		123	encoded++;
		124	--
		125	2.11.0
		126