summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChangqing Li <changqing.li@windriver.com>2019-02-20 16:54:20 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-02-25 16:35:33 +0000
commitae9160e099e9b23f1b756020d78db46052a1dca6 (patch)
tree34e3b1b764d28e423447fda832557db5b7bad26e
parent1efe414a67de27ac2e045e0ed6209e33cdeb7ec0 (diff)
downloadpoky-ae9160e099e9b23f1b756020d78db46052a1dca6.tar.gz
libsndfile1: Security fix CVE-2018-19432
(From OE-Core rev: 6f010c9b7777aae5ce2108122d0c6d3b1d630a21) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch115
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb1
2 files changed, 116 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
new file mode 100644
index 0000000000..8ded2c0f85
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
@@ -0,0 +1,115 @@
1From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Thu, 8 Mar 2018 18:00:21 +1100
4Subject: [PATCH] Fix max channel count bug
5
6The code was allowing files to be written with a channel count of exactly
7`SF_MAX_CHANNELS` but was failing to read some file formats with the same
8channel count.
9
10Upstream-Status: Backport [https://github.com/erikd/libsndfile/
11commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
12
13CVE: CVE-2018-19432
14
15Signed-off-by: Changqing Li <changqing.li@windriver.com>
16
17---
18 src/aiff.c | 6 +++---
19 src/rf64.c | 4 ++--
20 src/w64.c | 4 ++--
21 src/wav.c | 4 ++--
22 4 files changed, 9 insertions(+), 9 deletions(-)
23
24diff --git a/src/aiff.c b/src/aiff.c
25index fbd43cb..6386bce 100644
26--- a/src/aiff.c
27+++ b/src/aiff.c
28@@ -1,5 +1,5 @@
29 /*
30-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
31+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
32 ** Copyright (C) 2005 David Viens <davidv@plogue.com>
33 **
34 ** This program is free software; you can redistribute it and/or modify
35@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
36 if (psf->sf.channels < 1)
37 return SFE_CHANNEL_COUNT_ZERO ;
38
39- if (psf->sf.channels >= SF_MAX_CHANNELS)
40+ if (psf->sf.channels > SF_MAX_CHANNELS)
41 return SFE_CHANNEL_COUNT ;
42
43 if (! (found_chunk & HAVE_FORM))
44@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
45 psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ;
46 psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ;
47
48- if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS)
49+ if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS)
50 { psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
51 return SFE_CHANNEL_COUNT_BAD ;
52 } ;
53diff --git a/src/rf64.c b/src/rf64.c
54index d57f0f3..876cd45 100644
55--- a/src/rf64.c
56+++ b/src/rf64.c
57@@ -1,5 +1,5 @@
58 /*
59-** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
60+** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
61 ** Copyright (C) 2009 Uli Franke <cls@nebadje.org>
62 **
63 ** This program is free software; you can redistribute it and/or modify
64@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
65 if (psf->sf.channels < 1)
66 return SFE_CHANNEL_COUNT_ZERO ;
67
68- if (psf->sf.channels >= SF_MAX_CHANNELS)
69+ if (psf->sf.channels > SF_MAX_CHANNELS)
70 return SFE_CHANNEL_COUNT ;
71
72 /* WAVs can be little or big endian */
73diff --git a/src/w64.c b/src/w64.c
74index 939b716..a37d2c5 100644
75--- a/src/w64.c
76+++ b/src/w64.c
77@@ -1,5 +1,5 @@
78 /*
79-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
80+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
81 **
82 ** This program is free software; you can redistribute it and/or modify
83 ** it under the terms of the GNU Lesser General Public License as published by
84@@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE *psf, int *b
85 if (psf->sf.channels < 1)
86 return SFE_CHANNEL_COUNT_ZERO ;
87
88- if (psf->sf.channels >= SF_MAX_CHANNELS)
89+ if (psf->sf.channels > SF_MAX_CHANNELS)
90 return SFE_CHANNEL_COUNT ;
91
92 psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */
93diff --git a/src/wav.c b/src/wav.c
94index 7bd97bc..dc97545 100644
95--- a/src/wav.c
96+++ b/src/wav.c
97@@ -1,5 +1,5 @@
98 /*
99-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
100+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
101 ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
102 **
103 ** This program is free software; you can redistribute it and/or modify
104@@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE *psf, int *b
105 if (psf->sf.channels < 1)
106 return SFE_CHANNEL_COUNT_ZERO ;
107
108- if (psf->sf.channels >= SF_MAX_CHANNELS)
109+ if (psf->sf.channels > SF_MAX_CHANNELS)
110 return SFE_CHANNEL_COUNT ;
111
112 if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
113--
1141.7.9.5
115
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 13248f5cb7..9700f4a6e7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
14 file://CVE-2017-14634.patch \ 14 file://CVE-2017-14634.patch \
15 file://CVE-2018-13139.patch \ 15 file://CVE-2018-13139.patch \
16 file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ 16 file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
17 file://CVE-2018-19432.patch \
17 " 18 "
18 19
19SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" 20SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"