authorKai Kang <kai.kang@windriver.com>2017-09-22 14:27:51 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-25 14:14:17 +0100
commitfd994b5bede3724ce23f3766e6109d83e534d3f3 (patch)
tree356ea100035070392985d7918bc1f7293a911cff
parent2d948eec2dc5314ccb526ee4dda18711186d6ef2 (diff)
downloadpoky-fd994b5bede3724ce23f3766e6109d83e534d3f3.tar.gz
lame: fix CVE-2017-13712
Backport patch to fix CVE-2017-13712 for lame. (From OE-Core rev: 3e80f86b4227f1d6ddd604a0738449d93f01c03f) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch309
-rw-r--r--meta/recipes-multimedia/lame/lame_3.99.5.bb4
2 files changed, 312 insertions, 1 deletions
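--- /dev/null
+++ b/meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch
@@ -0,0 +1,309 @@
+Upstream-Status: Backport [http://lame.cvs.sourceforge.net/viewvc/lame/lame/libmp3lame/id3tag.c?r1=1.79&r2=1.80]
+
+Backport patch to fix CVE-2017-13712 for lame.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+--- a/libmp3lame/id3tag.c 2017/08/22 19:44:05 1.79
++++ b/libmp3lame/id3tag.c 2017/08/28 15:39:51 1.80
+@@ -194,7 +194,11 @@
+ }
+ #endif
+
+-
++static int
++is_lame_internal_flags_null(lame_t gfp)
++{
++ return (gfp && gfp->internal_flags) ? 0 : 1;
++}
+
+ static int
+ id3v2_add_ucs2_lng(lame_t gfp, uint32_t frame_id, unsigned short const *desc, unsigned short const *text);
+@@ -238,8 +242,7 @@
+ static void
+ id3v2AddAudioDuration(lame_t gfp, double ms)
+ {
+- lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;
+- SessionConfig_t const *const cfg = &gfc->cfg;
++ SessionConfig_t const *const cfg = &gfp->internal_flags->cfg; /* caller checked pointers */
+ char buffer[1024];
+ double const max_ulong = MAX_U_32_NUM;
+ unsigned long playlength_ms;
+@@ -280,7 +283,12 @@
+ void
+ id3tag_init(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ free_id3tag(gfc);
+ memset(&gfc->tag_spec, 0, sizeof gfc->tag_spec);
+ gfc->tag_spec.genre_id3v1 = GENRE_NUM_UNKNOWN;
+@@ -293,7 +301,12 @@
+ void
+ id3tag_add_v2(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ gfc->tag_spec.flags &= ~V1_ONLY_FLAG;
+ gfc->tag_spec.flags |= ADD_V2_FLAG;
+ }
+@@ -301,7 +314,12 @@
+ void
+ id3tag_v1_only(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ gfc->tag_spec.flags &= ~(ADD_V2_FLAG | V2_ONLY_FLAG);
+ gfc->tag_spec.flags |= V1_ONLY_FLAG;
+ }
+@@ -309,7 +327,12 @@
+ void
+ id3tag_v2_only(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ gfc->tag_spec.flags &= ~V1_ONLY_FLAG;
+ gfc->tag_spec.flags |= V2_ONLY_FLAG;
+ }
+@@ -317,7 +340,12 @@
+ void
+ id3tag_space_v1(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ gfc->tag_spec.flags &= ~V2_ONLY_FLAG;
+ gfc->tag_spec.flags |= SPACE_V1_FLAG;
+ }
+@@ -331,7 +359,12 @@
+ void
+ id3tag_set_pad(lame_t gfp, size_t n)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return;
++ }
++ gfc = gfp->internal_flags;
+ gfc->tag_spec.flags &= ~V1_ONLY_FLAG;
+ gfc->tag_spec.flags |= PAD_V2_FLAG;
+ gfc->tag_spec.flags |= ADD_V2_FLAG;
+@@ -583,22 +616,29 @@
+ int
+ id3tag_set_albumart(lame_t gfp, const char *image, size_t size)
+ {
+- int mimetype = 0;
+- unsigned char const *data = (unsigned char const *) image;
+- lame_internal_flags *gfc = gfp->internal_flags;
+-
+- /* determine MIME type from the actual image data */
+- if (2 < size && data[0] == 0xFF && data[1] == 0xD8) {
+- mimetype = MIMETYPE_JPEG;
+- }
+- else if (4 < size && data[0] == 0x89 && strncmp((const char *) &data[1], "PNG", 3) == 0) {
+- mimetype = MIMETYPE_PNG;
+- }
+- else if (4 < size && strncmp((const char *) data, "GIF8", 4) == 0) {
+- mimetype = MIMETYPE_GIF;
++ int mimetype = MIMETYPE_NONE;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
+ }
+- else {
+- return -1;
++ gfc = gfp->internal_flags;
++
++ if (image != 0) {
++ unsigned char const *data = (unsigned char const *) image;
++ /* determine MIME type from the actual image data */
++ if (2 < size && data[0] == 0xFF && data[1] == 0xD8) {
++ mimetype = MIMETYPE_JPEG;
++ }
++ else if (4 < size && data[0] == 0x89 && strncmp((const char *) &data[1], "PNG", 3) == 0) {
++ mimetype = MIMETYPE_PNG;
++ }
++ else if (4 < size && strncmp((const char *) data, "GIF8", 4) == 0) {
++ mimetype = MIMETYPE_GIF;
++ }
++ else {
++ return -1;
++ }
+ }
+ if (gfc->tag_spec.albumart != 0) {
+ free(gfc->tag_spec.albumart);
+@@ -606,7 +646,7 @@
+ gfc->tag_spec.albumart_size = 0;
+ gfc->tag_spec.albumart_mimetype = MIMETYPE_NONE;
+ }
+- if (size < 1) {
++ if (size < 1 || mimetype == MIMETYPE_NONE) {
+ return 0;
+ }
+ gfc->tag_spec.albumart = lame_calloc(unsigned char, size);
+@@ -959,6 +999,9 @@
+ if (frame_id == 0) {
+ return -1;
+ }
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ if (text == 0) {
+ return 0;
+ }
+@@ -1008,6 +1051,9 @@
+ if (frame_id == 0) {
+ return -1;
+ }
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ if (text == 0) {
+ return 0;
+ }
+@@ -1037,6 +1083,9 @@
+ int
+ id3tag_set_comment_latin1(lame_t gfp, char const *lang, char const *desc, char const *text)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ return id3v2_add_latin1(gfp, ID_COMMENT, lang, desc, text);
+ }
+
+@@ -1044,6 +1093,9 @@
+ int
+ id3tag_set_comment_utf16(lame_t gfp, char const *lang, unsigned short const *desc, unsigned short const *text)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ return id3v2_add_ucs2(gfp, ID_COMMENT, lang, desc, text);
+ }
+
+@@ -1054,6 +1106,9 @@
+ int
+ id3tag_set_comment_ucs2(lame_t gfp, char const *lang, unsigned short const *desc, unsigned short const *text)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ return id3tag_set_comment_utf16(gfp, lang, desc, text);
+ }
+
+@@ -1244,9 +1299,9 @@
+ int
+ id3tag_set_genre(lame_t gfp, const char *genre)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;
+ int ret = 0;
+- if (genre && *genre) {
++ if (gfc && genre && *genre) {
+ int const num = lookupGenre(genre);
+ if (num == -1) return num;
+ gfc->tag_spec.flags |= CHANGED_FLAG;
+@@ -1539,6 +1594,9 @@
+ int
+ id3tag_set_fieldvalue(lame_t gfp, const char *fieldvalue)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ if (fieldvalue && *fieldvalue) {
+ if (strlen(fieldvalue) < 5 || fieldvalue[4] != '=') {
+ return -1;
+@@ -1551,6 +1609,9 @@
+ int
+ id3tag_set_fieldvalue_utf16(lame_t gfp, const unsigned short *fieldvalue)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ if (fieldvalue && *fieldvalue) {
+ size_t dx = hasUcs2ByteOrderMarker(fieldvalue[0]);
+ unsigned short const separator = fromLatin1Char(fieldvalue, '=');
+@@ -1581,20 +1642,21 @@
+ int
+ id3tag_set_fieldvalue_ucs2(lame_t gfp, const unsigned short *fieldvalue)
+ {
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
+ return id3tag_set_fieldvalue_utf16(gfp, fieldvalue);
+ }
+
+ size_t
+ lame_get_id3v2_tag(lame_t gfp, unsigned char *buffer, size_t size)
+ {
+- lame_internal_flags *gfc;
+- if (gfp == 0) {
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
+ return 0;
+ }
+ gfc = gfp->internal_flags;
+- if (gfc == 0) {
+- return 0;
+- }
+ if (test_tag_spec_flags(gfc, V1_ONLY_FLAG)) {
+ return 0;
+ }
+@@ -1736,7 +1798,12 @@
+ int
+ id3tag_write_v2(lame_t gfp)
+ {
+- lame_internal_flags *gfc = gfp->internal_flags;
++ lame_internal_flags *gfc = 0;
++
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
++ gfc = gfp->internal_flags;
+ #if 0
+ debug_tag_spec_flags(gfc, "write v2");
+ #endif
+@@ -1837,10 +1904,15 @@
+ int
+ id3tag_write_v1(lame_t gfp)
+ {
+- lame_internal_flags *const gfc = gfp->internal_flags;
++ lame_internal_flags* gfc = 0;
+ size_t i, n, m;
+ unsigned char tag[128];
+
++ if (is_lame_internal_flags_null(gfp)) {
++ return 0;
++ }
++ gfc = gfp->internal_flags;
++
+ m = sizeof(tag);
+ n = lame_get_id3v1_tag(gfp, tag, m);
+ if (n > m) {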
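Review bot: In the `id3v2AddAudioDuration` hunk the only null test on `gfp` is removed and `&gfp->internal_flags->cfg` is dereferenced on the strength of the comment `/* caller checked pointers */`, so that line is only safe if every caller has already run the check. The callers lie outside the hunks shown here, so the page does not confirm that. Since `is_lame_internal_flags_null()` is defined earlier in the same patch, the function could guard itself the way `id3tag_init` and the other setters do: declare `SessionConfig_t const *cfg = 0;`, then after the remaining declarations add `if (is_lame_internal_flags_null(gfp)) { return; }` and `cfg = &gfp->internal_flags->cfg;`. The body of `id3v2AddAudioDuration` continues past the end of its hunk.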
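--- a/meta/recipes-multimedia/lame/lame_3.99.5.bb
+++ b/meta/recipes-multimedia/lame/lame_3.99.5.bb
@@ -14,7 +14,9 @@ PR = "r1"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/lame/lame-${PV}.tar.gz \
  file://no-gtk1.patch \
- file://lame-3.99.5_fix_for_automake-1.12.x.patch "
+ file://lame-3.99.5_fix_for_automake-1.12.x.patch \
+ file://CVE-2017-13712.patch \
+ "
 
 SRC_URI[md5sum] = "84835b313d4a8b68f5349816d33e07ce"
 SRC_URI[sha256sum] = "24346b4158e4af3bd9f2e194bb23eb473c75fb7377011523353196b19b9a23ff"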