diff options
author | Kai Kang <kai.kang@windriver.com> | 2017-09-22 14:27:51 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-25 14:14:17 +0100 |
commit | fd994b5bede3724ce23f3766e6109d83e534d3f3 (patch) | |
tree | 356ea100035070392985d7918bc1f7293a911cff | |
parent | 2d948eec2dc5314ccb526ee4dda18711186d6ef2 (diff) | |
download | poky-fd994b5bede3724ce23f3766e6109d83e534d3f3.tar.gz |
lame: fix CVE-2017-13712
Backport patch to fix CVE-2017-13712 for lame.
(From OE-Core rev: 3e80f86b4227f1d6ddd604a0738449d93f01c03f)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch | 309 | ||||
-rw-r--r-- | meta/recipes-multimedia/lame/lame_3.99.5.bb | 4 |
2 files changed, 312 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch b/meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch new file mode 100644 index 0000000000..f9ec7665ff --- /dev/null +++ b/meta/recipes-multimedia/lame/lame/CVE-2017-13712.patch | |||
@@ -0,0 +1,309 @@ | |||
1 | Upstream-Status: Backport [http://lame.cvs.sourceforge.net/viewvc/lame/lame/libmp3lame/id3tag.c?r1=1.79&r2=1.80] | ||
2 | |||
3 | Backport patch to fix CVE-2017-13712 for lame. | ||
4 | |||
5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
6 | --- | ||
7 | --- a/libmp3lame/id3tag.c 2017/08/22 19:44:05 1.79 | ||
8 | +++ b/libmp3lame/id3tag.c 2017/08/28 15:39:51 1.80 | ||
9 | @@ -194,7 +194,11 @@ | ||
10 | } | ||
11 | #endif | ||
12 | |||
13 | - | ||
14 | +static int | ||
15 | +is_lame_internal_flags_null(lame_t gfp) | ||
16 | +{ | ||
17 | + return (gfp && gfp->internal_flags) ? 0 : 1; | ||
18 | +} | ||
19 | |||
20 | static int | ||
21 | id3v2_add_ucs2_lng(lame_t gfp, uint32_t frame_id, unsigned short const *desc, unsigned short const *text); | ||
22 | @@ -238,8 +242,7 @@ | ||
23 | static void | ||
24 | id3v2AddAudioDuration(lame_t gfp, double ms) | ||
25 | { | ||
26 | - lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0; | ||
27 | - SessionConfig_t const *const cfg = &gfc->cfg; | ||
28 | + SessionConfig_t const *const cfg = &gfp->internal_flags->cfg; /* caller checked pointers */ | ||
29 | char buffer[1024]; | ||
30 | double const max_ulong = MAX_U_32_NUM; | ||
31 | unsigned long playlength_ms; | ||
32 | @@ -280,7 +283,12 @@ | ||
33 | void | ||
34 | id3tag_init(lame_t gfp) | ||
35 | { | ||
36 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
37 | + lame_internal_flags *gfc = 0; | ||
38 | + | ||
39 | + if (is_lame_internal_flags_null(gfp)) { | ||
40 | + return; | ||
41 | + } | ||
42 | + gfc = gfp->internal_flags; | ||
43 | free_id3tag(gfc); | ||
44 | memset(&gfc->tag_spec, 0, sizeof gfc->tag_spec); | ||
45 | gfc->tag_spec.genre_id3v1 = GENRE_NUM_UNKNOWN; | ||
46 | @@ -293,7 +301,12 @@ | ||
47 | void | ||
48 | id3tag_add_v2(lame_t gfp) | ||
49 | { | ||
50 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
51 | + lame_internal_flags *gfc = 0; | ||
52 | + | ||
53 | + if (is_lame_internal_flags_null(gfp)) { | ||
54 | + return; | ||
55 | + } | ||
56 | + gfc = gfp->internal_flags; | ||
57 | gfc->tag_spec.flags &= ~V1_ONLY_FLAG; | ||
58 | gfc->tag_spec.flags |= ADD_V2_FLAG; | ||
59 | } | ||
60 | @@ -301,7 +314,12 @@ | ||
61 | void | ||
62 | id3tag_v1_only(lame_t gfp) | ||
63 | { | ||
64 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
65 | + lame_internal_flags *gfc = 0; | ||
66 | + | ||
67 | + if (is_lame_internal_flags_null(gfp)) { | ||
68 | + return; | ||
69 | + } | ||
70 | + gfc = gfp->internal_flags; | ||
71 | gfc->tag_spec.flags &= ~(ADD_V2_FLAG | V2_ONLY_FLAG); | ||
72 | gfc->tag_spec.flags |= V1_ONLY_FLAG; | ||
73 | } | ||
74 | @@ -309,7 +327,12 @@ | ||
75 | void | ||
76 | id3tag_v2_only(lame_t gfp) | ||
77 | { | ||
78 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
79 | + lame_internal_flags *gfc = 0; | ||
80 | + | ||
81 | + if (is_lame_internal_flags_null(gfp)) { | ||
82 | + return; | ||
83 | + } | ||
84 | + gfc = gfp->internal_flags; | ||
85 | gfc->tag_spec.flags &= ~V1_ONLY_FLAG; | ||
86 | gfc->tag_spec.flags |= V2_ONLY_FLAG; | ||
87 | } | ||
88 | @@ -317,7 +340,12 @@ | ||
89 | void | ||
90 | id3tag_space_v1(lame_t gfp) | ||
91 | { | ||
92 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
93 | + lame_internal_flags *gfc = 0; | ||
94 | + | ||
95 | + if (is_lame_internal_flags_null(gfp)) { | ||
96 | + return; | ||
97 | + } | ||
98 | + gfc = gfp->internal_flags; | ||
99 | gfc->tag_spec.flags &= ~V2_ONLY_FLAG; | ||
100 | gfc->tag_spec.flags |= SPACE_V1_FLAG; | ||
101 | } | ||
102 | @@ -331,7 +359,12 @@ | ||
103 | void | ||
104 | id3tag_set_pad(lame_t gfp, size_t n) | ||
105 | { | ||
106 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
107 | + lame_internal_flags *gfc = 0; | ||
108 | + | ||
109 | + if (is_lame_internal_flags_null(gfp)) { | ||
110 | + return; | ||
111 | + } | ||
112 | + gfc = gfp->internal_flags; | ||
113 | gfc->tag_spec.flags &= ~V1_ONLY_FLAG; | ||
114 | gfc->tag_spec.flags |= PAD_V2_FLAG; | ||
115 | gfc->tag_spec.flags |= ADD_V2_FLAG; | ||
116 | @@ -583,22 +616,29 @@ | ||
117 | int | ||
118 | id3tag_set_albumart(lame_t gfp, const char *image, size_t size) | ||
119 | { | ||
120 | - int mimetype = 0; | ||
121 | - unsigned char const *data = (unsigned char const *) image; | ||
122 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
123 | - | ||
124 | - /* determine MIME type from the actual image data */ | ||
125 | - if (2 < size && data[0] == 0xFF && data[1] == 0xD8) { | ||
126 | - mimetype = MIMETYPE_JPEG; | ||
127 | - } | ||
128 | - else if (4 < size && data[0] == 0x89 && strncmp((const char *) &data[1], "PNG", 3) == 0) { | ||
129 | - mimetype = MIMETYPE_PNG; | ||
130 | - } | ||
131 | - else if (4 < size && strncmp((const char *) data, "GIF8", 4) == 0) { | ||
132 | - mimetype = MIMETYPE_GIF; | ||
133 | + int mimetype = MIMETYPE_NONE; | ||
134 | + lame_internal_flags *gfc = 0; | ||
135 | + | ||
136 | + if (is_lame_internal_flags_null(gfp)) { | ||
137 | + return 0; | ||
138 | } | ||
139 | - else { | ||
140 | - return -1; | ||
141 | + gfc = gfp->internal_flags; | ||
142 | + | ||
143 | + if (image != 0) { | ||
144 | + unsigned char const *data = (unsigned char const *) image; | ||
145 | + /* determine MIME type from the actual image data */ | ||
146 | + if (2 < size && data[0] == 0xFF && data[1] == 0xD8) { | ||
147 | + mimetype = MIMETYPE_JPEG; | ||
148 | + } | ||
149 | + else if (4 < size && data[0] == 0x89 && strncmp((const char *) &data[1], "PNG", 3) == 0) { | ||
150 | + mimetype = MIMETYPE_PNG; | ||
151 | + } | ||
152 | + else if (4 < size && strncmp((const char *) data, "GIF8", 4) == 0) { | ||
153 | + mimetype = MIMETYPE_GIF; | ||
154 | + } | ||
155 | + else { | ||
156 | + return -1; | ||
157 | + } | ||
158 | } | ||
159 | if (gfc->tag_spec.albumart != 0) { | ||
160 | free(gfc->tag_spec.albumart); | ||
161 | @@ -606,7 +646,7 @@ | ||
162 | gfc->tag_spec.albumart_size = 0; | ||
163 | gfc->tag_spec.albumart_mimetype = MIMETYPE_NONE; | ||
164 | } | ||
165 | - if (size < 1) { | ||
166 | + if (size < 1 || mimetype == MIMETYPE_NONE) { | ||
167 | return 0; | ||
168 | } | ||
169 | gfc->tag_spec.albumart = lame_calloc(unsigned char, size); | ||
170 | @@ -959,6 +999,9 @@ | ||
171 | if (frame_id == 0) { | ||
172 | return -1; | ||
173 | } | ||
174 | + if (is_lame_internal_flags_null(gfp)) { | ||
175 | + return 0; | ||
176 | + } | ||
177 | if (text == 0) { | ||
178 | return 0; | ||
179 | } | ||
180 | @@ -1008,6 +1051,9 @@ | ||
181 | if (frame_id == 0) { | ||
182 | return -1; | ||
183 | } | ||
184 | + if (is_lame_internal_flags_null(gfp)) { | ||
185 | + return 0; | ||
186 | + } | ||
187 | if (text == 0) { | ||
188 | return 0; | ||
189 | } | ||
190 | @@ -1037,6 +1083,9 @@ | ||
191 | int | ||
192 | id3tag_set_comment_latin1(lame_t gfp, char const *lang, char const *desc, char const *text) | ||
193 | { | ||
194 | + if (is_lame_internal_flags_null(gfp)) { | ||
195 | + return 0; | ||
196 | + } | ||
197 | return id3v2_add_latin1(gfp, ID_COMMENT, lang, desc, text); | ||
198 | } | ||
199 | |||
200 | @@ -1044,6 +1093,9 @@ | ||
201 | int | ||
202 | id3tag_set_comment_utf16(lame_t gfp, char const *lang, unsigned short const *desc, unsigned short const *text) | ||
203 | { | ||
204 | + if (is_lame_internal_flags_null(gfp)) { | ||
205 | + return 0; | ||
206 | + } | ||
207 | return id3v2_add_ucs2(gfp, ID_COMMENT, lang, desc, text); | ||
208 | } | ||
209 | |||
210 | @@ -1054,6 +1106,9 @@ | ||
211 | int | ||
212 | id3tag_set_comment_ucs2(lame_t gfp, char const *lang, unsigned short const *desc, unsigned short const *text) | ||
213 | { | ||
214 | + if (is_lame_internal_flags_null(gfp)) { | ||
215 | + return 0; | ||
216 | + } | ||
217 | return id3tag_set_comment_utf16(gfp, lang, desc, text); | ||
218 | } | ||
219 | |||
220 | @@ -1244,9 +1299,9 @@ | ||
221 | int | ||
222 | id3tag_set_genre(lame_t gfp, const char *genre) | ||
223 | { | ||
224 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
225 | + lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0; | ||
226 | int ret = 0; | ||
227 | - if (genre && *genre) { | ||
228 | + if (gfc && genre && *genre) { | ||
229 | int const num = lookupGenre(genre); | ||
230 | if (num == -1) return num; | ||
231 | gfc->tag_spec.flags |= CHANGED_FLAG; | ||
232 | @@ -1539,6 +1594,9 @@ | ||
233 | int | ||
234 | id3tag_set_fieldvalue(lame_t gfp, const char *fieldvalue) | ||
235 | { | ||
236 | + if (is_lame_internal_flags_null(gfp)) { | ||
237 | + return 0; | ||
238 | + } | ||
239 | if (fieldvalue && *fieldvalue) { | ||
240 | if (strlen(fieldvalue) < 5 || fieldvalue[4] != '=') { | ||
241 | return -1; | ||
242 | @@ -1551,6 +1609,9 @@ | ||
243 | int | ||
244 | id3tag_set_fieldvalue_utf16(lame_t gfp, const unsigned short *fieldvalue) | ||
245 | { | ||
246 | + if (is_lame_internal_flags_null(gfp)) { | ||
247 | + return 0; | ||
248 | + } | ||
249 | if (fieldvalue && *fieldvalue) { | ||
250 | size_t dx = hasUcs2ByteOrderMarker(fieldvalue[0]); | ||
251 | unsigned short const separator = fromLatin1Char(fieldvalue, '='); | ||
252 | @@ -1581,20 +1642,21 @@ | ||
253 | int | ||
254 | id3tag_set_fieldvalue_ucs2(lame_t gfp, const unsigned short *fieldvalue) | ||
255 | { | ||
256 | + if (is_lame_internal_flags_null(gfp)) { | ||
257 | + return 0; | ||
258 | + } | ||
259 | return id3tag_set_fieldvalue_utf16(gfp, fieldvalue); | ||
260 | } | ||
261 | |||
262 | size_t | ||
263 | lame_get_id3v2_tag(lame_t gfp, unsigned char *buffer, size_t size) | ||
264 | { | ||
265 | - lame_internal_flags *gfc; | ||
266 | - if (gfp == 0) { | ||
267 | + lame_internal_flags *gfc = 0; | ||
268 | + | ||
269 | + if (is_lame_internal_flags_null(gfp)) { | ||
270 | return 0; | ||
271 | } | ||
272 | gfc = gfp->internal_flags; | ||
273 | - if (gfc == 0) { | ||
274 | - return 0; | ||
275 | - } | ||
276 | if (test_tag_spec_flags(gfc, V1_ONLY_FLAG)) { | ||
277 | return 0; | ||
278 | } | ||
279 | @@ -1736,7 +1798,12 @@ | ||
280 | int | ||
281 | id3tag_write_v2(lame_t gfp) | ||
282 | { | ||
283 | - lame_internal_flags *gfc = gfp->internal_flags; | ||
284 | + lame_internal_flags *gfc = 0; | ||
285 | + | ||
286 | + if (is_lame_internal_flags_null(gfp)) { | ||
287 | + return 0; | ||
288 | + } | ||
289 | + gfc = gfp->internal_flags; | ||
290 | #if 0 | ||
291 | debug_tag_spec_flags(gfc, "write v2"); | ||
292 | #endif | ||
293 | @@ -1837,10 +1904,15 @@ | ||
294 | int | ||
295 | id3tag_write_v1(lame_t gfp) | ||
296 | { | ||
297 | - lame_internal_flags *const gfc = gfp->internal_flags; | ||
298 | + lame_internal_flags* gfc = 0; | ||
299 | size_t i, n, m; | ||
300 | unsigned char tag[128]; | ||
301 | |||
302 | + if (is_lame_internal_flags_null(gfp)) { | ||
303 | + return 0; | ||
304 | + } | ||
305 | + gfc = gfp->internal_flags; | ||
306 | + | ||
307 | m = sizeof(tag); | ||
308 | n = lame_get_id3v1_tag(gfp, tag, m); | ||
309 | if (n > m) { | ||
diff --git a/meta/recipes-multimedia/lame/lame_3.99.5.bb b/meta/recipes-multimedia/lame/lame_3.99.5.bb index 047761153d..e5321bb9d8 100644 --- a/meta/recipes-multimedia/lame/lame_3.99.5.bb +++ b/meta/recipes-multimedia/lame/lame_3.99.5.bb | |||
@@ -14,7 +14,9 @@ PR = "r1" | |||
14 | 14 | ||
15 | SRC_URI = "${SOURCEFORGE_MIRROR}/lame/lame-${PV}.tar.gz \ | 15 | SRC_URI = "${SOURCEFORGE_MIRROR}/lame/lame-${PV}.tar.gz \ |
16 | file://no-gtk1.patch \ | 16 | file://no-gtk1.patch \ |
17 | file://lame-3.99.5_fix_for_automake-1.12.x.patch " | 17 | file://lame-3.99.5_fix_for_automake-1.12.x.patch \ |
18 | file://CVE-2017-13712.patch \ | ||
19 | " | ||
18 | 20 | ||
19 | SRC_URI[md5sum] = "84835b313d4a8b68f5349816d33e07ce" | 21 | SRC_URI[md5sum] = "84835b313d4a8b68f5349816d33e07ce" |
20 | SRC_URI[sha256sum] = "24346b4158e4af3bd9f2e194bb23eb473c75fb7377011523353196b19b9a23ff" | 22 | SRC_URI[sha256sum] = "24346b4158e4af3bd9f2e194bb23eb473c75fb7377011523353196b19b9a23ff" |