diff options
author | Changqing Li <changqing.li@windriver.com> | 2019-01-07 16:06:32 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-01-08 11:16:44 +0000 |
commit | 7bb927d65f0c35a9de71573a575a24544f64cf23 (patch) | |
tree | 24f4e250f0e02aa0e410144dfbf28a18b5690add | |
parent | 06adfa26963880be08674393db3a6463d59769e0 (diff) | |
download | poky-7bb927d65f0c35a9de71573a575a24544f64cf23.tar.gz |
libsndfile1: Security fix CVE-2017-17456/17457 CVE-2018-19661/19662
fix 4 CVEs, which is backport from
https://github.com/erikd/libsndfile/commit/585cc28a93be27d6938f276af0011401b9f7c0ca
(From OE-Core rev: 8f4af329df5373db8910726a6b954652623003dd)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch | 101 | ||||
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 1 |
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch new file mode 100644 index 0000000000..c3f44ca235 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch | |||
@@ -0,0 +1,101 @@ | |||
1 | From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Mon, 7 Jan 2019 15:55:03 +0800 | ||
4 | Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) | ||
5 | |||
6 | i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN | ||
7 | properly, leading to buffer underflow. INT_MIN is a special value | ||
8 | since - INT_MIN cannot be represented as int. | ||
9 | |||
10 | In this case round - INT_MIN to INT_MAX and proceed as usual. | ||
11 | |||
12 | f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN | ||
13 | properly, leading to null pointer dereference. | ||
14 | |||
15 | In this case, arbitrarily set the buffer value to 0. | ||
16 | |||
17 | This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and | ||
18 | fixes #344 (CVE-2017-17456 and CVE-2017-17457). | ||
19 | |||
20 | Upstream-Status: Backport[https://github.com/erikd/libsndfile/ | ||
21 | commit/585cc28a93be27d6938f276af0011401b9f7c0ca] | ||
22 | |||
23 | CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662 | ||
24 | |||
25 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
26 | --- | ||
27 | src/alaw.c | 9 +++++++-- | ||
28 | src/ulaw.c | 9 +++++++-- | ||
29 | 2 files changed, 14 insertions(+), 4 deletions(-) | ||
30 | |||
31 | diff --git a/src/alaw.c b/src/alaw.c | ||
32 | index 063fd1a..4220224 100644 | ||
33 | --- a/src/alaw.c | ||
34 | +++ b/src/alaw.c | ||
35 | @@ -19,6 +19,7 @@ | ||
36 | #include "sfconfig.h" | ||
37 | |||
38 | #include <math.h> | ||
39 | +#include <limits.h> | ||
40 | |||
41 | #include "sndfile.h" | ||
42 | #include "common.h" | ||
43 | @@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) | ||
44 | static inline void | ||
45 | i2alaw_array (const int *ptr, int count, unsigned char *buffer) | ||
46 | { while (--count >= 0) | ||
47 | - { if (ptr [count] >= 0) | ||
48 | + { if (ptr [count] == INT_MIN) | ||
49 | + buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; | ||
50 | + else if (ptr [count] >= 0) | ||
51 | buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; | ||
52 | else | ||
53 | buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; | ||
54 | @@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact | ||
55 | static inline void | ||
56 | d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) | ||
57 | { while (--count >= 0) | ||
58 | - { if (ptr [count] >= 0) | ||
59 | + { if (!isfinite (ptr [count])) | ||
60 | + buffer [count] = 0 ; | ||
61 | + else if (ptr [count] >= 0) | ||
62 | buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; | ||
63 | else | ||
64 | buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; | ||
65 | diff --git a/src/ulaw.c b/src/ulaw.c | ||
66 | index e50b4cb..b6070ad 100644 | ||
67 | --- a/src/ulaw.c | ||
68 | +++ b/src/ulaw.c | ||
69 | @@ -19,6 +19,7 @@ | ||
70 | #include "sfconfig.h" | ||
71 | |||
72 | #include <math.h> | ||
73 | +#include <limits.h> | ||
74 | |||
75 | #include "sndfile.h" | ||
76 | #include "common.h" | ||
77 | @@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) | ||
78 | static inline void | ||
79 | i2ulaw_array (const int *ptr, int count, unsigned char *buffer) | ||
80 | { while (--count >= 0) | ||
81 | - { if (ptr [count] >= 0) | ||
82 | + { if (ptr [count] == INT_MIN) | ||
83 | + buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; | ||
84 | + else if (ptr [count] >= 0) | ||
85 | buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; | ||
86 | else | ||
87 | buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; | ||
88 | @@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact | ||
89 | static inline void | ||
90 | d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) | ||
91 | { while (--count >= 0) | ||
92 | - { if (ptr [count] >= 0) | ||
93 | + { if (!isfinite (ptr [count])) | ||
94 | + buffer [count] = 0 ; | ||
95 | + else if (ptr [count] >= 0) | ||
96 | buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; | ||
97 | else | ||
98 | buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; | ||
99 | -- | ||
100 | 2.7.4 | ||
101 | |||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b28f675286..13248f5cb7 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | |||
@@ -13,6 +13,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ | |||
13 | file://CVE-2017-14245-14246.patch \ | 13 | file://CVE-2017-14245-14246.patch \ |
14 | file://CVE-2017-14634.patch \ | 14 | file://CVE-2017-14634.patch \ |
15 | file://CVE-2018-13139.patch \ | 15 | file://CVE-2018-13139.patch \ |
16 | file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ | ||
16 | " | 17 | " |
17 | 18 | ||
18 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" | 19 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |