libsndfile1: Security fix CVE-2017-17456/17457 CVE-2018-19661/19662

fix 4 CVEs, which is backport from https://github.com/erikd/libsndfile/commit/585cc28a93be27d6938f276af0011401b9f7c0ca (From OE-Core rev: 8f4af329df5373db8910726a6b954652623003dd) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-01-07 16:06:32 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-01-08 11:16:44 +0000
commit: 7bb927d65f0c35a9de71573a575a24544f64cf23 (patch)
tree: 24f4e250f0e02aa0e410144dfbf28a18b5690add /meta/recipes-multimedia/libsndfile/libsndfile1
parent: 06adfa26963880be08674393db3a6463d59769e0 (diff)
download: poky-7bb927d65f0c35a9de71573a575a24544f64cf23.tar.gz
1 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
new file mode 100644
index 0000000000..c3f44ca235
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
+From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 7 Jan 2019 15:55:03 +0800
+Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
+i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+properly, leading to buffer underflow. INT_MIN is a special value
+since - INT_MIN cannot be represented as int.
+In this case round - INT_MIN to INT_MAX and proceed as usual.
+f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+properly, leading to null pointer dereference.
+In this case, arbitrarily set the buffer value to 0.
+This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+Upstream-Status: Backport[https://github.com/erikd/libsndfile/
+commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
+CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/alaw.c | 9 +++++++--
+ src/ulaw.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a..4220224 100644
+--- a/src/alaw.c
+++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include       "sfconfig.h"
+ 
+ #include       <math.h>
+#include       <limits.h>
+ 
+ #include       "sndfile.h"
+ #include       "common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (ptr [count] == INT_MIN)
+                       buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+                else
+                        buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (!isfinite (ptr [count]))
+                       buffer [count] = 0 ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+                else
+                        buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb..b6070ad 100644
+--- a/src/ulaw.c
+++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include       "sfconfig.h"
+ 
+ #include       <math.h>
+#include       <limits.h>
+ 
+ #include       "sndfile.h"
+ #include       "common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (ptr [count] == INT_MIN)
+                       buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+                else
+                        buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (!isfinite (ptr [count]))
+                       buffer [count] = 0 ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+                else
+                        buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
+-- 
+2.7.4
author	Changqing Li <changqing.li@windriver.com>	2019-01-07 16:06:32 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-01-08 11:16:44 +0000
commit	7bb927d65f0c35a9de71573a575a24544f64cf23 (patch)
tree	24f4e250f0e02aa0e410144dfbf28a18b5690add /meta/recipes-multimedia/libsndfile/libsndfile1
parent	06adfa26963880be08674393db3a6463d59769e0 (diff)
download	poky-7bb927d65f0c35a9de71573a575a24544f64cf23.tar.gz

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch new file mode 100644 index 0000000000..c3f44ca235 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
	1	From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Mon, 7 Jan 2019 15:55:03 +0800
	4	Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
	5
	6	i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
	7	properly, leading to buffer underflow. INT_MIN is a special value
	8	since - INT_MIN cannot be represented as int.
	9
	10	In this case round - INT_MIN to INT_MAX and proceed as usual.
	11
	12	f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
	13	properly, leading to null pointer dereference.
	14
	15	In this case, arbitrarily set the buffer value to 0.
	16
	17	This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
	18	fixes #344 (CVE-2017-17456 and CVE-2017-17457).
	19
	20	Upstream-Status: Backport[https://github.com/erikd/libsndfile/
	21	commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
	22
	23	CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
	24
	25	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	26	---
	27	src/alaw.c \| 9 +++++++--
	28	src/ulaw.c \| 9 +++++++--
	29	2 files changed, 14 insertions(+), 4 deletions(-)
	30
	31	diff --git a/src/alaw.c b/src/alaw.c
	32	index 063fd1a..4220224 100644
	33	--- a/src/alaw.c
	34	+++ b/src/alaw.c
	35	@@ -19,6 +19,7 @@
	36	#include "sfconfig.h"
	37
	38	#include <math.h>
	39	+#include <limits.h>
	40
	41	#include "sndfile.h"
	42	#include "common.h"
	43	@@ -326,7 +327,9 @@ s2alaw_array (const short ptr, int count, unsigned char buffer)
	44	static inline void
	45	i2alaw_array (const int ptr, int count, unsigned char buffer)
	46	{ while (--count >= 0)
	47	- { if (ptr [count] >= 0)
	48	+ { if (ptr [count] == INT_MIN)
	49	+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
	50	+ else if (ptr [count] >= 0)
	51	buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
	52	else
	53	buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
	54	@@ -346,7 +349,9 @@ f2alaw_array (const float ptr, int count, unsigned char buffer, float normfact
	55	static inline void
	56	d2alaw_array (const double ptr, int count, unsigned char buffer, double normfact)
	57	{ while (--count >= 0)
	58	- { if (ptr [count] >= 0)
	59	+ { if (!isfinite (ptr [count]))
	60	+ buffer [count] = 0 ;
	61	+ else if (ptr [count] >= 0)
	62	buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
	63	else
	64	buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
	65	diff --git a/src/ulaw.c b/src/ulaw.c
	66	index e50b4cb..b6070ad 100644
	67	--- a/src/ulaw.c
	68	+++ b/src/ulaw.c
	69	@@ -19,6 +19,7 @@
	70	#include "sfconfig.h"
	71
	72	#include <math.h>
	73	+#include <limits.h>
	74
	75	#include "sndfile.h"
	76	#include "common.h"
	77	@@ -827,7 +828,9 @@ s2ulaw_array (const short ptr, int count, unsigned char buffer)
	78	static inline void
	79	i2ulaw_array (const int ptr, int count, unsigned char buffer)
	80	{ while (--count >= 0)
	81	- { if (ptr [count] >= 0)
	82	+ { if (ptr [count] == INT_MIN)
	83	+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
	84	+ else if (ptr [count] >= 0)
	85	buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
	86	else
	87	buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
	88	@@ -847,7 +850,9 @@ f2ulaw_array (const float ptr, int count, unsigned char buffer, float normfact
	89	static inline void
	90	d2ulaw_array (const double ptr, int count, unsigned char buffer, double normfact)
	91	{ while (--count >= 0)
	92	- { if (ptr [count] >= 0)
	93	+ { if (!isfinite (ptr [count]))
	94	+ buffer [count] = 0 ;
	95	+ else if (ptr [count] >= 0)
	96	buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
	97	else
	98	buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
	99	--
	100	2.7.4
	101