summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libsndfile/libsndfile1
diff options
context:
space:
mode:
authorAlexandru Ardelean <ardeleanalex@gmail.com>2022-02-24 17:30:33 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-25 12:41:24 +0000
commitfd2c86b06963345683ac5dc4f47f9da8e0c8c69d (patch)
treee360ee3b3b03d5a3df55aec435b29b0d4b4f669f /meta/recipes-multimedia/libsndfile/libsndfile1
parente62965346314544919e4a529ca860a242d76b303 (diff)
downloadpoky-fd2c86b06963345683ac5dc4f47f9da8e0c8c69d.tar.gz
libsndfile1: bump to version 1.0.31
It seems that the homepage has moved (for a while now) from http://www.mega-nerd.com/libsndfile/ to https://libsndfile.github.io/libsndfile/ On Github, the development group seems to include Erik de Castro Lopo (the original author of libsndfile1). Link: https://github.com/orgs/libsndfile/people All backported CVE patches are in version 1.0.31 (I've checked). The supported format page [1], mentions that Ogg/Opus is supported since 1.0.29, however that isn't currently added in this patch. And it may require libopus. And mp3 is supported at around version 1.1.0, but that version is in beta. This change focuses solely on updating to 1.0.31 and removing all backported patches. [1] https://libsndfile.github.io/libsndfile/formats.html (From OE-Core rev: 6e12ee5f7871150c11dac754145d146ed364b506) Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1')
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch107
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch96
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch42
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch34
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch73
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch59
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch37
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch37
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch115
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch34
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch37
11 files changed, 0 insertions, 671 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
deleted file mode 100644
index a4679cef2a..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
+++ /dev/null
@@ -1,107 +0,0 @@
1This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456
2CVE-2017-17457). As per
3https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also
4fixes #317 (CVE-2017-14245 CVE-2017-14246).
5
6CVE: CVE-2017-14245 CVE-2017-14246
7CVE: CVE-2017-17456 CVE-2017-17457
8CVE: CVE-2018-19661 CVE-2018-19662
9
10Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f]
11Signed-off-by: Ross Burton <ross.burton@intel.com>
12
13From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
14From: Changqing Li <changqing.li@windriver.com>
15Date: Mon, 7 Jan 2019 15:55:03 +0800
16Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
17
18i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
19properly, leading to buffer underflow. INT_MIN is a special value
20since - INT_MIN cannot be represented as int.
21
22In this case round - INT_MIN to INT_MAX and proceed as usual.
23
24f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
25properly, leading to null pointer dereference.
26
27In this case, arbitrarily set the buffer value to 0.
28
29This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
30fixes #344 (CVE-2017-17456 and CVE-2017-17457).
31
32---
33 src/alaw.c | 9 +++++++--
34 src/ulaw.c | 9 +++++++--
35 2 files changed, 14 insertions(+), 4 deletions(-)
36
37diff --git a/src/alaw.c b/src/alaw.c
38index 063fd1a..4220224 100644
39--- a/src/alaw.c
40+++ b/src/alaw.c
41@@ -19,6 +19,7 @@
42 #include "sfconfig.h"
43
44 #include <math.h>
45+#include <limits.h>
46
47 #include "sndfile.h"
48 #include "common.h"
49@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
50 static inline void
51 i2alaw_array (const int *ptr, int count, unsigned char *buffer)
52 { while (--count >= 0)
53- { if (ptr [count] >= 0)
54+ { if (ptr [count] == INT_MIN)
55+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
56+ else if (ptr [count] >= 0)
57 buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
58 else
59 buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
60@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
61 static inline void
62 d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
63 { while (--count >= 0)
64- { if (ptr [count] >= 0)
65+ { if (!isfinite (ptr [count]))
66+ buffer [count] = 0 ;
67+ else if (ptr [count] >= 0)
68 buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
69 else
70 buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
71diff --git a/src/ulaw.c b/src/ulaw.c
72index e50b4cb..b6070ad 100644
73--- a/src/ulaw.c
74+++ b/src/ulaw.c
75@@ -19,6 +19,7 @@
76 #include "sfconfig.h"
77
78 #include <math.h>
79+#include <limits.h>
80
81 #include "sndfile.h"
82 #include "common.h"
83@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
84 static inline void
85 i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
86 { while (--count >= 0)
87- { if (ptr [count] >= 0)
88+ { if (ptr [count] == INT_MIN)
89+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
90+ else if (ptr [count] >= 0)
91 buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
92 else
93 buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
94@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
95 static inline void
96 d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
97 { while (--count >= 0)
98- { if (ptr [count] >= 0)
99+ { if (!isfinite (ptr [count]))
100+ buffer [count] = 0 ;
101+ else if (ptr [count] >= 0)
102 buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
103 else
104 buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
105--
1062.7.4
107
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
deleted file mode 100644
index 491dae3114..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
+++ /dev/null
@@ -1,96 +0,0 @@
1Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in
2libsndfile through 1.0.28 allows remote attackers to cause a denial of service
3(application crash) or possibly have unspecified other impact.
4
5CVE: CVE-2017-12562
6Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8]
7Signed-off-by: Ross Burton <ross.burton@intel.com>
8
9From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001
10From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
11Date: Wed, 14 Jun 2017 12:25:40 +0200
12Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
13 in binheader
14
15Fixes the following problems:
16 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
17 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
18 big switch statement by an amount (16 bytes) which is enough for all cases
19 where only a single value gets added. Cases 's', 'S', 'p' however
20 additionally write an arbitrary length block of data and again enlarge the
21 buffer to the required amount. However, the required space calculation does
22 not take into account the size of the length field which gets output before
23 the data.
24 3. Buffer size requirement calculation in case 'S' does not account for the
25 padding byte ("size += (size & 1) ;" happens after the calculation which
26 uses "size").
27 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
28 involved
29 ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
30 the buffer is only guaranteed to have "size" space available).
31 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
32 beyond the space which is guaranteed to be allocated in the header buffer.
33 6. Case 's' can overrun the provided source string by 1 byte if padding is
34 involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
35 where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
36 plus optionally another 1 which is padding and not guaranteed to be
37 readable via the source string pointer).
38
39Closes: https://github.com/erikd/libsndfile/issues/292
40---
41 src/common.c | 15 +++++++--------
42 1 file changed, 7 insertions(+), 8 deletions(-)
43
44diff --git a/src/common.c b/src/common.c
45index 1a6204ca..6b2a2ee9 100644
46--- a/src/common.c
47+++ b/src/common.c
48@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
49 /* Write a C string (guaranteed to have a zero terminator). */
50 strptr = va_arg (argptr, char *) ;
51 size = strlen (strptr) + 1 ;
52- size += (size & 1) ;
53
54- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
55+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
56 return count ;
57
58 if (psf->rwf_endian == SF_ENDIAN_BIG)
59- header_put_be_int (psf, size) ;
60+ header_put_be_int (psf, size + (size & 1)) ;
61 else
62- header_put_le_int (psf, size) ;
63+ header_put_le_int (psf, size + (size & 1)) ;
64 memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
65+ size += (size & 1) ;
66 psf->header.indx += size ;
67 psf->header.ptr [psf->header.indx - 1] = 0 ;
68 count += 4 + size ;
69@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
70 */
71 strptr = va_arg (argptr, char *) ;
72 size = strlen (strptr) ;
73- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
74+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
75 return count ;
76 if (psf->rwf_endian == SF_ENDIAN_BIG)
77 header_put_be_int (psf, size) ;
78 else
79 header_put_le_int (psf, size) ;
80- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
81+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
82 size += (size & 1) ;
83 psf->header.indx += size ;
84- psf->header.ptr [psf->header.indx] = 0 ;
85 count += 4 + size ;
86 break ;
87
88@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
89 size = (size & 1) ? size : size + 1 ;
90 size = (size > 254) ? 254 : size ;
91
92- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
93+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
94 return count ;
95
96 header_put_byte (psf, size) ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch
deleted file mode 100644
index 39b4ec1101..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001
2From: Fabian Greffrath <fabian@greffrath.com>
3Date: Thu, 28 Sep 2017 12:15:04 +0200
4Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound
5
6This prevents division by zero later in the code.
7
8While the trivial case to catch this (i.e. sf.channels < 1) has already
9been covered, a crafted file may report a number of channels that is
10so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
11miscalculated to zero (if this makes sense) in the determination of the
12blockwidth. Since we only support a limited number of channels anyway,
13make sure to check here as well.
14
15CVE: CVE-2017-14634
16
17Closes: https://github.com/erikd/libsndfile/issues/318
18
19Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788]
20
21Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
22Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
23---
24 src/double64.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
26
27diff --git a/src/double64.c b/src/double64.c
28index b318ea8..78dfef7 100644
29--- a/src/double64.c
30+++ b/src/double64.c
31@@ -91,7 +91,7 @@ int
32 double64_init (SF_PRIVATE *psf)
33 { static int double64_caps ;
34
35- if (psf->sf.channels < 1)
36+ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
37 { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
38 return SFE_INTERNAL ;
39 } ;
40--
412.13.3
42
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch
deleted file mode 100644
index 89552ac2d9..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Tue, 23 May 2017 20:15:24 +1000
4Subject: [PATCH] src/aiff.c: Fix a buffer read overflow
5
6Secunia Advisory SA76717.
7
8Found by: Laurent Delosieres, Secunia Research at Flexera Software
9
10CVE: CVE-2017-6892
11Upstream-Status: Backport
12
13Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
14
15---
16 src/aiff.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
18
19diff --git a/src/aiff.c b/src/aiff.c
20index 5b5f9f5..45864b7 100644
21--- a/src/aiff.c
22+++ b/src/aiff.c
23@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
24 psf_binheader_readf (psf, "j", dword - bytesread) ;
25
26 if (map_info->channel_map != NULL)
27- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ;
28+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ;
29
30 free (psf->channel_map) ;
31
32--
331.9.1
34
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch
deleted file mode 100644
index ac99516bb3..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch
+++ /dev/null
@@ -1,73 +0,0 @@
1From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Wed, 12 Apr 2017 19:45:30 +1000
4Subject: [PATCH] FLAC: Fix a buffer read overrun
5
6Buffer read overrun occurs when reading a FLAC file that switches
7from 2 channels to one channel mid-stream. Only option is to
8abort the read.
9
10Closes: https://github.com/erikd/libsndfile/issues/230
11
12CVE: CVE-2017-8361 CVE-2017-8365
13
14Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3]
15
16Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
17---
18 src/common.h | 1 +
19 src/flac.c | 13 +++++++++++++
20 src/sndfile.c | 1 +
21 3 files changed, 15 insertions(+)
22
23diff --git a/src/common.h b/src/common.h
24index 0bd810c..e2669b6 100644
25--- a/src/common.h
26+++ b/src/common.h
27@@ -725,6 +725,7 @@ enum
28 SFE_FLAC_INIT_DECODER,
29 SFE_FLAC_LOST_SYNC,
30 SFE_FLAC_BAD_SAMPLE_RATE,
31+ SFE_FLAC_CHANNEL_COUNT_CHANGED,
32 SFE_FLAC_UNKOWN_ERROR,
33
34 SFE_WVE_NOT_WVE,
35diff --git a/src/flac.c b/src/flac.c
36index 84de0e2..986a7b8 100644
37--- a/src/flac.c
38+++ b/src/flac.c
39@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
40
41 switch (metadata->type)
42 { case FLAC__METADATA_TYPE_STREAMINFO :
43+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
44+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
45+ "Nothing to be but to error out.\n" ,
46+ psf->sf.channels, metadata->data.stream_info.channels) ;
47+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
48+ return ;
49+ } ;
50+
51+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
52+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
53+ "Carrying on as if nothing happened.",
54+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
55+ } ;
56 psf->sf.channels = metadata->data.stream_info.channels ;
57 psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
58 psf->sf.frames = metadata->data.stream_info.total_samples ;
59diff --git a/src/sndfile.c b/src/sndfile.c
60index 4187561..e2a87be 100644
61--- a/src/sndfile.c
62+++ b/src/sndfile.c
63@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
64 { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
65 { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
66 { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
67+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
68 { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
69
70 { SFE_WVE_NOT_WVE , "Error : not a WVE file." },
71--
722.7.4
73
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch
deleted file mode 100644
index 9ee7e46a6d..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch
+++ /dev/null
@@ -1,59 +0,0 @@
1From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Fri, 14 Apr 2017 15:19:16 +1000
4Subject: [PATCH] src/flac.c: Fix a buffer read overflow
5
6A file (generated by a fuzzer) which increased the number of channels
7from one frame to the next could cause a read beyond the end of the
8buffer provided by libFLAC. Only option is to abort the read.
9
10Closes: https://github.com/erikd/libsndfile/issues/231
11
12CVE: CVE-2017-8362
13
14Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808]
15
16Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
17---
18 src/flac.c | 11 +++++++++--
19 1 file changed, 9 insertions(+), 2 deletions(-)
20
21diff --git a/src/flac.c b/src/flac.c
22index 5a4f8c2..e4f9aaa 100644
23--- a/src/flac.c
24+++ b/src/flac.c
25@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
26 const int32_t* const *buffer = pflac->wbuffer ;
27 unsigned i = 0, j, offset, channels, len ;
28
29+ if (psf->sf.channels != (int) frame->header.channels)
30+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
31+ "Nothing to do but to error out.\n" ,
32+ psf->sf.channels, frame->header.channels) ;
33+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
34+ return 0 ;
35+ } ;
36+
37 /*
38 ** frame->header.blocksize is variable and we're using a constant blocksize
39 ** of FLAC__MAX_BLOCK_SIZE.
40@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
41 return 0 ;
42 } ;
43
44-
45 len = SF_MIN (pflac->len, frame->header.blocksize) ;
46
47 if (pflac->remain % channels != 0)
48@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
49 { case FLAC__METADATA_TYPE_STREAMINFO :
50 if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
51 { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
52- "Nothing to be but to error out.\n" ,
53+ "Nothing to do but to error out.\n" ,
54 psf->sf.channels, metadata->data.stream_info.channels) ;
55 psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
56 return ;
57--
582.7.4
59
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch
deleted file mode 100644
index e526e5a346..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Wed, 12 Apr 2017 20:19:34 +1000
4Subject: [PATCH] src/flac.c: Fix another memory leak
5
6When the FLAC decoder was passed a malformed file, the associated
7`FLAC__StreamDecoder` object was not getting released.
8
9Closes: https://github.com/erikd/libsndfile/issues/233
10
11CVE: CVE-2017-8363
12
13Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8]
14
15Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
16---
17 src/flac.c | 4 +++-
18 1 file changed, 3 insertions(+), 1 deletion(-)
19
20diff --git a/src/flac.c b/src/flac.c
21index 986a7b8..5a4f8c2 100644
22--- a/src/flac.c
23+++ b/src/flac.c
24@@ -841,7 +841,9 @@ flac_read_header (SF_PRIVATE *psf)
25
26 psf_log_printf (psf, "End\n") ;
27
28- if (psf->error == 0)
29+ if (psf->error != 0)
30+ FLAC__stream_decoder_delete (pflac->fsd) ;
31+ else
32 { FLAC__uint64 position ;
33
34 FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
35--
362.7.4
37
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
deleted file mode 100644
index 707373d414..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1CVE: CVE-2018-13139
2Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822]
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001
6From: "Brett T. Warden" <brett.t.warden@intel.com>
7Date: Tue, 28 Aug 2018 12:01:17 -0700
8Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
9
10Allocated buffer has space for only 16 channels. Verify that input file
11meets this limit.
12
13Fixes #397
14---
15 programs/sndfile-deinterleave.c | 7 +++++++
16 1 file changed, 7 insertions(+)
17
18diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
19index e27593e2..cb497e1f 100644
20--- a/programs/sndfile-deinterleave.c
21+++ b/programs/sndfile-deinterleave.c
22@@ -89,6 +89,13 @@ main (int argc, char **argv)
23 exit (1) ;
24 } ;
25
26+ if (sfinfo.channels > MAX_CHANNELS)
27+ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n",
28+ argv [1], sfinfo.channels, MAX_CHANNELS) ;
29+ exit (1) ;
30+ } ;
31+
32+
33 state.channels = sfinfo.channels ;
34 sfinfo.channels = 1 ;
35
36--
372.11.0
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
deleted file mode 100644
index 8ded2c0f85..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
+++ /dev/null
@@ -1,115 +0,0 @@
1From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
2From: Erik de Castro Lopo <erikd@mega-nerd.com>
3Date: Thu, 8 Mar 2018 18:00:21 +1100
4Subject: [PATCH] Fix max channel count bug
5
6The code was allowing files to be written with a channel count of exactly
7`SF_MAX_CHANNELS` but was failing to read some file formats with the same
8channel count.
9
10Upstream-Status: Backport [https://github.com/erikd/libsndfile/
11commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
12
13CVE: CVE-2018-19432
14
15Signed-off-by: Changqing Li <changqing.li@windriver.com>
16
17---
18 src/aiff.c | 6 +++---
19 src/rf64.c | 4 ++--
20 src/w64.c | 4 ++--
21 src/wav.c | 4 ++--
22 4 files changed, 9 insertions(+), 9 deletions(-)
23
24diff --git a/src/aiff.c b/src/aiff.c
25index fbd43cb..6386bce 100644
26--- a/src/aiff.c
27+++ b/src/aiff.c
28@@ -1,5 +1,5 @@
29 /*
30-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
31+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
32 ** Copyright (C) 2005 David Viens <davidv@plogue.com>
33 **
34 ** This program is free software; you can redistribute it and/or modify
35@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
36 if (psf->sf.channels < 1)
37 return SFE_CHANNEL_COUNT_ZERO ;
38
39- if (psf->sf.channels >= SF_MAX_CHANNELS)
40+ if (psf->sf.channels > SF_MAX_CHANNELS)
41 return SFE_CHANNEL_COUNT ;
42
43 if (! (found_chunk & HAVE_FORM))
44@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
45 psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ;
46 psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ;
47
48- if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS)
49+ if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS)
50 { psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
51 return SFE_CHANNEL_COUNT_BAD ;
52 } ;
53diff --git a/src/rf64.c b/src/rf64.c
54index d57f0f3..876cd45 100644
55--- a/src/rf64.c
56+++ b/src/rf64.c
57@@ -1,5 +1,5 @@
58 /*
59-** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
60+** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
61 ** Copyright (C) 2009 Uli Franke <cls@nebadje.org>
62 **
63 ** This program is free software; you can redistribute it and/or modify
64@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
65 if (psf->sf.channels < 1)
66 return SFE_CHANNEL_COUNT_ZERO ;
67
68- if (psf->sf.channels >= SF_MAX_CHANNELS)
69+ if (psf->sf.channels > SF_MAX_CHANNELS)
70 return SFE_CHANNEL_COUNT ;
71
72 /* WAVs can be little or big endian */
73diff --git a/src/w64.c b/src/w64.c
74index 939b716..a37d2c5 100644
75--- a/src/w64.c
76+++ b/src/w64.c
77@@ -1,5 +1,5 @@
78 /*
79-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
80+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
81 **
82 ** This program is free software; you can redistribute it and/or modify
83 ** it under the terms of the GNU Lesser General Public License as published by
84@@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE *psf, int *b
85 if (psf->sf.channels < 1)
86 return SFE_CHANNEL_COUNT_ZERO ;
87
88- if (psf->sf.channels >= SF_MAX_CHANNELS)
89+ if (psf->sf.channels > SF_MAX_CHANNELS)
90 return SFE_CHANNEL_COUNT ;
91
92 psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */
93diff --git a/src/wav.c b/src/wav.c
94index 7bd97bc..dc97545 100644
95--- a/src/wav.c
96+++ b/src/wav.c
97@@ -1,5 +1,5 @@
98 /*
99-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
100+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
101 ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
102 **
103 ** This program is free software; you can redistribute it and/or modify
104@@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE *psf, int *b
105 if (psf->sf.channels < 1)
106 return SFE_CHANNEL_COUNT_ZERO ;
107
108- if (psf->sf.channels >= SF_MAX_CHANNELS)
109+ if (psf->sf.channels > SF_MAX_CHANNELS)
110 return SFE_CHANNEL_COUNT ;
111
112 if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
113--
1141.7.9.5
115
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
deleted file mode 100644
index c3586f9dfc..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1There is a heap-based buffer over-read at wav.c in wav_write_header in
2libsndfile 1.0.28 that will cause a denial of service.
3
4CVE: CVE-2018-19758
5Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e]
6Signed-off-by: Ross Burton <ross.burton@intel.com>
7
8From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001
9From: Erik de Castro Lopo <erikd@mega-nerd.com>
10Date: Tue, 1 Jan 2019 20:11:46 +1100
11Subject: [PATCH] src/wav.c: Fix heap read overflow
12
13This is CVE-2018-19758.
14
15Closes: https://github.com/erikd/libsndfile/issues/435
16---
17 src/wav.c | 2 ++
18 1 file changed, 2 insertions(+)
19
20diff --git a/src/wav.c b/src/wav.c
21index e8405b55..6fb94ae8 100644
22--- a/src/wav.c
23+++ b/src/wav.c
24@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
25 psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
26 psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
27
28+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
29+ psf->instrument->loop_count &= 0x7fff ;
30 for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
31 { int type ;
32
33--
342.11.0
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
deleted file mode 100644
index ab37211399..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
2From: Emilio Pozuelo Monfort <pochu27@gmail.com>
3Date: Tue, 5 Mar 2019 11:27:17 +0100
4Subject: [PATCH] wav_write_header: don't read past the array end
5
6CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
7
8CVE: CVE-2019-3832
9Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
10Signed-off-by: Ross Burton <ross.burton@intel.com>
11
12If loop_count is bigger than the array, truncate it to the array
13length (and not to 32k).
14
15CVE-2019-3832
16
17---
18 src/wav.c | 6 ++++--
19 1 file changed, 4 insertions(+), 2 deletions(-)
20
21diff --git a/src/wav.c b/src/wav.c
22index daae3cc..8851549 100644
23--- a/src/wav.c
24+++ b/src/wav.c
25@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
26 psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
27 psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
28
29- /* Loop count is signed 16 bit number so we limit it range to something sensible. */
30- psf->instrument->loop_count &= 0x7fff ;
31+ /* Make sure we don't read past the loops array end. */
32+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
33+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
34+
35 for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
36 { int type ;
37