speex: fix CVE-2020-23903

Backport patch to fix CVE-2020-23903. CVE: CVE-2020-23903 (From OE-Core rev: b8f56e5e9eef32c1e01742f913e205d93548de1f) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2022-01-17 00:23:58 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-01-17 11:49:12 +0000
commit: 310fe1261d273b58eb8bc0f7ab839c78ddfad245 (patch)
tree: c33779e950fa482483cbefd925a31624ec3eb7d3 /meta/recipes-multimedia/speex
parent: 63099553f607b34732ad0903651cf97fbebdc46f (diff)
download: poky-310fe1261d273b58eb8bc0f7ab839c78ddfad245.tar.gz
2 files changed, 33 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
new file mode 100644
index 0000000000..eb16e95ffc
--- /dev/null
+++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
@@ -0,0 +1,30 @@
+Backport patch to fix CVE-2020-23903.
+CVE: CVE-2020-23903
+Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001
+From: Tristan Matthews <tmatth@videolan.org>
+Date: Mon, 13 Jul 2020 23:25:03 -0400
+Subject: [PATCH] wav_io: guard against invalid channel numbers
+Fixes #13
+---
+ src/wav_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/wav_io.c b/src/wav_io.c
+index b5183015..09d62eb0 100644
+--- a/src/wav_io.c
+++ b/src/wav_io.c
+@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+    stmp = le_short(stmp);
+    *channels = stmp;
+ 
+-   if (stmp>2)
+   if (stmp>2 || stmp<1)
+    {
+       fprintf (stderr, "Only mono and (intensity) stereo supported\n");
+       return -1;
diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb
index 3a0911d6f8..ea475f0f1b 100644
--- a/meta/recipes-multimedia/speex/speex_1.2.0.bb
+++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \
                    file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"
 DEPENDS = "libogg speexdsp"
-SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz"
+SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \
+           file://CVE-2020-23903.patch \
+           "
 UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"
 SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"
author	Kai Kang <kai.kang@windriver.com>	2022-01-17 00:23:58 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-01-17 11:49:12 +0000
commit	310fe1261d273b58eb8bc0f7ab839c78ddfad245 (patch)
tree	c33779e950fa482483cbefd925a31624ec3eb7d3 /meta/recipes-multimedia/speex
parent	63099553f607b34732ad0903651cf97fbebdc46f (diff)
download	poky-310fe1261d273b58eb8bc0f7ab839c78ddfad245.tar.gz

diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch new file mode 100644 index 0000000000..eb16e95ffc --- /dev/null +++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
@@ -0,0 +1,30 @@
		1	Backport patch to fix CVE-2020-23903.
		2
		3	CVE: CVE-2020-23903
		4	Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84]
		5
		6	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		7
		8	From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001
		9	From: Tristan Matthews <tmatth@videolan.org>
		10	Date: Mon, 13 Jul 2020 23:25:03 -0400
		11	Subject: [PATCH] wav_io: guard against invalid channel numbers
		12
		13	Fixes #13
		14	---
		15	src/wav_io.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/src/wav_io.c b/src/wav_io.c
		19	index b5183015..09d62eb0 100644
		20	--- a/src/wav_io.c
		21	+++ b/src/wav_io.c
		22	@@ -111,7 +111,7 @@ int read_wav_header(FILE file, int rate, int channels, int format, spx_int32
		23	stmp = le_short(stmp);
		24	*channels = stmp;
		25
		26	- if (stmp>2)
		27	+ if (stmp>2 \|\| stmp<1)
		28	{
		29	fprintf (stderr, "Only mono and (intensity) stereo supported\n");
		30	return -1;


diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb index 3a0911d6f8..ea475f0f1b 100644 --- a/meta/recipes-multimedia/speex/speex_1.2.0.bb +++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \
7	file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"	7	file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"
8	DEPENDS = "libogg speexdsp"	8	DEPENDS = "libogg speexdsp"
9		9
10	SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz"	10	SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \
		11	file://CVE-2020-23903.patch \
		12	"
11	UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"	13	UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"
12		14
13	SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"	15	SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"