libsndfile1: Security fix CVE-2017-17456/17457 CVE-2018-19661/19662

fix 4 CVEs, which is backport from https://github.com/erikd/libsndfile/commit/585cc28a93be27d6938f276af0011401b9f7c0ca (From OE-Core rev: 8f4af329df5373db8910726a6b954652623003dd) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-01-07 16:06:32 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-01-08 11:16:44 +0000
commit: 7bb927d65f0c35a9de71573a575a24544f64cf23 (patch)
tree: 24f4e250f0e02aa0e410144dfbf28a18b5690add /meta/recipes-multimedia
parent: 06adfa26963880be08674393db3a6463d59769e0 (diff)
download: poky-7bb927d65f0c35a9de71573a575a24544f64cf23.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
new file mode 100644
index 0000000000..c3f44ca235
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
+From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 7 Jan 2019 15:55:03 +0800
+Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
+i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+properly, leading to buffer underflow. INT_MIN is a special value
+since - INT_MIN cannot be represented as int.
+In this case round - INT_MIN to INT_MAX and proceed as usual.
+f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+properly, leading to null pointer dereference.
+In this case, arbitrarily set the buffer value to 0.
+This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+Upstream-Status: Backport[https://github.com/erikd/libsndfile/
+commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
+CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/alaw.c | 9 +++++++--
+ src/ulaw.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a..4220224 100644
+--- a/src/alaw.c
+++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include       "sfconfig.h"
+ 
+ #include       <math.h>
+#include       <limits.h>
+ 
+ #include       "sndfile.h"
+ #include       "common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (ptr [count] == INT_MIN)
+                       buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+                else
+                        buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (!isfinite (ptr [count]))
+                       buffer [count] = 0 ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+                else
+                        buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb..b6070ad 100644
+--- a/src/ulaw.c
+++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include       "sfconfig.h"
+ 
+ #include       <math.h>
+#include       <limits.h>
+ 
+ #include       "sndfile.h"
+ #include       "common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (ptr [count] == INT_MIN)
+                       buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+                else
+                        buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {      while (--count >= 0)
+-       {       if (ptr [count] >= 0)
+       {       if (!isfinite (ptr [count]))
+                       buffer [count] = 0 ;
+               else if (ptr [count] >= 0)
+                        buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+                else
+                        buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b28f675286..13248f5cb7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
           file://CVE-2017-14245-14246.patch \
           file://CVE-2017-14634.patch \
           file://CVE-2018-13139.patch \
+           file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
          "
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
author	Changqing Li <changqing.li@windriver.com>	2019-01-07 16:06:32 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-01-08 11:16:44 +0000
commit	7bb927d65f0c35a9de71573a575a24544f64cf23 (patch)
tree	24f4e250f0e02aa0e410144dfbf28a18b5690add /meta/recipes-multimedia
parent	06adfa26963880be08674393db3a6463d59769e0 (diff)
download	poky-7bb927d65f0c35a9de71573a575a24544f64cf23.tar.gz

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch new file mode 100644 index 0000000000..c3f44ca235 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
		1	From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Mon, 7 Jan 2019 15:55:03 +0800
		4	Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
		5
		6	i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
		7	properly, leading to buffer underflow. INT_MIN is a special value
		8	since - INT_MIN cannot be represented as int.
		9
		10	In this case round - INT_MIN to INT_MAX and proceed as usual.
		11
		12	f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
		13	properly, leading to null pointer dereference.
		14
		15	In this case, arbitrarily set the buffer value to 0.
		16
		17	This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
		18	fixes #344 (CVE-2017-17456 and CVE-2017-17457).
		19
		20	Upstream-Status: Backport[https://github.com/erikd/libsndfile/
		21	commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
		22
		23	CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
		24
		25	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		26	---
		27	src/alaw.c \| 9 +++++++--
		28	src/ulaw.c \| 9 +++++++--
		29	2 files changed, 14 insertions(+), 4 deletions(-)
		30
		31	diff --git a/src/alaw.c b/src/alaw.c
		32	index 063fd1a..4220224 100644
		33	--- a/src/alaw.c
		34	+++ b/src/alaw.c
		35	@@ -19,6 +19,7 @@
		36	#include "sfconfig.h"
		37
		38	#include <math.h>
		39	+#include <limits.h>
		40
		41	#include "sndfile.h"
		42	#include "common.h"
		43	@@ -326,7 +327,9 @@ s2alaw_array (const short ptr, int count, unsigned char buffer)
		44	static inline void
		45	i2alaw_array (const int ptr, int count, unsigned char buffer)
		46	{ while (--count >= 0)
		47	- { if (ptr [count] >= 0)
		48	+ { if (ptr [count] == INT_MIN)
		49	+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
		50	+ else if (ptr [count] >= 0)
		51	buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
		52	else
		53	buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
		54	@@ -346,7 +349,9 @@ f2alaw_array (const float ptr, int count, unsigned char buffer, float normfact
		55	static inline void
		56	d2alaw_array (const double ptr, int count, unsigned char buffer, double normfact)
		57	{ while (--count >= 0)
		58	- { if (ptr [count] >= 0)
		59	+ { if (!isfinite (ptr [count]))
		60	+ buffer [count] = 0 ;
		61	+ else if (ptr [count] >= 0)
		62	buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
		63	else
		64	buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
		65	diff --git a/src/ulaw.c b/src/ulaw.c
		66	index e50b4cb..b6070ad 100644
		67	--- a/src/ulaw.c
		68	+++ b/src/ulaw.c
		69	@@ -19,6 +19,7 @@
		70	#include "sfconfig.h"
		71
		72	#include <math.h>
		73	+#include <limits.h>
		74
		75	#include "sndfile.h"
		76	#include "common.h"
		77	@@ -827,7 +828,9 @@ s2ulaw_array (const short ptr, int count, unsigned char buffer)
		78	static inline void
		79	i2ulaw_array (const int ptr, int count, unsigned char buffer)
		80	{ while (--count >= 0)
		81	- { if (ptr [count] >= 0)
		82	+ { if (ptr [count] == INT_MIN)
		83	+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
		84	+ else if (ptr [count] >= 0)
		85	buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
		86	else
		87	buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
		88	@@ -847,7 +850,9 @@ f2ulaw_array (const float ptr, int count, unsigned char buffer, float normfact
		89	static inline void
		90	d2ulaw_array (const double ptr, int count, unsigned char buffer, double normfact)
		91	{ while (--count >= 0)
		92	- { if (ptr [count] >= 0)
		93	+ { if (!isfinite (ptr [count]))
		94	+ buffer [count] = 0 ;
		95	+ else if (ptr [count] >= 0)
		96	buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
		97	else
		98	buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
		99	--
		100	2.7.4
		101


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b28f675286..13248f5cb7 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
13	file://CVE-2017-14245-14246.patch \	13	file://CVE-2017-14245-14246.patch \
14	file://CVE-2017-14634.patch \	14	file://CVE-2017-14634.patch \
15	file://CVE-2018-13139.patch \	15	file://CVE-2018-13139.patch \
		16	file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
16	"	17	"
17		18
18	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"	19	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"