libsndfile1: Security fix CVE-2018-19432

(From OE-Core rev: 6f010c9b7777aae5ce2108122d0c6d3b1d630a21) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-02-20 16:54:20 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-02-25 16:35:33 +0000
commit: ae9160e099e9b23f1b756020d78db46052a1dca6 (patch)
tree: 34e3b1b764d28e423447fda832557db5b7bad26e /meta/recipes-multimedia
parent: 1efe414a67de27ac2e045e0ed6209e33cdeb7ec0 (diff)
download: poky-ae9160e099e9b23f1b756020d78db46052a1dca6.tar.gz
2 files changed, 116 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
new file mode 100644
index 0000000000..8ded2c0f85
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
@@ -0,0 +1,115 @@
+From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Thu, 8 Mar 2018 18:00:21 +1100
+Subject: [PATCH] Fix max channel count bug
+The code was allowing files to be written with a channel count of exactly
+`SF_MAX_CHANNELS` but was failing to read some file formats with the same
+channel count.
+Upstream-Status: Backport [https://github.com/erikd/libsndfile/
+commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
+CVE: CVE-2018-19432
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/aiff.c |    6 +++---
+ src/rf64.c |    4 ++--
+ src/w64.c  |    4 ++--
+ src/wav.c  |    4 ++--
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+diff --git a/src/aiff.c b/src/aiff.c
+index fbd43cb..6386bce 100644
+--- a/src/aiff.c
+++ b/src/aiff.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2005 David Viens <davidv@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
+        if (psf->sf.channels < 1)
+                return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-       if (psf->sf.channels >= SF_MAX_CHANNELS)
+       if (psf->sf.channels > SF_MAX_CHANNELS)
+                return SFE_CHANNEL_COUNT ;
+ 
+        if (! (found_chunk & HAVE_FORM))
+@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
+        psf_log_printf (psf, "  Sample Rate : %d\n", samplerate) ;
+        psf_log_printf (psf, "  Frames      : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ;
+ 
+-       if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS)
+       if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS)
+        {       psf_log_printf (psf, "  Channels    : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
+                return SFE_CHANNEL_COUNT_BAD ;
+                } ;
+diff --git a/src/rf64.c b/src/rf64.c
+index d57f0f3..876cd45 100644
+--- a/src/rf64.c
+++ b/src/rf64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2009      Uli Franke <cls@nebadje.org>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
+        if (psf->sf.channels < 1)
+                return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-       if (psf->sf.channels >= SF_MAX_CHANNELS)
+       if (psf->sf.channels > SF_MAX_CHANNELS)
+                return SFE_CHANNEL_COUNT ;
+ 
+        /* WAVs can be little or big endian */
+diff --git a/src/w64.c b/src/w64.c
+index 939b716..a37d2c5 100644
+--- a/src/w64.c
+++ b/src/w64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -383,7 +383,7 @@ w64_read_header     (SF_PRIVATE *psf, int *b
+        if (psf->sf.channels < 1)
+                return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-       if (psf->sf.channels >= SF_MAX_CHANNELS)
+       if (psf->sf.channels > SF_MAX_CHANNELS)
+                return SFE_CHANNEL_COUNT ;
+ 
+        psf->endian = SF_ENDIAN_LITTLE ;                /* All W64 files are little endian. */
+diff --git a/src/wav.c b/src/wav.c
+index 7bd97bc..dc97545 100644
+--- a/src/wav.c
+++ b/src/wav.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -627,7 +627,7 @@ wav_read_header     (SF_PRIVATE *psf, int *b
+        if (psf->sf.channels < 1)
+                return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-       if (psf->sf.channels >= SF_MAX_CHANNELS)
+       if (psf->sf.channels > SF_MAX_CHANNELS)
+                return SFE_CHANNEL_COUNT ;
+ 
+        if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
+-- 
+1.7.9.5
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 13248f5cb7..9700f4a6e7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
           file://CVE-2017-14634.patch \
           file://CVE-2018-13139.patch \
           file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
+           file://CVE-2018-19432.patch \
          "
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
author	Changqing Li <changqing.li@windriver.com>	2019-02-20 16:54:20 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-02-25 16:35:33 +0000
commit	ae9160e099e9b23f1b756020d78db46052a1dca6 (patch)
tree	34e3b1b764d28e423447fda832557db5b7bad26e /meta/recipes-multimedia
parent	1efe414a67de27ac2e045e0ed6209e33cdeb7ec0 (diff)
download	poky-ae9160e099e9b23f1b756020d78db46052a1dca6.tar.gz

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch new file mode 100644 index 0000000000..8ded2c0f85 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
@@ -0,0 +1,115 @@
		1	From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
		2	From: Erik de Castro Lopo <erikd@mega-nerd.com>
		3	Date: Thu, 8 Mar 2018 18:00:21 +1100
		4	Subject: [PATCH] Fix max channel count bug
		5
		6	The code was allowing files to be written with a channel count of exactly
		7	`SF_MAX_CHANNELS` but was failing to read some file formats with the same
		8	channel count.
		9
		10	Upstream-Status: Backport [https://github.com/erikd/libsndfile/
		11	commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
		12
		13	CVE: CVE-2018-19432
		14
		15	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		16
		17	---
		18	src/aiff.c \| 6 +++---
		19	src/rf64.c \| 4 ++--
		20	src/w64.c \| 4 ++--
		21	src/wav.c \| 4 ++--
		22	4 files changed, 9 insertions(+), 9 deletions(-)
		23
		24	diff --git a/src/aiff.c b/src/aiff.c
		25	index fbd43cb..6386bce 100644
		26	--- a/src/aiff.c
		27	+++ b/src/aiff.c
		28	@@ -1,5 +1,5 @@
		29	/*
		30	-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
		31	+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
		32	** Copyright (C) 2005 David Viens <davidv@plogue.com>
		33	**
		34	** This program is free software; you can redistribute it and/or modify
		35	@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
		36	if (psf->sf.channels < 1)
		37	return SFE_CHANNEL_COUNT_ZERO ;
		38
		39	- if (psf->sf.channels >= SF_MAX_CHANNELS)
		40	+ if (psf->sf.channels > SF_MAX_CHANNELS)
		41	return SFE_CHANNEL_COUNT ;
		42
		43	if (! (found_chunk & HAVE_FORM))
		44	@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
		45	psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ;
		46	psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ;
		47
		48	- if (comm_fmt->numChannels < 1 \|\| comm_fmt->numChannels >= SF_MAX_CHANNELS)
		49	+ if (comm_fmt->numChannels < 1 \|\| comm_fmt->numChannels > SF_MAX_CHANNELS)
		50	{ psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
		51	return SFE_CHANNEL_COUNT_BAD ;
		52	} ;
		53	diff --git a/src/rf64.c b/src/rf64.c
		54	index d57f0f3..876cd45 100644
		55	--- a/src/rf64.c
		56	+++ b/src/rf64.c
		57	@@ -1,5 +1,5 @@
		58	/*
		59	-** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
		60	+** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
		61	** Copyright (C) 2009 Uli Franke <cls@nebadje.org>
		62	**
		63	** This program is free software; you can redistribute it and/or modify
		64	@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE psf, int
		65	if (psf->sf.channels < 1)
		66	return SFE_CHANNEL_COUNT_ZERO ;
		67
		68	- if (psf->sf.channels >= SF_MAX_CHANNELS)
		69	+ if (psf->sf.channels > SF_MAX_CHANNELS)
		70	return SFE_CHANNEL_COUNT ;
		71
		72	/* WAVs can be little or big endian */
		73	diff --git a/src/w64.c b/src/w64.c
		74	index 939b716..a37d2c5 100644
		75	--- a/src/w64.c
		76	+++ b/src/w64.c
		77	@@ -1,5 +1,5 @@
		78	/*
		79	-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
		80	+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
		81	**
		82	** This program is free software; you can redistribute it and/or modify
		83	** it under the terms of the GNU Lesser General Public License as published by
		84	@@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE psf, int b
		85	if (psf->sf.channels < 1)
		86	return SFE_CHANNEL_COUNT_ZERO ;
		87
		88	- if (psf->sf.channels >= SF_MAX_CHANNELS)
		89	+ if (psf->sf.channels > SF_MAX_CHANNELS)
		90	return SFE_CHANNEL_COUNT ;
		91
		92	psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */
		93	diff --git a/src/wav.c b/src/wav.c
		94	index 7bd97bc..dc97545 100644
		95	--- a/src/wav.c
		96	+++ b/src/wav.c
		97	@@ -1,5 +1,5 @@
		98	/*
		99	-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
		100	+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
		101	** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
		102	**
		103	** This program is free software; you can redistribute it and/or modify
		104	@@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE psf, int b
		105	if (psf->sf.channels < 1)
		106	return SFE_CHANNEL_COUNT_ZERO ;
		107
		108	- if (psf->sf.channels >= SF_MAX_CHANNELS)
		109	+ if (psf->sf.channels > SF_MAX_CHANNELS)
		110	return SFE_CHANNEL_COUNT ;
		111
		112	if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
		113	--
		114	1.7.9.5
		115


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 13248f5cb7..9700f4a6e7 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
14	file://CVE-2017-14634.patch \	14	file://CVE-2017-14634.patch \
15	file://CVE-2018-13139.patch \	15	file://CVE-2018-13139.patch \
16	file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \	16	file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
		17	file://CVE-2018-19432.patch \
17	"	18	"
18		19
19	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"	20	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"