libsndfile1: CVE-2017-14245 CVE-2017-14246

sfe_copy_data_fp: check value of "max" variable for being normal and check elements of the data[] array for being finite. Both checks use functions provided by the <math.h> header as declared by the C99 standard. Fixes #317 CVE-2017-14245 CVE-2017-14246 Affects libsndfile1 = 1.0.28 (From OE-Core rev: 39b1dc89ce2870d1a2630b2319783a6203cbcb08) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 18:49:51 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29 15:23:51 +0100
commit: 3c38e696391284f07915f503ef9ee7f8569d224a (patch)
tree: 960baeaf8402e177c9c876219ec5ec8f9d7938f2 /meta/recipes-multimedia
parent: c9b7487d4aee81ce68e484738a47c6188d495475 (diff)
download: poky-3c38e696391284f07915f503ef9ee7f8569d224a.tar.gz
2 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
new file mode 100644
index 0000000000..a17ec21f98
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
@@ -0,0 +1,121 @@
+From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 27 Sep 2017 14:46:17 +0200
+Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
+ normal
+and check elements of the data[] array for being finite.
+Both checks use functions provided by the <math.h> header as declared
+by the C99 standard.
+Fixes #317
+CVE: CVE-2017-14245
+CVE: CVE-2017-14246
+Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
+Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ programs/common.c          | 20 ++++++++++++++++----
+ programs/common.h          |  2 +-
+ programs/sndfile-convert.c |  6 +++++-
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+diff --git a/programs/common.c b/programs/common.c
+index a21e62c..a249a58 100644
+--- a/programs/common.c
+++ b/programs/common.c
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <stdint.h>
+#include <math.h>
+ 
+ #include <sndfile.h>
+ 
+@@ -45,7 +46,7 @@
+ 
+ #define        MIN(x, y)       ((x) < (y) ? (x) : (y))
+ 
+-void
+int
+ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
+ {      static double   data [BUFFER_LEN], max ;
+        int             frames, readcount, k ;
+@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+        readcount = frames ;
+ 
+        sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
+       if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
+               return 1 ;
+ 
+        if (!normalize && max < 1.0)
+        {       while (readcount > 0)
+@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+                while (readcount > 0)
+                {       readcount = sf_readf_double (infile, data, frames) ;
+                        for (k = 0 ; k < readcount * channels ; k++)
+-                               data [k] /= max ;
+                       {       data [k] /= max ;
+
+                               if (!isfinite (data [k])) /* infinite or NaN */
+                                       return 1;
+                               }
+                        sf_writef_double (outfile, data, readcount) ;
+                        } ;
+                } ;
+ 
+-       return ;
+       return 0 ;
+ } /* sfe_copy_data_fp */
+ 
+ void
+@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
+ 
+                /* If the input file is not the same as the output file, copy the data. */
+                if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
+-                       sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
+               {       if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
+                       {       printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
+                               error_code = 1 ;
+                               goto cleanup_exit ;
+                               } ;
+                       }
+                else
+                        sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+                } ;
+diff --git a/programs/common.h b/programs/common.h
+index eda2d7d..986277e 100644
+--- a/programs/common.h
+++ b/programs/common.h
+@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
+ 
+ void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
+ 
+-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+ 
+ void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
+ 
+diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
+index dff7f79..e6de593 100644
+--- a/programs/sndfile-convert.c
+++ b/programs/sndfile-convert.c
+@@ -335,7 +335,11 @@ main (int argc, char * argv [])
+                        || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
+                        || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
+                        || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
+-               sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
+       {       if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
+               {       printf ("Error : Not able to decode input file %s.\n", infilename) ;
+                       return 1 ;
+                       } ;
+               }
+        else
+                sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ 
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 281ac82e39..c6f2a460b2 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
           file://CVE-2017-8361-8365.patch \
           file://CVE-2017-8362.patch \
           file://CVE-2017-8363.patch \
+           file://CVE-2017-14245-14246.patch \
          "
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 18:49:51 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-29 15:23:51 +0100
commit	3c38e696391284f07915f503ef9ee7f8569d224a (patch)
tree	960baeaf8402e177c9c876219ec5ec8f9d7938f2 /meta/recipes-multimedia
parent	c9b7487d4aee81ce68e484738a47c6188d495475 (diff)
download	poky-3c38e696391284f07915f503ef9ee7f8569d224a.tar.gz

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch new file mode 100644 index 0000000000..a17ec21f98 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
@@ -0,0 +1,121 @@
		1	From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
		2	From: Fabian Greffrath <fabian@greffrath.com>
		3	Date: Wed, 27 Sep 2017 14:46:17 +0200
		4	Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
		5	normal
		6
		7	and check elements of the data[] array for being finite.
		8
		9	Both checks use functions provided by the <math.h> header as declared
		10	by the C99 standard.
		11
		12	Fixes #317
		13	CVE: CVE-2017-14245
		14	CVE: CVE-2017-14246
		15
		16	Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
		17
		18	Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
		19	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		20	---
		21	programs/common.c \| 20 ++++++++++++++++----
		22	programs/common.h \| 2 +-
		23	programs/sndfile-convert.c \| 6 +++++-
		24	3 files changed, 22 insertions(+), 6 deletions(-)
		25
		26	diff --git a/programs/common.c b/programs/common.c
		27	index a21e62c..a249a58 100644
		28	--- a/programs/common.c
		29	+++ b/programs/common.c
		30	@@ -36,6 +36,7 @@
		31	#include <string.h>
		32	#include <ctype.h>
		33	#include <stdint.h>
		34	+#include <math.h>
		35
		36	#include <sndfile.h>
		37
		38	@@ -45,7 +46,7 @@
		39
		40	#define MIN(x, y) ((x) < (y) ? (x) : (y))
		41
		42	-void
		43	+int
		44	sfe_copy_data_fp (SNDFILE outfile, SNDFILE infile, int channels, int normalize)
		45	{ static double data [BUFFER_LEN], max ;
		46	int frames, readcount, k ;
		47	@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE outfile, SNDFILE infile, int channels, int normalize
		48	readcount = frames ;
		49
		50	sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
		51	+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
		52	+ return 1 ;
		53
		54	if (!normalize && max < 1.0)
		55	{ while (readcount > 0)
		56	@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE outfile, SNDFILE infile, int channels, int normalize
		57	while (readcount > 0)
		58	{ readcount = sf_readf_double (infile, data, frames) ;
		59	for (k = 0 ; k < readcount * channels ; k++)
		60	- data [k] /= max ;
		61	+ { data [k] /= max ;
		62	+
		63	+ if (!isfinite (data [k])) /* infinite or NaN */
		64	+ return 1;
		65	+ }
		66	sf_writef_double (outfile, data, readcount) ;
		67	} ;
		68	} ;
		69
		70	- return ;
		71	+ return 0 ;
		72	} /* sfe_copy_data_fp */
		73
		74	void
		75	@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
		76
		77	/* If the input file is not the same as the output file, copy the data. */
		78	if ((infileminor == SF_FORMAT_DOUBLE) \|\| (infileminor == SF_FORMAT_FLOAT))
		79	- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
		80	+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
		81	+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
		82	+ error_code = 1 ;
		83	+ goto cleanup_exit ;
		84	+ } ;
		85	+ }
		86	else
		87	sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
		88	} ;
		89	diff --git a/programs/common.h b/programs/common.h
		90	index eda2d7d..986277e 100644
		91	--- a/programs/common.h
		92	+++ b/programs/common.h
		93	@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
		94
		95	void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
		96
		97	-void sfe_copy_data_fp (SNDFILE outfile, SNDFILE infile, int channels, int normalize) ;
		98	+int sfe_copy_data_fp (SNDFILE outfile, SNDFILE infile, int channels, int normalize) ;
		99
		100	void sfe_copy_data_int (SNDFILE outfile, SNDFILE infile, int channels) ;
		101
		102	diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
		103	index dff7f79..e6de593 100644
		104	--- a/programs/sndfile-convert.c
		105	+++ b/programs/sndfile-convert.c
		106	@@ -335,7 +335,11 @@ main (int argc, char * argv [])
		107	\|\| (outfileminor == SF_FORMAT_DOUBLE) \|\| (outfileminor == SF_FORMAT_FLOAT)
		108	\|\| (infileminor == SF_FORMAT_DOUBLE) \|\| (infileminor == SF_FORMAT_FLOAT)
		109	\|\| (infileminor == SF_FORMAT_VORBIS) \|\| (outfileminor == SF_FORMAT_VORBIS))
		110	- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
		111	+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
		112	+ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
		113	+ return 1 ;
		114	+ } ;
		115	+ }
		116	else
		117	sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
		118
		119	--
		120	2.7.4
		121


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 281ac82e39..c6f2a460b2 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
10	file://CVE-2017-8361-8365.patch \	10	file://CVE-2017-8361-8365.patch \
11	file://CVE-2017-8362.patch \	11	file://CVE-2017-8362.patch \
12	file://CVE-2017-8363.patch \	12	file://CVE-2017-8363.patch \
		13	file://CVE-2017-14245-14246.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"	16	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"