taglib: Security fix CVE-2018-11439

CVE-2018-11439: The TagLib::Ogg::FLAC::File::scan function in
oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause
information disclosure (heap-based buffer over-read) via a crafted audio
file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-11439

Patch from:
https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278

(From OE-Core rev: a300c4917b6c22ef039158be7ae92055c35658d4)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 52 insertions, 0 deletions

diff --git a/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
new file mode 100644
index 0000000000..cdd66e67f7
--- /dev/null
+++ b/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch
@@ -0,0 +1,51 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+This CVE is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
+
+CVE: CVE-2018-11439
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d0450..07ea9dc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+ 
+   if(!metadataHeader.startsWith("fLaC"))  {
+     // FLAC 1.1.2+
++    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++    if(metadataHeader.size() < 13)
++      return;
++
++    if(metadataHeader[0] != 0x7f)
++      return;
++
+     if(metadataHeader.mid(1, 4) != "FLAC")
+       return;
+ 
+-    if(metadataHeader[5] != 1)
+-      return; // not version 1
++    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++      return; // not version 1.0
++
++    if(metadataHeader.mid(9, 4) != "fLaC")
++      return;
+ 
+     metadataHeader = metadataHeader.mid(13);
+   }
+-- 
+2.7.4
+
diff --git a/meta/recipes-support/taglib/taglib_1.11.1.bb b/meta/recipes-support/taglib/taglib_1.11.1.bb
index 50439bc14f..01dcf66d1e 100644
--- a/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
 
 SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
            file://CVE-2017-12678.patch \
+           file://CVE-2018-11439.patch \
           "
 
 SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a"