diff options
author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-11-30 13:01:01 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-08 11:45:59 -1000 |
commit | 97b8007eff7c72dcc01cae6fc376f514f201c9e5 (patch) | |
tree | 68476013b69e6d96541ff3b52074b9bb17592f73 /meta | |
parent | 59f99476d85205d97018641290b839ccfe72b134 (diff) | |
download | poky-97b8007eff7c72dcc01cae6fc376f514f201c9e5.tar.gz |
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
(From OE-Core rev: f9cc32ed3c67c8fe60debbc23b579e120038b2e9)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch | 46 | ||||
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 3 |
2 files changed, 48 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..e22b4e9389 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Stewart <alex.stewart@ni.com> | ||
3 | Date: Tue, 10 Oct 2023 16:10:34 -0400 | ||
4 | Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation | ||
5 | |||
6 | The clang sanitizer warns of a possible signed integer overflow when | ||
7 | calculating the `dataend` value in `mat4_read_header()`. | ||
8 | |||
9 | ``` | ||
10 | src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' | ||
11 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in | ||
12 | src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' | ||
13 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in | ||
14 | ``` | ||
15 | |||
16 | Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of | ||
17 | `dataend` before performing the calculation, to avoid the issue. | ||
18 | |||
19 | CVE: CVE-2022-33065 | ||
20 | Fixes: https://github.com/libsndfile/libsndfile/issues/789 | ||
21 | Fixes: https://github.com/libsndfile/libsndfile/issues/833 | ||
22 | |||
23 | Signed-off-by: Alex Stewart <alex.stewart@ni.com> | ||
24 | |||
25 | Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c] | ||
26 | CVE: CVE-2022-33065 | ||
27 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
28 | --- | ||
29 | src/mat4.c | 2 +- | ||
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
31 | |||
32 | diff --git a/src/mat4.c b/src/mat4.c | ||
33 | index 3c73680..e2f98b7 100644 | ||
34 | --- a/src/mat4.c | ||
35 | +++ b/src/mat4.c | ||
36 | @@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) | ||
37 | psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; | ||
38 | } | ||
39 | else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) | ||
40 | - psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; | ||
41 | + psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; | ||
42 | |||
43 | psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; | ||
44 | |||
45 | -- | ||
46 | 2.40.1 | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 2525af8fe0..32b678ce90 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | |||
@@ -22,7 +22,8 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ | |||
22 | file://CVE-2019-3832.patch \ | 22 | file://CVE-2019-3832.patch \ |
23 | file://CVE-2021-3246_1.patch \ | 23 | file://CVE-2021-3246_1.patch \ |
24 | file://CVE-2021-3246_2.patch \ | 24 | file://CVE-2021-3246_2.patch \ |
25 | " | 25 | file://CVE-2022-33065.patch \ |
26 | " | ||
26 | 27 | ||
27 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" | 28 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |
28 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" | 29 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" |