diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch')
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch deleted file mode 100644 index a4679cef2a..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch +++ /dev/null | |||
@@ -1,107 +0,0 @@ | |||
1 | This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 | ||
2 | CVE-2017-17457). As per | ||
3 | https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also | ||
4 | fixes #317 (CVE-2017-14245 CVE-2017-14246). | ||
5 | |||
6 | CVE: CVE-2017-14245 CVE-2017-14246 | ||
7 | CVE: CVE-2017-17456 CVE-2017-17457 | ||
8 | CVE: CVE-2018-19661 CVE-2018-19662 | ||
9 | |||
10 | Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] | ||
11 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
12 | |||
13 | From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 | ||
14 | From: Changqing Li <changqing.li@windriver.com> | ||
15 | Date: Mon, 7 Jan 2019 15:55:03 +0800 | ||
16 | Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) | ||
17 | |||
18 | i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN | ||
19 | properly, leading to buffer underflow. INT_MIN is a special value | ||
20 | since - INT_MIN cannot be represented as int. | ||
21 | |||
22 | In this case round - INT_MIN to INT_MAX and proceed as usual. | ||
23 | |||
24 | f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN | ||
25 | properly, leading to null pointer dereference. | ||
26 | |||
27 | In this case, arbitrarily set the buffer value to 0. | ||
28 | |||
29 | This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and | ||
30 | fixes #344 (CVE-2017-17456 and CVE-2017-17457). | ||
31 | |||
32 | --- | ||
33 | src/alaw.c | 9 +++++++-- | ||
34 | src/ulaw.c | 9 +++++++-- | ||
35 | 2 files changed, 14 insertions(+), 4 deletions(-) | ||
36 | |||
37 | diff --git a/src/alaw.c b/src/alaw.c | ||
38 | index 063fd1a..4220224 100644 | ||
39 | --- a/src/alaw.c | ||
40 | +++ b/src/alaw.c | ||
41 | @@ -19,6 +19,7 @@ | ||
42 | #include "sfconfig.h" | ||
43 | |||
44 | #include <math.h> | ||
45 | +#include <limits.h> | ||
46 | |||
47 | #include "sndfile.h" | ||
48 | #include "common.h" | ||
49 | @@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) | ||
50 | static inline void | ||
51 | i2alaw_array (const int *ptr, int count, unsigned char *buffer) | ||
52 | { while (--count >= 0) | ||
53 | - { if (ptr [count] >= 0) | ||
54 | + { if (ptr [count] == INT_MIN) | ||
55 | + buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; | ||
56 | + else if (ptr [count] >= 0) | ||
57 | buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; | ||
58 | else | ||
59 | buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; | ||
60 | @@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact | ||
61 | static inline void | ||
62 | d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) | ||
63 | { while (--count >= 0) | ||
64 | - { if (ptr [count] >= 0) | ||
65 | + { if (!isfinite (ptr [count])) | ||
66 | + buffer [count] = 0 ; | ||
67 | + else if (ptr [count] >= 0) | ||
68 | buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; | ||
69 | else | ||
70 | buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; | ||
71 | diff --git a/src/ulaw.c b/src/ulaw.c | ||
72 | index e50b4cb..b6070ad 100644 | ||
73 | --- a/src/ulaw.c | ||
74 | +++ b/src/ulaw.c | ||
75 | @@ -19,6 +19,7 @@ | ||
76 | #include "sfconfig.h" | ||
77 | |||
78 | #include <math.h> | ||
79 | +#include <limits.h> | ||
80 | |||
81 | #include "sndfile.h" | ||
82 | #include "common.h" | ||
83 | @@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) | ||
84 | static inline void | ||
85 | i2ulaw_array (const int *ptr, int count, unsigned char *buffer) | ||
86 | { while (--count >= 0) | ||
87 | - { if (ptr [count] >= 0) | ||
88 | + { if (ptr [count] == INT_MIN) | ||
89 | + buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; | ||
90 | + else if (ptr [count] >= 0) | ||
91 | buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; | ||
92 | else | ||
93 | buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; | ||
94 | @@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact | ||
95 | static inline void | ||
96 | d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) | ||
97 | { while (--count >= 0) | ||
98 | - { if (ptr [count] >= 0) | ||
99 | + { if (!isfinite (ptr [count])) | ||
100 | + buffer [count] = 0 ; | ||
101 | + else if (ptr [count] >= 0) | ||
102 | buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; | ||
103 | else | ||
104 | buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; | ||
105 | -- | ||
106 | 2.7.4 | ||
107 | |||