diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile')
5 files changed, 164 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001 | ||
2 | From: bobsayshilol <bobsayshilol@live.co.uk> | ||
3 | Date: Wed, 17 Feb 2021 23:21:48 +0000 | ||
4 | Subject: [PATCH 1/2] wavlike: Fix incorrect size check | ||
5 | |||
6 | The SF_CART_INFO_16K struct has an additional 4 byte field to hold | ||
7 | the size of 'tag_text' which the file header doesn't, so don't | ||
8 | include it as part of the check when looking for the max length. | ||
9 | |||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026 | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2021-3246 patch 1 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | src/wavlike.c | 6 +++++- | ||
18 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
19 | |||
20 | Index: libsndfile-1.0.28/src/wavlike.c | ||
21 | =================================================================== | ||
22 | --- libsndfile-1.0.28.orig/src/wavlike.c | ||
23 | +++ libsndfile-1.0.28/src/wavlike.c | ||
24 | @@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf | ||
25 | return 0 ; | ||
26 | } ; | ||
27 | |||
28 | - if (chunksize >= sizeof (SF_CART_INFO_16K)) | ||
29 | + /* | ||
30 | + ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part | ||
31 | + ** of the chunk, so don't include it in the size check. | ||
32 | + */ | ||
33 | + if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) | ||
34 | { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ; | ||
35 | psf_binheader_readf (psf, "j", chunksize) ; | ||
36 | return 0 ; | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch new file mode 100644 index 0000000000..d6b03d7d4d --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001 | ||
2 | From: bobsayshilol <bobsayshilol@live.co.uk> | ||
3 | Date: Thu, 18 Feb 2021 21:52:09 +0000 | ||
4 | Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks | ||
5 | |||
6 | 'blockalign' is the size of a block, and each block contains 7 samples | ||
7 | per channel as part of the preamble, so check against 'samplesperblock' | ||
8 | rather than 'blockalign'. Also add an additional check that the block | ||
9 | is big enough to hold the samples it claims to hold. | ||
10 | |||
11 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803 | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2021-3246 patch 2 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | src/ms_adpcm.c | 10 ++++++++-- | ||
19 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c | ||
22 | index 5e8f1a31..a21cb994 100644 | ||
23 | --- a/src/ms_adpcm.c | ||
24 | +++ b/src/ms_adpcm.c | ||
25 | @@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) | ||
26 | if (psf->file.mode == SFM_WRITE) | ||
27 | samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ; | ||
28 | |||
29 | - if (blockalign < 7 * psf->sf.channels) | ||
30 | - { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ; | ||
31 | + /* There's 7 samples per channel in the preamble of each block */ | ||
32 | + if (samplesperblock < 7 * psf->sf.channels) | ||
33 | + { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ; | ||
34 | + return SFE_INTERNAL ; | ||
35 | + } ; | ||
36 | + | ||
37 | + if (2 * blockalign < samplesperblock * psf->sf.channels) | ||
38 | + { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ; | ||
39 | return SFE_INTERNAL ; | ||
40 | } ; | ||
41 | |||
42 | -- | ||
43 | 2.25.1 | ||
44 | |||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch new file mode 100644 index 0000000000..f7ae82588f --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001 | ||
2 | From: yuan <ssspeed00@gmail.com> | ||
3 | Date: Tue, 20 Apr 2021 16:16:32 +0800 | ||
4 | Subject: [PATCH] flac: Fix improper buffer reusing (#732) | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc] | ||
7 | CVE: CVE-2021-4156 | ||
8 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
9 | --- | ||
10 | src/flac.c | 4 ++++ | ||
11 | 1 file changed, 4 insertions(+) | ||
12 | |||
13 | diff --git a/src/flac.c b/src/flac.c | ||
14 | index 0be82ac..4fa5cfa 100644 | ||
15 | --- a/src/flac.c | ||
16 | +++ b/src/flac.c | ||
17 | @@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len) | ||
18 | /* Decode some more. */ | ||
19 | while (pflac->pos < pflac->len) | ||
20 | { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0) | ||
21 | + { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ; | ||
22 | + /* Current frame is busted, so NULL the pointer. */ | ||
23 | + pflac->frame = NULL ; | ||
24 | break ; | ||
25 | + } ; | ||
26 | state = FLAC__stream_decoder_get_state (pflac->fsd) ; | ||
27 | if (state >= FLAC__STREAM_DECODER_END_OF_STREAM) | ||
28 | { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ; | ||
29 | -- | ||
30 | 2.40.1 | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..e22b4e9389 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Stewart <alex.stewart@ni.com> | ||
3 | Date: Tue, 10 Oct 2023 16:10:34 -0400 | ||
4 | Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation | ||
5 | |||
6 | The clang sanitizer warns of a possible signed integer overflow when | ||
7 | calculating the `dataend` value in `mat4_read_header()`. | ||
8 | |||
9 | ``` | ||
10 | src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' | ||
11 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in | ||
12 | src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' | ||
13 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in | ||
14 | ``` | ||
15 | |||
16 | Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of | ||
17 | `dataend` before performing the calculation, to avoid the issue. | ||
18 | |||
19 | CVE: CVE-2022-33065 | ||
20 | Fixes: https://github.com/libsndfile/libsndfile/issues/789 | ||
21 | Fixes: https://github.com/libsndfile/libsndfile/issues/833 | ||
22 | |||
23 | Signed-off-by: Alex Stewart <alex.stewart@ni.com> | ||
24 | |||
25 | Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c] | ||
26 | CVE: CVE-2022-33065 | ||
27 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
28 | --- | ||
29 | src/mat4.c | 2 +- | ||
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
31 | |||
32 | diff --git a/src/mat4.c b/src/mat4.c | ||
33 | index 3c73680..e2f98b7 100644 | ||
34 | --- a/src/mat4.c | ||
35 | +++ b/src/mat4.c | ||
36 | @@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) | ||
37 | psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; | ||
38 | } | ||
39 | else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) | ||
40 | - psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; | ||
41 | + psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; | ||
42 | |||
43 | psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; | ||
44 | |||
45 | -- | ||
46 | 2.40.1 | ||
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b100108766..fb7d94ab75 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "Audio format Conversion library" | 1 | SUMMARY = "Audio format Conversion library" |
2 | DESCRIPTION = "Library for reading and writing files containing sampled \ | ||
3 | sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \ | ||
4 | one standard library interface." | ||
2 | HOMEPAGE = "http://www.mega-nerd.com/libsndfile" | 5 | HOMEPAGE = "http://www.mega-nerd.com/libsndfile" |
3 | AUTHOR = "Erik de Castro Lopo" | 6 | AUTHOR = "Erik de Castro Lopo" |
4 | DEPENDS = "flac libogg libvorbis" | 7 | DEPENDS = "flac libogg libvorbis" |
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ | |||
17 | file://CVE-2017-12562.patch \ | 20 | file://CVE-2017-12562.patch \ |
18 | file://CVE-2018-19758.patch \ | 21 | file://CVE-2018-19758.patch \ |
19 | file://CVE-2019-3832.patch \ | 22 | file://CVE-2019-3832.patch \ |
20 | " | 23 | file://CVE-2021-3246_1.patch \ |
24 | file://CVE-2021-3246_2.patch \ | ||
25 | file://CVE-2022-33065.patch \ | ||
26 | file://CVE-2021-4156.patch \ | ||
27 | " | ||
21 | 28 | ||
22 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" | 29 | SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" |
23 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" | 30 | SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" |