5 files changed, 164 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
+++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+                return 0 ;
+                } ;
+ 
+-       if (chunksize >= sizeof (SF_CART_INFO_16K))
+       /*
+       **      SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
+       **      of the chunk, so don't include it in the size check.
+       */
+       if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+        {       psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+                psf_binheader_readf (psf, "j", chunksize) ;
+                return 0 ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
new file mode 100644
index 0000000000..d6b03d7d4d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
+++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init       (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+        if (psf->file.mode == SFM_WRITE)
+                samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
+-       if (blockalign < 7 * psf->sf.channels)
+-       {       psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
+       /* There's 7 samples per channel in the preamble of each block */
+       if (samplesperblock < 7 * psf->sf.channels)
+       {       psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
+               return SFE_INTERNAL ;
+               } ;
+
+       if (2 * blockalign < samplesperblock * psf->sf.channels)
+       {       psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+                return SFE_INTERNAL ;
+                } ;
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
new file mode 100644
index 0000000000..f7ae82588f
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
@@ -0,0 +1,30 @@
+From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001
+From: yuan <ssspeed00@gmail.com>
+Date: Tue, 20 Apr 2021 16:16:32 +0800
+Subject: [PATCH] flac: Fix improper buffer reusing (#732)
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc]
+CVE: CVE-2021-4156
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/flac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/flac.c b/src/flac.c
+index 0be82ac..4fa5cfa 100644
+--- a/src/flac.c
+++ b/src/flac.c
+@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+        /* Decode some more. */
+        while (pflac->pos < pflac->len)
+        {       if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
+               {       psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
+                       /* Current frame is busted, so NULL the pointer. */
+                       pflac->frame = NULL ;
+                        break ;
+                       } ;
+                state = FLAC__stream_decoder_get_state (pflac->fsd) ;
+                if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
+                {       psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
+--
+2.40.1
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
new file mode 100644
index 0000000000..e22b4e9389
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+The clang sanitizer warns of a possible signed integer overflow when
+calculating the `dataend` value in `mat4_read_header()`.
+```
+src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
+src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
+```
+Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
+`dataend` before performing the calculation, to avoid the issue.
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/789
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
+CVE: CVE-2022-33065
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/mat4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/mat4.c b/src/mat4.c
+index 3c73680..e2f98b7 100644
+--- a/src/mat4.c
+++ b/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+                                psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+                }
+        else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
+-               psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+               psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
+        psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+--
+2.40.1
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b100108766..fb7d94ab75 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Audio format Conversion library"
+DESCRIPTION = "Library for reading and writing files containing sampled \
+sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \
+one standard library interface."
 HOMEPAGE = "http://www.mega-nerd.com/libsndfile"
 AUTHOR = "Erik de Castro Lopo"
 DEPENDS = "flac libogg libvorbis"
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
           file://CVE-2017-12562.patch \
           file://CVE-2018-19758.patch \
           file://CVE-2019-3832.patch \
-          "
+           file://CVE-2021-3246_1.patch \
+           file://CVE-2021-3246_2.patch \
+           file://CVE-2022-33065.patch \
+           file://CVE-2021-4156.patch \
+           "
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
 SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9"

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
		1	From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
		2	From: bobsayshilol <bobsayshilol@live.co.uk>
		3	Date: Wed, 17 Feb 2021 23:21:48 +0000
		4	Subject: [PATCH 1/2] wavlike: Fix incorrect size check
		5
		6	The SF_CART_INFO_16K struct has an additional 4 byte field to hold
		7	the size of 'tag_text' which the file header doesn't, so don't
		8	include it as part of the check when looking for the max length.
		9
		10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
		11
		12	Upstream-Status: Backport
		13	CVE: CVE-2021-3246 patch 1
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	src/wavlike.c \| 6 +++++-
		18	1 file changed, 5 insertions(+), 1 deletion(-)
		19
		20	Index: libsndfile-1.0.28/src/wavlike.c
		21	===================================================================
		22	--- libsndfile-1.0.28.orig/src/wavlike.c
		23	+++ libsndfile-1.0.28/src/wavlike.c
		24	@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
		25	return 0 ;
		26	} ;
		27
		28	- if (chunksize >= sizeof (SF_CART_INFO_16K))
		29	+ /*
		30	+ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
		31	+ ** of the chunk, so don't include it in the size check.
		32	+ */
		33	+ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
		34	{ psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
		35	psf_binheader_readf (psf, "j", chunksize) ;
		36	return 0 ;


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch new file mode 100644 index 0000000000..d6b03d7d4d --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
		1	From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
		2	From: bobsayshilol <bobsayshilol@live.co.uk>
		3	Date: Thu, 18 Feb 2021 21:52:09 +0000
		4	Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
		5
		6	'blockalign' is the size of a block, and each block contains 7 samples
		7	per channel as part of the preamble, so check against 'samplesperblock'
		8	rather than 'blockalign'. Also add an additional check that the block
		9	is big enough to hold the samples it claims to hold.
		10
		11	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2021-3246 patch 2
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	src/ms_adpcm.c \| 10 ++++++++--
		19	1 file changed, 8 insertions(+), 2 deletions(-)
		20
		21	diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
		22	index 5e8f1a31..a21cb994 100644
		23	--- a/src/ms_adpcm.c
		24	+++ b/src/ms_adpcm.c
		25	@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
		26	if (psf->file.mode == SFM_WRITE)
		27	samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
		28
		29	- if (blockalign < 7 * psf->sf.channels)
		30	- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
		31	+ /* There's 7 samples per channel in the preamble of each block */
		32	+ if (samplesperblock < 7 * psf->sf.channels)
		33	+ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
		34	+ return SFE_INTERNAL ;
		35	+ } ;
		36	+
		37	+ if (2 * blockalign < samplesperblock * psf->sf.channels)
		38	+ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
		39	return SFE_INTERNAL ;
		40	} ;
		41
		42	--
		43	2.25.1
		44


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch new file mode 100644 index 0000000000..f7ae82588f --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
@@ -0,0 +1,30 @@
		1	From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001
		2	From: yuan <ssspeed00@gmail.com>
		3	Date: Tue, 20 Apr 2021 16:16:32 +0800
		4	Subject: [PATCH] flac: Fix improper buffer reusing (#732)
		5
		6	Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc]
		7	CVE: CVE-2021-4156
		8	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		9	---
		10	src/flac.c \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/src/flac.c b/src/flac.c
		14	index 0be82ac..4fa5cfa 100644
		15	--- a/src/flac.c
		16	+++ b/src/flac.c
		17	@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
		18	/* Decode some more. */
		19	while (pflac->pos < pflac->len)
		20	{ if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
		21	+ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
		22	+ /* Current frame is busted, so NULL the pointer. */
		23	+ pflac->frame = NULL ;
		24	break ;
		25	+ } ;
		26	state = FLAC__stream_decoder_get_state (pflac->fsd) ;
		27	if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
		28	{ psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
		29	--
		30	2.40.1


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..e22b4e9389 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
		1	From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
		2	From: Alex Stewart <alex.stewart@ni.com>
		3	Date: Tue, 10 Oct 2023 16:10:34 -0400
		4	Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
		5
		6	The clang sanitizer warns of a possible signed integer overflow when
		7	calculating the `dataend` value in `mat4_read_header()`.
		8
		9	```
		10	src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
		11	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
		12	src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
		13	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
		14	```
		15
		16	Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
		17	`dataend` before performing the calculation, to avoid the issue.
		18
		19	CVE: CVE-2022-33065
		20	Fixes: https://github.com/libsndfile/libsndfile/issues/789
		21	Fixes: https://github.com/libsndfile/libsndfile/issues/833
		22
		23	Signed-off-by: Alex Stewart <alex.stewart@ni.com>
		24
		25	Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
		26	CVE: CVE-2022-33065
		27	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		28	---
		29	src/mat4.c \| 2 +-
		30	1 file changed, 1 insertion(+), 1 deletion(-)
		31
		32	diff --git a/src/mat4.c b/src/mat4.c
		33	index 3c73680..e2f98b7 100644
		34	--- a/src/mat4.c
		35	+++ b/src/mat4.c
		36	@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
		37	psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
		38	}
		39	else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
		40	- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
		41	+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
		42
		43	psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
		44
		45	--
		46	2.40.1


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b100108766..fb7d94ab75 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -1,4 +1,7 @@
1	SUMMARY = "Audio format Conversion library"	1	SUMMARY = "Audio format Conversion library"
		2	DESCRIPTION = "Library for reading and writing files containing sampled \
		3	sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \
		4	one standard library interface."
2	HOMEPAGE = "http://www.mega-nerd.com/libsndfile"	5	HOMEPAGE = "http://www.mega-nerd.com/libsndfile"
3	AUTHOR = "Erik de Castro Lopo"	6	AUTHOR = "Erik de Castro Lopo"
4	DEPENDS = "flac libogg libvorbis"	7	DEPENDS = "flac libogg libvorbis"
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
17	file://CVE-2017-12562.patch \	20	file://CVE-2017-12562.patch \
18	file://CVE-2018-19758.patch \	21	file://CVE-2018-19758.patch \
19	file://CVE-2019-3832.patch \	22	file://CVE-2019-3832.patch \
20	"	23	file://CVE-2021-3246_1.patch \
		24	file://CVE-2021-3246_2.patch \
		25	file://CVE-2022-33065.patch \
		26	file://CVE-2021-4156.patch \
		27	"
21		28
22	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"	29	SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
23	SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9"	30	SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9"