Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/flac/files/CVE-2020-22219.patch | 197 | ||||
-rw-r--r-- | meta/recipes-multimedia/flac/flac_1.3.3.bb | 1 |
2 files changed, 198 insertions, 0 deletions
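--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
@@ -0,0 +1,197 @@
+From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001
+From: Martijn van Beurden <mvanb1@gmail.com>
+Date: Wed, 3 Aug 2022 13:52:19 +0200
+Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions
+
+Parts of the code use realloc like
+
+x = safe_realloc(x, somesize);
+
+when this is the case, the safe_realloc variant used must free the
+old memory block in case it fails, otherwise it will leak. However,
+there are also instances in the code where handling is different:
+
+if (0 == (x = safe_realloc(y, somesize)))
+return false
+
+in this case, y should not be freed, as y is not set to NULL we
+could encounter double frees. Here the safe_realloc_nofree
+functions are used.
+
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815]
+CVE: CVE-2020-22219
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+include/share/alloc.h | 41 +++++++++++++++++++++++++++++++----
+src/flac/encode.c | 4 ++--
+src/flac/foreign_metadata.c | 2 +-
+src/libFLAC/bitwriter.c | 2 +-
+src/libFLAC/metadata_object.c | 2 +-
+src/plugin_common/tags.c | 2 +-
+src/share/utf8/iconvert.c | 2 +-
+7 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/share/alloc.h b/include/share/alloc.h
+index 914de9b..55bdd1d 100644
+--- a/include/share/alloc.h
++++ b/include/share/alloc.h
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size)
+free(oldptr);
+return newptr;
+}
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
++static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
++{
++ size2 += size1;
++ if(size2 < size1)
++ return 0;
++ return realloc(ptr, size2);
++}
++
++static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+{
+size2 += size1;
+if(size2 < size1) {
+free(ptr);
+return 0;
+}
+- return realloc(ptr, size2);
++ size3 += size2;
++ if(size3 < size2) {
++ free(ptr);
++ return 0;
++ }
++ return safe_realloc_(ptr, size3);
+}
+
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
++static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+{
+size2 += size1;
+if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2,
+return realloc(ptr, size3);
+}
+
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
++static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+{
+size2 += size1;
+if(size2 < size1)
+@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2)
+return safe_realloc_(ptr, size1*size2);
+}
+
++static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
++{
++ if(!size1 || !size2)
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ if(size1 > SIZE_MAX / size2)
++ return 0;
++ return realloc(ptr, size1*size2);
++}
++
+/* size1 * (size2 + size3) */
+static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+{
+@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2,
+return safe_realloc_mul_2op_(ptr, size1, size2);
+}
+
++/* size1 * (size2 + size3) */
++static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
++{
++ if(!size1 || (!size2 && !size3))
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ size2 += size3;
++ if(size2 < size3)
++ return 0;
++ return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
++}
++
+#endif
+diff --git a/src/flac/encode.c b/src/flac/encode.c
+index a9b907f..f87250c 100644
+--- a/src/flac/encode.c
++++ b/src/flac/encode.c
+@@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m)
+static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+{
+void *x;
+- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+return false;
+m->metadata = (FLAC__StreamMetadata**)x;
+- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+return false;
+m->needs_delete = (FLAC__bool*)x;
+m->metadata[m->num_metadata] = d;
+diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
+index 9ad9c18..fdfb3cf 100644
+--- a/src/flac/foreign_metadata.c
++++ b/src/flac/foreign_metadata.c
+@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er
+
+static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+{
+- foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
++ foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+if(fb) {
+fb[fm->num_blocks].offset = offset;
+fb[fm->num_blocks].size = size;
+diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
+index 6e86585..a510b0d 100644
+--- a/src/libFLAC/bitwriter.c
++++ b/src/libFLAC/bitwriter.c
+@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
+FLAC__ASSERT(new_capacity > bw->capacity);
+FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+
+- new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
++ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+if(new_buffer == 0)
+return false;
+bw->buffer = new_buffer;
+diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
+index de8e513..aef65be 100644
+--- a/src/libFLAC/metadata_object.c
++++ b/src/libFLAC/metadata_object.c
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint
+/* realloc() failure leaves entry unchanged */
+static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
+{
+- FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
++ FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+if (x != NULL) {
+x[length] = '\0';
+*entry = x;
+diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
+index ae440c5..dfa10d3 100644
+--- a/src/plugin_common/tags.c
++++ b/src/plugin_common/tags.c
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
+const size_t value_len = strlen(value);
+const size_t separator_len = strlen(separator);
+FLAC__byte *new_entry;
+- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
++ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+return false;
+memcpy(new_entry+entry->length, separator, separator_len);
+entry->length += separator_len;
+diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
+index 8ab53c1..876c06e 100644
+--- a/src/share/utf8/iconvert.c
++++ b/src/share/utf8/iconvert.c
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode,
+iconv_close(cd1);
+return ret;
+}
+- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
++ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+if (!newbuf)
+goto fail;
+ob = (ob - utfbuf) + newbuf;
+--
+2.40.0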
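Review bot: The zero-size branch of the new `safe_realloc_nofree_mul_2op_` and `safe_realloc_nofree_muladd2_` in include/share/alloc.h returns `realloc(ptr, 0)`, which on implementations such as glibc frees `ptr` and returns NULL, so a caller that reads 0 as "allocation failed, old block still valid" would keep a dangling pointer, the same double-free shape this patch sets out to remove. The call sites in this patch pass a `sizeof` multiplied by `n + 1` or by a capacity asserted to have grown, so the branch looks unreachable from them, but the contract deserves a comment above both helpers, e.g. `/* a zero product is handed to realloc(ptr, 0), which may free ptr and return NULL; callers must never request a zero size */`. Separately, the name `safe_realloc_add_3op_` now refers to a freeing implementation while its former non-freeing body became `safe_realloc_nofree_add_3op_`; no caller of either appears in this patch, so any existing `safe_realloc_add_3op_` users in the 1.3.3 tree should be checked for the `x = f(y, ...)` pattern, where `y` stays live after a failure.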
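--- a/meta/recipes-multimedia/flac/flac_1.3.3.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
 DEPENDS = "libogg"
 
 SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+file://CVE-2020-22219.patch \
 "
 
 SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69"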