summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch101
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb1
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
new file mode 100644
index 0000000000..c3f44ca235
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
1From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 7 Jan 2019 15:55:03 +0800
4Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
5
6i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
7properly, leading to buffer underflow. INT_MIN is a special value
8since - INT_MIN cannot be represented as int.
9
10In this case round - INT_MIN to INT_MAX and proceed as usual.
11
12f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
13properly, leading to null pointer dereference.
14
15In this case, arbitrarily set the buffer value to 0.
16
17This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
18fixes #344 (CVE-2017-17456 and CVE-2017-17457).
19
20Upstream-Status: Backport[https://github.com/erikd/libsndfile/
21commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
22
23CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
24
25Signed-off-by: Changqing Li <changqing.li@windriver.com>
26---
27 src/alaw.c | 9 +++++++--
28 src/ulaw.c | 9 +++++++--
29 2 files changed, 14 insertions(+), 4 deletions(-)
30
31diff --git a/src/alaw.c b/src/alaw.c
32index 063fd1a..4220224 100644
33--- a/src/alaw.c
34+++ b/src/alaw.c
35@@ -19,6 +19,7 @@
36 #include "sfconfig.h"
37
38 #include <math.h>
39+#include <limits.h>
40
41 #include "sndfile.h"
42 #include "common.h"
43@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
44 static inline void
45 i2alaw_array (const int *ptr, int count, unsigned char *buffer)
46 { while (--count >= 0)
47- { if (ptr [count] >= 0)
48+ { if (ptr [count] == INT_MIN)
49+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
50+ else if (ptr [count] >= 0)
51 buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
52 else
53 buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
54@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
55 static inline void
56 d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
57 { while (--count >= 0)
58- { if (ptr [count] >= 0)
59+ { if (!isfinite (ptr [count]))
60+ buffer [count] = 0 ;
61+ else if (ptr [count] >= 0)
62 buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
63 else
64 buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
65diff --git a/src/ulaw.c b/src/ulaw.c
66index e50b4cb..b6070ad 100644
67--- a/src/ulaw.c
68+++ b/src/ulaw.c
69@@ -19,6 +19,7 @@
70 #include "sfconfig.h"
71
72 #include <math.h>
73+#include <limits.h>
74
75 #include "sndfile.h"
76 #include "common.h"
77@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
78 static inline void
79 i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
80 { while (--count >= 0)
81- { if (ptr [count] >= 0)
82+ { if (ptr [count] == INT_MIN)
83+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
84+ else if (ptr [count] >= 0)
85 buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
86 else
87 buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
88@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
89 static inline void
90 d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
91 { while (--count >= 0)
92- { if (ptr [count] >= 0)
93+ { if (!isfinite (ptr [count]))
94+ buffer [count] = 0 ;
95+ else if (ptr [count] >= 0)
96 buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
97 else
98 buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
99--
1002.7.4
101
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b28f675286..13248f5cb7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
13 file://CVE-2017-14245-14246.patch \ 13 file://CVE-2017-14245-14246.patch \
14 file://CVE-2017-14634.patch \ 14 file://CVE-2017-14634.patch \
15 file://CVE-2018-13139.patch \ 15 file://CVE-2018-13139.patch \
16 file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
16 " 17 "
17 18
18SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" 19SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"