libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c

(From OE-Core rev: 0dc086b37b1c333adf99c01ce4ecb717df48d6f9) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2023-11-30 11:35:21 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-12 04:20:34 -1000
commit: 006b4b976cae3f4c7a64c73983b7837832d2a3c7 (patch)
tree: d3fa678db7654dd5204f66f35f65915616176380
parent: d6385a54cb94f957ff9fa4f95b5b5fbac6823303 (diff)
download: poky-006b4b976cae3f4c7a64c73983b7837832d2a3c7.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
new file mode 100644
index 0000000000..c5fba4d6b5
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+The clang sanitizer warns of a possible signed integer overflow when
+calculating the `dataend` value in `mat4_read_header()`.
+```
+src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
+src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
+```
+Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
+`dataend` before performing the calculation, to avoid the issue.
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/789
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
+CVE: CVE-2022-33065
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/mat4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/mat4.c b/src/mat4.c
+index 0b1b414..575683b 100644
+--- a/src/mat4.c
+++ b/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+                                psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+                }
+        else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
+-               psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+               psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
+        psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+--
+2.40.1
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
index f6ea585e34..0c654fd853 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
@@ -11,6 +11,7 @@ LICENSE = "LGPL-2.1-only"
 SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \
           file://noopus.patch \
           file://0001-flac-Fix-improper-buffer-reusing-732.patch \
+           file://CVE-2022-33065.patch \
          "
 UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/"
author	Vivek Kumbhar <vkumbhar@mvista.com>	2023-11-30 11:35:21 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-12 04:20:34 -1000
commit	006b4b976cae3f4c7a64c73983b7837832d2a3c7 (patch)
tree	d3fa678db7654dd5204f66f35f65915616176380
parent	d6385a54cb94f957ff9fa4f95b5b5fbac6823303 (diff)
download	poky-006b4b976cae3f4c7a64c73983b7837832d2a3c7.tar.gz

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch new file mode 100644 index 0000000000..c5fba4d6b5 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
		1	From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
		2	From: Alex Stewart <alex.stewart@ni.com>
		3	Date: Tue, 10 Oct 2023 16:10:34 -0400
		4	Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
		5
		6	The clang sanitizer warns of a possible signed integer overflow when
		7	calculating the `dataend` value in `mat4_read_header()`.
		8
		9	```
		10	src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
		11	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
		12	src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
		13	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
		14	```
		15
		16	Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
		17	`dataend` before performing the calculation, to avoid the issue.
		18
		19	CVE: CVE-2022-33065
		20	Fixes: https://github.com/libsndfile/libsndfile/issues/789
		21	Fixes: https://github.com/libsndfile/libsndfile/issues/833
		22
		23	Signed-off-by: Alex Stewart <alex.stewart@ni.com>
		24
		25	Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
		26	CVE: CVE-2022-33065
		27	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		28	---
		29	src/mat4.c \| 2 +-
		30	1 file changed, 1 insertion(+), 1 deletion(-)
		31
		32	diff --git a/src/mat4.c b/src/mat4.c
		33	index 0b1b414..575683b 100644
		34	--- a/src/mat4.c
		35	+++ b/src/mat4.c
		36	@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
		37	psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
		38	}
		39	else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
		40	- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
		41	+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
		42
		43	psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
		44
		45	--
		46	2.40.1


diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb index f6ea585e34..0c654fd853 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
@@ -11,6 +11,7 @@ LICENSE = "LGPL-2.1-only"
11	SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \	11	SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \
12	file://noopus.patch \	12	file://noopus.patch \
13	file://0001-flac-Fix-improper-buffer-reusing-732.patch \	13	file://0001-flac-Fix-improper-buffer-reusing-732.patch \
		14	file://CVE-2022-33065.patch \
14	"	15	"
15	UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/"	16	UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/"
16		17