2 files changed, 198 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
new file mode 100644
index 0000000000..e042872dc0
--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
@@ -0,0 +1,197 @@
+From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001
+From: Martijn van Beurden <mvanb1@gmail.com>
+Date: Wed, 3 Aug 2022 13:52:19 +0200
+Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions
+Parts of the code use realloc like
+x = safe_realloc(x, somesize);
+when this is the case, the safe_realloc variant used must free the
+old memory block in case it fails, otherwise it will leak. However,
+there are also instances in the code where handling is different:
+if (0 == (x = safe_realloc(y, somesize)))
+    return false
+in this case, y should not be freed, as y is not set to NULL we
+could encounter double frees. Here the safe_realloc_nofree
+functions are used.
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815]
+CVE: CVE-2020-22219
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ include/share/alloc.h         | 41 +++++++++++++++++++++++++++++++----
+ src/flac/encode.c             |  4 ++--
+ src/flac/foreign_metadata.c   |  2 +-
+ src/libFLAC/bitwriter.c       |  2 +-
+ src/libFLAC/metadata_object.c |  2 +-
+ src/plugin_common/tags.c      |  2 +-
+ src/share/utf8/iconvert.c     |  2 +-
+ 7 files changed, 44 insertions(+), 11 deletions(-)
+diff --git a/include/share/alloc.h b/include/share/alloc.h
+index 914de9b..55bdd1d 100644
+--- a/include/share/alloc.h
+++ b/include/share/alloc.h
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size)
+                free(oldptr);
+        return newptr;
+ }
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
+static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
+{
+       size2 += size1;
+       if(size2 < size1)
+               return 0;
+       return realloc(ptr, size2);
+}
+
+static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+        size2 += size1;
+        if(size2 < size1) {
+                free(ptr);
+                return 0;
+        }
+-       return realloc(ptr, size2);
+       size3 += size2;
+       if(size3 < size2) {
+               free(ptr);
+               return 0;
+       }
+       return safe_realloc_(ptr, size3);
+ }
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+        size2 += size1;
+        if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2,
+        return realloc(ptr, size3);
+ }
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+ {
+        size2 += size1;
+        if(size2 < size1)
+@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2)
+        return safe_realloc_(ptr, size1*size2);
+ }
+static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
+{
+       if(!size1 || !size2)
+               return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
+       if(size1 > SIZE_MAX / size2)
+               return 0;
+       return realloc(ptr, size1*size2);
+}
+
+ /* size1 * (size2 + size3) */
+ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2,
+        return safe_realloc_mul_2op_(ptr, size1, size2);
+ }
+/* size1 * (size2 + size3) */
+static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+{
+       if(!size1 || (!size2 && !size3))
+               return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
+       size2 += size3;
+       if(size2 < size3)
+               return 0;
+       return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
+}
+
+ #endif
+diff --git a/src/flac/encode.c b/src/flac/encode.c
+index a9b907f..f87250c 100644
+--- a/src/flac/encode.c
+++ b/src/flac/encode.c
+@@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m)
+ static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+ {
+        void *x;
+-       if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+       if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+                return false;
+        m->metadata = (FLAC__StreamMetadata**)x;
+-       if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+       if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+                return false;
+        m->needs_delete = (FLAC__bool*)x;
+        m->metadata[m->num_metadata] = d;
+diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
+index 9ad9c18..fdfb3cf 100644
+--- a/src/flac/foreign_metadata.c
+++ b/src/flac/foreign_metadata.c
+@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er
+ static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+ {
+-       foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+       foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+        if(fb) {
+                fb[fm->num_blocks].offset = offset;
+                fb[fm->num_blocks].size = size;
+diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
+index 6e86585..a510b0d 100644
+--- a/src/libFLAC/bitwriter.c
+++ b/src/libFLAC/bitwriter.c
+@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
+        FLAC__ASSERT(new_capacity > bw->capacity);
+        FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+-       new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+       new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+        if(new_buffer == 0)
+                return false;
+        bw->buffer = new_buffer;
+diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
+index de8e513..aef65be 100644
+--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint
+ /* realloc() failure leaves entry unchanged */
+ static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
+ {
+-       FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
+       FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+        if (x != NULL) {
+                x[length] = '\0';
+                *entry = x;
+diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
+index ae440c5..dfa10d3 100644
+--- a/src/plugin_common/tags.c
+++ b/src/plugin_common/tags.c
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
+                const size_t value_len = strlen(value);
+                const size_t separator_len = strlen(separator);
+                FLAC__byte *new_entry;
+-               if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+               if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+                        return false;
+                memcpy(new_entry+entry->length, separator, separator_len);
+                entry->length += separator_len;
+diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
+index 8ab53c1..876c06e 100644
+--- a/src/share/utf8/iconvert.c
+++ b/src/share/utf8/iconvert.c
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode,
+       iconv_close(cd1);
+       return ret;
+     }
+-    newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+    newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+     if (!newbuf)
+       goto fail;
+     ob = (ob - utfbuf) + newbuf;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/flac/flac_1.3.4.bb b/meta/recipes-multimedia/flac/flac_1.3.4.bb
index 012da0a0a0..1a44718bba 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.4.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.4.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
 DEPENDS = "libogg"
 SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+           file://CVE-2020-22219.patch \
 "
 SRC_URI[sha256sum] = "8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737"

diff --git a/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch new file mode 100644 index 0000000000..e042872dc0 --- /dev/null +++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
@@ -0,0 +1,197 @@
		1	From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001
		2	From: Martijn van Beurden <mvanb1@gmail.com>
		3	Date: Wed, 3 Aug 2022 13:52:19 +0200
		4	Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions
		5
		6	Parts of the code use realloc like
		7
		8	x = safe_realloc(x, somesize);
		9
		10	when this is the case, the safe_realloc variant used must free the
		11	old memory block in case it fails, otherwise it will leak. However,
		12	there are also instances in the code where handling is different:
		13
		14	if (0 == (x = safe_realloc(y, somesize)))
		15	return false
		16
		17	in this case, y should not be freed, as y is not set to NULL we
		18	could encounter double frees. Here the safe_realloc_nofree
		19	functions are used.
		20
		21	Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815]
		22	CVE: CVE-2020-22219
		23
		24	Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
		25	---
		26	include/share/alloc.h \| 41 +++++++++++++++++++++++++++++++----
		27	src/flac/encode.c \| 4 ++--
		28	src/flac/foreign_metadata.c \| 2 +-
		29	src/libFLAC/bitwriter.c \| 2 +-
		30	src/libFLAC/metadata_object.c \| 2 +-
		31	src/plugin_common/tags.c \| 2 +-
		32	src/share/utf8/iconvert.c \| 2 +-
		33	7 files changed, 44 insertions(+), 11 deletions(-)
		34
		35	diff --git a/include/share/alloc.h b/include/share/alloc.h
		36	index 914de9b..55bdd1d 100644
		37	--- a/include/share/alloc.h
		38	+++ b/include/share/alloc.h
		39	@@ -161,17 +161,30 @@ static inline void safe_realloc_(void ptr, size_t size)
		40	free(oldptr);
		41	return newptr;
		42	}
		43	-static inline void safe_realloc_add_2op_(void ptr, size_t size1, size_t size2)
		44	+static inline void safe_realloc_nofree_add_2op_(void ptr, size_t size1, size_t size2)
		45	+{
		46	+ size2 += size1;
		47	+ if(size2 < size1)
		48	+ return 0;
		49	+ return realloc(ptr, size2);
		50	+}
		51	+
		52	+static inline void safe_realloc_add_3op_(void ptr, size_t size1, size_t size2, size_t size3)
		53	{
		54	size2 += size1;
		55	if(size2 < size1) {
		56	free(ptr);
		57	return 0;
		58	}
		59	- return realloc(ptr, size2);
		60	+ size3 += size2;
		61	+ if(size3 < size2) {
		62	+ free(ptr);
		63	+ return 0;
		64	+ }
		65	+ return safe_realloc_(ptr, size3);
		66	}
		67
		68	-static inline void safe_realloc_add_3op_(void ptr, size_t size1, size_t size2, size_t size3)
		69	+static inline void safe_realloc_nofree_add_3op_(void ptr, size_t size1, size_t size2, size_t size3)
		70	{
		71	size2 += size1;
		72	if(size2 < size1)
		73	@@ -182,7 +195,7 @@ static inline void safe_realloc_add_3op_(void ptr, size_t size1, size_t size2,
		74	return realloc(ptr, size3);
		75	}
		76
		77	-static inline void safe_realloc_add_4op_(void ptr, size_t size1, size_t size2, size_t size3, size_t size4)
		78	+static inline void safe_realloc_nofree_add_4op_(void ptr, size_t size1, size_t size2, size_t size3, size_t size4)
		79	{
		80	size2 += size1;
		81	if(size2 < size1)
		82	@@ -205,6 +218,15 @@ static inline void safe_realloc_mul_2op_(void ptr, size_t size1, size_t size2)
		83	return safe_realloc_(ptr, size1*size2);
		84	}
		85
		86	+static inline void safe_realloc_nofree_mul_2op_(void ptr, size_t size1, size_t size2)
		87	+{
		88	+ if(!size1 \|\| !size2)
		89	+ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
		90	+ if(size1 > SIZE_MAX / size2)
		91	+ return 0;
		92	+ return realloc(ptr, size1*size2);
		93	+}
		94	+
		95	/* size1 * (size2 + size3) */
		96	static inline void safe_realloc_muladd2_(void ptr, size_t size1, size_t size2, size_t size3)
		97	{
		98	@@ -216,4 +238,15 @@ static inline void safe_realloc_muladd2_(void ptr, size_t size1, size_t size2,
		99	return safe_realloc_mul_2op_(ptr, size1, size2);
		100	}
		101
		102	+/* size1 * (size2 + size3) */
		103	+static inline void safe_realloc_nofree_muladd2_(void ptr, size_t size1, size_t size2, size_t size3)
		104	+{
		105	+ if(!size1 \|\| (!size2 && !size3))
		106	+ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
		107	+ size2 += size3;
		108	+ if(size2 < size3)
		109	+ return 0;
		110	+ return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
		111	+}
		112	+
		113	#endif
		114	diff --git a/src/flac/encode.c b/src/flac/encode.c
		115	index a9b907f..f87250c 100644
		116	--- a/src/flac/encode.c
		117	+++ b/src/flac/encode.c
		118	@@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m)
		119	static FLAC__bool static_metadata_append(static_metadata_t m, FLAC__StreamMetadata d, FLAC__bool needs_delete)
		120	{
		121	void *x;
		122	- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(m->metadata), /times (/m->num_metadata, /+/1/)*/)))
		123	+ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(m->metadata), /times (/m->num_metadata, /+/1/)*/)))
		124	return false;
		125	m->metadata = (FLAC__StreamMetadata**)x;
		126	- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(m->needs_delete), /times (/m->num_metadata, /+/1/)*/)))
		127	+ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(m->needs_delete), /times (/m->num_metadata, /+/1/)*/)))
		128	return false;
		129	m->needs_delete = (FLAC__bool*)x;
		130	m->metadata[m->num_metadata] = d;
		131	diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
		132	index 9ad9c18..fdfb3cf 100644
		133	--- a/src/flac/foreign_metadata.c
		134	+++ b/src/flac/foreign_metadata.c
		135	@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE fin, FILE fout, size_t size, const char **er
		136
		137	static FLAC__bool append_block_(foreign_metadata_t fm, FLAC__off_t offset, FLAC__uint32 size, const char *error)
		138	{
		139	- foreign_block_t fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /times (/fm->num_blocks, /+/1/)*/);
		140	+ foreign_block_t fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /times (/fm->num_blocks, /+/1/)*/);
		141	if(fb) {
		142	fb[fm->num_blocks].offset = offset;
		143	fb[fm->num_blocks].size = size;
		144	diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
		145	index 6e86585..a510b0d 100644
		146	--- a/src/libFLAC/bitwriter.c
		147	+++ b/src/libFLAC/bitwriter.c
		148	@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
		149	FLAC__ASSERT(new_capacity > bw->capacity);
		150	FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
		151
		152	- new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /times/new_capacity);
		153	+ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /times/new_capacity);
		154	if(new_buffer == 0)
		155	return false;
		156	bw->buffer = new_buffer;
		157	diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
		158	index de8e513..aef65be 100644
		159	--- a/src/libFLAC/metadata_object.c
		160	+++ b/src/libFLAC/metadata_object.c
		161	@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte *to, const FLAC__byte from, uint
		162	/* realloc() failure leaves entry unchanged */
		163	static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
		164	{
		165	- FLAC__byte x = safe_realloc_add_2op_(entry, length, /+/1);
		166	+ FLAC__byte x = safe_realloc_nofree_add_2op_(entry, length, /+/1);
		167	if (x != NULL) {
		168	x[length] = '\0';
		169	*entry = x;
		170	diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
		171	index ae440c5..dfa10d3 100644
		172	--- a/src/plugin_common/tags.c
		173	+++ b/src/plugin_common/tags.c
		174	@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
		175	const size_t value_len = strlen(value);
		176	const size_t separator_len = strlen(separator);
		177	FLAC__byte *new_entry;
		178	- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /+/value_len, /+/separator_len, /+/1)))
		179	+ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /+/value_len, /+/separator_len, /+/1)))
		180	return false;
		181	memcpy(new_entry+entry->length, separator, separator_len);
		182	entry->length += separator_len;
		183	diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
		184	index 8ab53c1..876c06e 100644
		185	--- a/src/share/utf8/iconvert.c
		186	+++ b/src/share/utf8/iconvert.c
		187	@@ -149,7 +149,7 @@ int iconvert(const char fromcode, const char tocode,
		188	iconv_close(cd1);
		189	return ret;
		190	}
		191	- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /+/1);
		192	+ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /+/1);
		193	if (!newbuf)
		194	goto fail;
		195	ob = (ob - utfbuf) + newbuf;
		196	--
		197	2.40.0


diff --git a/meta/recipes-multimedia/flac/flac_1.3.4.bb b/meta/recipes-multimedia/flac/flac_1.3.4.bb index 012da0a0a0..1a44718bba 100644 --- a/meta/recipes-multimedia/flac/flac_1.3.4.bb +++ b/meta/recipes-multimedia/flac/flac_1.3.4.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
15	DEPENDS = "libogg"	15	DEPENDS = "libogg"
16		16
17	SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \	17	SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
		18	file://CVE-2020-22219.patch \
18	"	19	"
19		20
20	SRC_URI[sha256sum] = "8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737"	21	SRC_URI[sha256sum] = "8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737"