Date: Tue, 12 Mar 2019 06:12:04 +0000 (UTC) From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r495441 - in branches/2019Q1/audio/libsndfile: . files Message-ID: <201903120612.x2C6C4NS017116@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: riggs Date: Tue Mar 12 06:12:04 2019 New Revision: 495441 URL: https://svnweb.freebsd.org/changeset/ports/495441 Log: MFH: r495440 Backport patches from upstream against all currently known CVEs PR: 227669 Submitted by: p5B2E9A8F@t-online.de Security: CVE-2018-19661 CVE-2018-19662 CVE-2017-17456 CVE-2017-17457 CVE-2018-19758 Approved by: ports-secteam (riggs) Added: branches/2019Q1/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 - copied unchanged from r495440, head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 branches/2019Q1/audio/libsndfile/files/patch-CVE-2018-19758 - copied unchanged from r495440, head/audio/libsndfile/files/patch-CVE-2018-19758 branches/2019Q1/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave - copied unchanged from r495440, head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave branches/2019Q1/audio/libsndfile/files/patch-rf64_arm - copied unchanged from r495440, head/audio/libsndfile/files/patch-rf64_arm branches/2019Q1/audio/libsndfile/files/patch-typos - copied unchanged from r495440, head/audio/libsndfile/files/patch-typos Modified: branches/2019Q1/audio/libsndfile/Makefile Directory Properties: branches/2019Q1/ (props changed) Modified: branches/2019Q1/audio/libsndfile/Makefile ============================================================================== --- branches/2019Q1/audio/libsndfile/Makefile Tue Mar 12 06:10:24 2019 (r495440) +++ branches/2019Q1/audio/libsndfile/Makefile Tue Mar 12 06:12:04 2019 (r495441) @@ -3,7 +3,7 @@ PORTNAME= libsndfile PORTVERSION= 1.0.28 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= http://www.mega-nerd.com/libsndfile/files/ Copied: branches/2019Q1/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 (from r495440, head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2019Q1/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 Tue Mar 12 06:12:04 2019 (r495441, copy of r495440, head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662) @@ -0,0 +1,90 @@ +From: Hugo Lefeuvre <hle@owl.eu.com> +Date: Mon, 24 Dec 2018 06:43:48 +0100 +Subject: a/ulaw: fix multiple buffer overflows (#432) + +i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN +properly, leading to buffer underflow. INT_MIN is a special value +since - INT_MIN cannot be represented as int. + +In this case round - INT_MIN to INT_MAX and proceed as usual. + +f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN +properly, leading to null pointer dereference. + +In this case, arbitrarily set the buffer value to 0. + +This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and +fixes #344 (CVE-2017-17456 and CVE-2017-17457). +--- + src/alaw.c | 9 +++++++-- + src/ulaw.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/alaw.c b/src/alaw.c +index 063fd1a..4220224 100644 +--- src/alaw.c ++++ src/alaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2alaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; + else + buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; +@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; +diff --git a/src/ulaw.c b/src/ulaw.c +index e50b4cb..b6070ad 100644 +--- src/ulaw.c ++++ src/ulaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2ulaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; + else + buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; +@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; Copied: branches/2019Q1/audio/libsndfile/files/patch-CVE-2018-19758 (from r495440, head/audio/libsndfile/files/patch-CVE-2018-19758) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2019Q1/audio/libsndfile/files/patch-CVE-2018-19758 Tue Mar 12 06:12:04 2019 (r495441, copy of r495440, head/audio/libsndfile/files/patch-CVE-2018-19758) @@ -0,0 +1,31 @@ +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Tue, 1 Jan 2019 20:11:46 +1100 +Subject: src/wav.c: Fix heap read overflow + +This is CVE-2018-19758. + +Closes: https://github.com/erikd/libsndfile/issues/435 +--- + src/wav.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/wav.c b/src/wav.c +index 4b943dc..59015a1 100644 +--- src/wav.c ++++ src/wav.c +@@ -1,5 +1,5 @@ + /* +-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> ++** Copyright (C) 1999-2019 Erik de Castro Lopo <erikd@mega-nerd.com> + ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com> + ** + ** This program is free software; you can redistribute it and/or modify +@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + ++ /* Loop count is signed 16 bit number so we limit it range to something sensible. */ ++ psf->instrument->loop_count &= 0x7fff ; + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + Copied: branches/2019Q1/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave (from r495440, head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2019Q1/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave Tue Mar 12 06:12:04 2019 (r495441, copy of r495440, head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave) @@ -0,0 +1,30 @@ +From: "Brett T. Warden" <brett.t.warden@intel.com> +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: Check MAX_CHANNELS in sndfile-deinterleave + +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. + +Fixes #397 +--- + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c +index e27593e..cb497e1 100644 +--- programs/sndfile-deinterleave.c ++++ programs/sndfile-deinterleave.c +@@ -89,6 +89,13 @@ main (int argc, char **argv) + exit (1) ; + } ; + ++ if (sfinfo.channels > MAX_CHANNELS) ++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", ++ argv [1], sfinfo.channels, MAX_CHANNELS) ; ++ exit (1) ; ++ } ; ++ ++ + state.channels = sfinfo.channels ; + sfinfo.channels = 1 ; + Copied: branches/2019Q1/audio/libsndfile/files/patch-rf64_arm (from r495440, head/audio/libsndfile/files/patch-rf64_arm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2019Q1/audio/libsndfile/files/patch-rf64_arm Tue Mar 12 06:12:04 2019 (r495441, copy of r495440, head/audio/libsndfile/files/patch-rf64_arm) @@ -0,0 +1,49 @@ +From: Erik de Castro Lopez <erikd@mega-nerd.com> +Date: Tue, 20 Jun 2017 00:00:00 +0200 +Subject: fix RF64 on armel/armhf archs + +Origin: upstream +Applied-Upstream: 9d470ee5577d3ccedb1c28c7e0a7295ba17feaf5 +Last-Update: 2017-06-20 +--- + src/rf64.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/rf64.c b/src/rf64.c +index c373bb0..60a3309 100644 +--- src/rf64.c ++++ src/rf64.c +@@ -339,6 +339,12 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock) + } ; + break ; + ++ case JUNK_MARKER : ++ case PAD_MARKER : ++ psf_log_printf (psf, "%M : %d\n", marker, chunk_size) ; ++ psf_binheader_readf (psf, "j", chunk_size) ; ++ break ; ++ + default : + if (chunk_size >= 0xffff0000) + { psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ; +@@ -659,7 +665,7 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length) + + if (wpriv->rf64_downgrade && psf->filelength < RIFF_DOWNGRADE_BYTES) + { psf_binheader_writef (psf, "etm8m", RIFF_MARKER, (psf->filelength < 8) ? 8 : psf->filelength - 8, WAVE_MARKER) ; +- psf_binheader_writef (psf, "m4884", JUNK_MARKER, 20, 0, 0, 0, 0) ; ++ psf_binheader_writef (psf, "m4z", JUNK_MARKER, 24, 24) ; + add_fact_chunk = 1 ; + } + else +@@ -735,9 +741,10 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length) + + #endif + ++ /* Padding may be needed if string data sizes change. */ + pad_size = psf->dataoffset - 16 - psf->header.indx ; + if (pad_size >= 0) +- psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ; ++ psf_binheader_writef (psf, "m4z", PAD_MARKER, (unsigned int) pad_size, make_size_t (pad_size)) ; + + if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES)) + psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ; Copied: branches/2019Q1/audio/libsndfile/files/patch-typos (from r495440, head/audio/libsndfile/files/patch-typos) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2019Q1/audio/libsndfile/files/patch-typos Tue Mar 12 06:12:04 2019 (r495441, copy of r495440, head/audio/libsndfile/files/patch-typos) @@ -0,0 +1,67 @@ +From: IOhannes m zmoelnig <umlaeute@debian.org> +Date: Wed, 5 Oct 2016 00:00:00 +0200 +Subject: fixed spelling errors + +Forwarded: yes +Last-Update: 2016-10-05 + +discovered by lintian +--- + doc/bugs.html | 2 +- + programs/sndfile-convert.c | 2 +- + src/ogg.c | 2 +- + src/wavlike.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/bugs.html b/doc/bugs.html +index 3a441fe..addedb8 100644 +--- doc/bugs.html ++++ doc/bugs.html +@@ -31,7 +31,7 @@ + <UL> + <LI> Compilation problems on new platforms. + <LI> Errors being detected during the `make check' process. +- <LI> Segmentation faults occuring inside libsndfile. ++ <LI> Segmentation faults occurring inside libsndfile. + <LI> libsndfile hanging when opening a file. + <LI> Supported sound file types being incorrectly read or written. + <LI> Omissions, errors or spelling mistakes in the documentation. +diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c +index dff7f79..896838f 100644 +--- programs/sndfile-convert.c ++++ programs/sndfile-convert.c +@@ -317,7 +317,7 @@ main (int argc, char * argv []) + if ((sfinfo.format & SF_FORMAT_SUBMASK) == SF_FORMAT_GSM610 && sfinfo.samplerate != 8000) + { printf ( + "WARNING: GSM 6.10 data format only supports 8kHz sample rate. The converted\n" +- "ouput file will contain the input data converted to the GSM 6.10 data format\n" ++ "output file will contain the input data converted to the GSM 6.10 data format\n" + "but not re-sampled.\n" + ) ; + } ; +diff --git a/src/ogg.c b/src/ogg.c +index 0856f77..e01ebe1 100644 +--- src/ogg.c ++++ src/ogg.c +@@ -193,7 +193,7 @@ ogg_stream_classify (SF_PRIVATE *psf, OGG_PRIVATE* odata) + break ; + } ; + +- psf_log_printf (psf, "This Ogg bitstream contains some uknown data type.\n") ; ++ psf_log_printf (psf, "This Ogg bitstream contains some unknown data type.\n") ; + return SFE_UNIMPLEMENTED ; + } /* ogg_stream_classify */ + +diff --git a/src/wavlike.c b/src/wavlike.c +index 86ebf01..c053da3 100644 +--- src/wavlike.c ++++ src/wavlike.c +@@ -161,7 +161,7 @@ wavlike_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize) + { psf_log_printf (psf, " Bit Width : 24\n") ; + + psf_log_printf (psf, "\n" +- " Ambiguous information in 'fmt ' chunk. Possibile file types:\n" ++ " Ambiguous information in 'fmt ' chunk. Possible file types:\n" + " 0) Invalid IEEE float file generated by Syntrillium's Cooledit!\n" + " 1) File generated by ALSA's arecord containing 24 bit samples in 32 bit containers.\n" + " 2) 24 bit file with incorrect Block Align value.\n"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903120612.x2C6C4NS017116>