From owner-svn-ports-branches@freebsd.org Fri Sep 11 15:01:54 2015 Return-Path: Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9E5B8A01EC0; Fri, 11 Sep 2015 15:01:54 +0000 (UTC) (envelope-from naddy@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8A8601046; Fri, 11 Sep 2015 15:01:54 +0000 (UTC) (envelope-from naddy@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8BF1sY9092837; Fri, 11 Sep 2015 15:01:54 GMT (envelope-from naddy@FreeBSD.org) Received: (from naddy@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8BF1s8g092835; Fri, 11 Sep 2015 15:01:54 GMT (envelope-from naddy@FreeBSD.org) Message-Id: <201509111501.t8BF1s8g092835@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: naddy set sender to naddy@FreeBSD.org using -f From: Christian Weisgerber Date: Fri, 11 Sep 2015 15:01:54 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r396674 - in branches/2015Q3/audio/opus-tools: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Sep 2015 15:01:54 -0000 Author: naddy Date: Fri Sep 11 15:01:53 2015 New Revision: 396674 URL: https://svnweb.freebsd.org/changeset/ports/396674 Log: MFH: r396600 Fix opusenc buffer overflow, channel integer overflow, and division by zero. (Same code as vorbis-tools oggenc.) PR: 202941 Obtained from: https://trac.xiph.org/ticket/2212 Obtained from: https://trac.xiph.org/changeset/19117 Obtained from: Fedora vorbis-tools Git (commit 63a1a62d) Security: CVE-2015-6749 Security: CVE-2014-9638 Security: CVE-2014-9639 Security: a35f415d-572a-11e5-b0a4-f8b156b6dcc8 Approved by: ports-secteam Added: branches/2015Q3/audio/opus-tools/files/patch-src_audio-in.c - copied unchanged from r396600, head/audio/opus-tools/files/patch-src_audio-in.c Modified: branches/2015Q3/audio/opus-tools/Makefile Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/audio/opus-tools/Makefile ============================================================================== --- branches/2015Q3/audio/opus-tools/Makefile Fri Sep 11 14:59:04 2015 (r396673) +++ branches/2015Q3/audio/opus-tools/Makefile Fri Sep 11 15:01:53 2015 (r396674) @@ -2,7 +2,7 @@ PORTNAME= opus-tools PORTVERSION= 0.1.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= http://downloads.xiph.org/releases/opus/ \ MOZILLA/opus Copied: branches/2015Q3/audio/opus-tools/files/patch-src_audio-in.c (from r396600, head/audio/opus-tools/files/patch-src_audio-in.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/audio/opus-tools/files/patch-src_audio-in.c Fri Sep 11 15:01:53 2015 (r396674, copy of r396600, head/audio/opus-tools/files/patch-src_audio-in.c) @@ -0,0 +1,85 @@ +--- src/audio-in.c.orig 2014-02-26 00:55:47 UTC ++++ src/audio-in.c +@@ -42,6 +42,7 @@ + # define _FILE_OFFSET_BITS 64 + #endif + ++#include + #include + #include + #include +@@ -287,13 +288,14 @@ static int aiff_permute_matrix[6][6] = + int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) + { + int aifc; /* AIFC or AIFF? */ +- unsigned int len; +- unsigned char *buffer; ++ unsigned int len, readlen; ++ unsigned char buffer[22]; + unsigned char buf2[8]; + int bigendian = 1; + aiff_fmt format; + aifffile *aiff; + int i; ++ long channels; + (void)buflen;/*unused*/ + + if(buf[11]=='C') +@@ -313,19 +315,25 @@ int aiff_open(FILE *in, oe_enc_opt *opt, + return 0; /* Weird common chunk */ + } + +- buffer = alloca(len); +- +- if(fread(buffer,1,len,in) < len) ++ readlen = len < sizeof(buffer) ? len : sizeof(buffer); ++ if(fread(buffer,1,readlen,in) < readlen || ++ (len > readlen && !seek_forward(in, len-readlen))) + { + fprintf(stderr, _("Warning: Unexpected EOF reading AIFF header\n")); + return 0; + } + +- format.channels = READ_U16_BE(buffer); ++ format.channels = channels = READ_U16_BE(buffer); + format.totalframes = READ_U32_BE(buffer+2); + format.samplesize = READ_U16_BE(buffer+6); + format.rate = (int)read_IEEE80(buffer+8); + ++ if(channels <= 0L || SHRT_MAX < channels) ++ { ++ fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n")); ++ return 0; ++ } ++ + if(aifc) + { + if(len < 22) +@@ -442,6 +450,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, + wav_fmt format; + wavfile *wav; + int i; ++ long channels; + (void)buflen;/*unused*/ + (void)oldbuf;/*unused*/ + +@@ -481,12 +490,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, + } + + format.format = READ_U16_LE(buf); +- format.channels = READ_U16_LE(buf+2); ++ format.channels = channels = READ_U16_LE(buf+2); + format.samplerate = READ_U32_LE(buf+4); + format.bytespersec = READ_U32_LE(buf+8); + format.align = READ_U16_LE(buf+12); + format.samplesize = READ_U16_LE(buf+14); + ++ if(channels <= 0L || SHRT_MAX < channels) ++ { ++ fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n")); ++ return 0; ++ } ++ + if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */ + { + if(len<40)