1 |
commit: ab144c7631ebe685ffec603e48824403fcd00cdd |
2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Jun 10 23:45:11 2018 +0000 |
4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Jun 11 00:04:20 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab144c76 |
7 |
|
8 |
media-sound/sox: A truckload of security |
9 |
|
10 |
Kindly provided by Debian packaging... |
11 |
|
12 |
Bug: https://bugs.gentoo.org/627570 |
13 |
Bug: https://bugs.gentoo.org/626702 |
14 |
Bug: https://bugs.gentoo.org/634814 |
15 |
Bug: https://bugs.gentoo.org/634450 |
16 |
Package-Manager: Portage-2.3.40, Repoman-2.3.9 |
17 |
|
18 |
.../sox/files/sox-14.4.2-CVE-2017-11332.patch | 25 ++++++ |
19 |
.../sox/files/sox-14.4.2-CVE-2017-11333.patch | 43 ++++++++++ |
20 |
.../sox/files/sox-14.4.2-CVE-2017-11358.patch | 26 ++++++ |
21 |
.../sox/files/sox-14.4.2-CVE-2017-11359.patch | 27 ++++++ |
22 |
.../sox/files/sox-14.4.2-CVE-2017-15370.patch | 25 ++++++ |
23 |
.../sox/files/sox-14.4.2-CVE-2017-15371.patch | 37 +++++++++ |
24 |
.../sox/files/sox-14.4.2-CVE-2017-15372.patch | 97 ++++++++++++++++++++++ |
25 |
.../sox/files/sox-14.4.2-CVE-2017-15642.patch | 28 +++++++ |
26 |
.../sox/files/sox-14.4.2-CVE-2017-18189.patch | 30 +++++++ |
27 |
.../sox-14.4.2-wavpack-chk-errors-on-init.patch | 35 ++++++++ |
28 |
media-sound/sox/sox-14.4.2-r1.ebuild | 13 +++ |
29 |
11 files changed, 386 insertions(+) |
30 |
|
31 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch |
32 |
new file mode 100644 |
33 |
index 00000000000..2b4448ed2d7 |
34 |
--- /dev/null |
35 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch |
36 |
@@ -0,0 +1,25 @@ |
37 |
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001 |
38 |
+From: Mans Rullgard <mans@×××××.com> |
39 |
+Date: Sun, 5 Nov 2017 16:29:28 +0000 |
40 |
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) |
41 |
+ |
42 |
+--- |
43 |
+ src/wav.c | 5 +++++ |
44 |
+ 1 file changed, 5 insertions(+) |
45 |
+ |
46 |
+diff --git a/src/wav.c b/src/wav.c |
47 |
+index 3e80e692..3eaebfa7 100644 |
48 |
+--- a/src/wav.c |
49 |
++++ b/src/wav.c |
50 |
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft) |
51 |
+ else |
52 |
+ lsx_report("User options overriding channels read in .wav header"); |
53 |
+ |
54 |
++ if (ft->signal.channels == 0) { |
55 |
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero"); |
56 |
++ return SOX_EOF; |
57 |
++ } |
58 |
++ |
59 |
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond) |
60 |
+ ft->signal.rate = dwSamplesPerSecond; |
61 |
+ else |
62 |
|
63 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch |
64 |
new file mode 100644 |
65 |
index 00000000000..a9a5b276219 |
66 |
--- /dev/null |
67 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch |
68 |
@@ -0,0 +1,43 @@ |
69 |
+From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001 |
70 |
+Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@×××××××.org> |
71 |
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@×××××××.org> |
72 |
+Date: Wed, 15 Nov 2017 18:36:58 +0100 |
73 |
+Subject: [PATCH] Handle vorbis_analysis_headerout errors |
74 |
+ |
75 |
+This is related to |
76 |
+ |
77 |
+ https://github.com/xiph/vorbis/pull/34 |
78 |
+ |
79 |
+but could also happen today with on other errors in the called function. |
80 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236 |
81 |
+Forwarded: sox-devel@×××××××××××××××××.net |
82 |
+--- |
83 |
+ src/vorbis.c | 8 ++++++-- |
84 |
+ 1 file changed, 6 insertions(+), 2 deletions(-) |
85 |
+ |
86 |
+Index: sox/src/vorbis.c |
87 |
+=================================================================== |
88 |
+--- sox.orig/src/vorbis.c |
89 |
++++ sox/src/vorbis.c |
90 |
+@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma |
91 |
+ vc.comment_lengths[i] = strlen(text); |
92 |
+ } |
93 |
+ } |
94 |
+- vorbis_analysis_headerout( /* Build the packets */ |
95 |
+- &ve->vd, &vc, &header_main, &header_comments, &header_codebooks); |
96 |
++ if (vorbis_analysis_headerout( /* Build the packets */ |
97 |
++ &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) { |
98 |
++ ret = HEADER_ERROR; |
99 |
++ goto cleanup; |
100 |
++ } |
101 |
+ |
102 |
+ ogg_stream_packetin(&ve->os, &header_main); /* And stream them out */ |
103 |
+ ogg_stream_packetin(&ve->os, &header_comments); |
104 |
+@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma |
105 |
+ while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK) |
106 |
+ if (!oe_write_page(&ve->og, ft)) |
107 |
+ ret = HEADER_ERROR; |
108 |
++cleanup: |
109 |
+ for (i = 0; i < vc.comments; ++i) |
110 |
+ free(vc.user_comments[i]); |
111 |
+ free(vc.user_comments); |
112 |
|
113 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch |
114 |
new file mode 100644 |
115 |
index 00000000000..6cd8c2bb15f |
116 |
--- /dev/null |
117 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch |
118 |
@@ -0,0 +1,26 @@ |
119 |
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001 |
120 |
+From: Mans Rullgard <mans@×××××.com> |
121 |
+Date: Sun, 5 Nov 2017 16:43:35 +0000 |
122 |
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary |
123 |
+ (CVE-2017-11358) |
124 |
+ |
125 |
+--- |
126 |
+ src/hcom.c | 5 +++++ |
127 |
+ 1 file changed, 5 insertions(+) |
128 |
+ |
129 |
+diff --git a/src/hcom.c b/src/hcom.c |
130 |
+index c62b020c..1b0e09dd 100644 |
131 |
+--- a/src/hcom.c |
132 |
++++ b/src/hcom.c |
133 |
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft) |
134 |
+ lsx_debug("%d %d", |
135 |
+ p->dictionary[i].dict_leftson, |
136 |
+ p->dictionary[i].dict_rightson); |
137 |
++ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || |
138 |
++ (unsigned) p->dictionary[i].dict_rightson >= dictsize) { |
139 |
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); |
140 |
++ return SOX_EOF; |
141 |
++ } |
142 |
+ } |
143 |
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ |
144 |
+ if (rc) |
145 |
|
146 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch |
147 |
new file mode 100644 |
148 |
index 00000000000..180d7d1c867 |
149 |
--- /dev/null |
150 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch |
151 |
@@ -0,0 +1,27 @@ |
152 |
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001 |
153 |
+From: Mans Rullgard <mans@×××××.com> |
154 |
+Date: Sun, 5 Nov 2017 17:02:11 +0000 |
155 |
+Subject: [PATCH] wav: fix crash writing header when channel count >64k |
156 |
+ (CVE-2017-11359) |
157 |
+ |
158 |
+--- |
159 |
+ src/wav.c | 6 ++++++ |
160 |
+ 1 file changed, 6 insertions(+) |
161 |
+ |
162 |
+diff --git a/src/wav.c b/src/wav.c |
163 |
+index 3eaebfa7..fad334cf 100644 |
164 |
+--- a/src/wav.c |
165 |
++++ b/src/wav.c |
166 |
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header) |
167 |
+ long blocksWritten = 0; |
168 |
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ |
169 |
+ |
170 |
++ if (ft->signal.channels > UINT16_MAX) { |
171 |
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", |
172 |
++ ft->signal.channels); |
173 |
++ return SOX_EOF; |
174 |
++ } |
175 |
++ |
176 |
+ dwSamplesPerSecond = ft->signal.rate; |
177 |
+ wChannels = ft->signal.channels; |
178 |
+ wBitsPerSample = ft->encoding.bits_per_sample; |
179 |
|
180 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch |
181 |
new file mode 100644 |
182 |
index 00000000000..473c383a663 |
183 |
--- /dev/null |
184 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch |
185 |
@@ -0,0 +1,25 @@ |
186 |
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001 |
187 |
+From: Mans Rullgard <mans@×××××.com> |
188 |
+Date: Sun, 5 Nov 2017 16:21:23 +0000 |
189 |
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input |
190 |
+ (CVE-2017-15370) |
191 |
+ |
192 |
+Add the same check bad block size as was done for MS adpcm in commit |
193 |
+f39c574b ("More checks for invalid MS ADPCM blocks"). |
194 |
+--- |
195 |
+ src/wav.c | 2 +- |
196 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
197 |
+ |
198 |
+diff --git a/src/wav.c b/src/wav.c |
199 |
+index 5202556c..3e80e692 100644 |
200 |
+--- a/src/wav.c |
201 |
++++ b/src/wav.c |
202 |
+@@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft) |
203 |
+ /* work with partial blocks. Specs say it should be null */ |
204 |
+ /* padded but I guess this is better than trailing quiet. */ |
205 |
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0); |
206 |
+- if (samplesThisBlock == 0) |
207 |
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) |
208 |
+ { |
209 |
+ lsx_warn("Premature EOF on .wav input file"); |
210 |
+ return 0; |
211 |
|
212 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch |
213 |
new file mode 100644 |
214 |
index 00000000000..cde253da4ec |
215 |
--- /dev/null |
216 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch |
217 |
@@ -0,0 +1,37 @@ |
218 |
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001 |
219 |
+From: Mans Rullgard <mans@×××××.com> |
220 |
+Date: Sun, 5 Nov 2017 15:57:48 +0000 |
221 |
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) |
222 |
+ |
223 |
+--- |
224 |
+ src/flac.c | 8 +++++--- |
225 |
+ 1 file changed, 5 insertions(+), 3 deletions(-) |
226 |
+ |
227 |
+Index: sox/src/flac.c |
228 |
+=================================================================== |
229 |
+--- sox.orig/src/flac.c |
230 |
++++ sox/src/flac.c |
231 |
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL |
232 |
+ p->total_samples = metadata->data.stream_info.total_samples; |
233 |
+ } |
234 |
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) { |
235 |
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment; |
236 |
+ size_t i; |
237 |
+ |
238 |
+- if (metadata->data.vorbis_comment.num_comments == 0) |
239 |
++ if (vc->num_comments == 0) |
240 |
+ return; |
241 |
+ |
242 |
+ if (ft->oob.comments != NULL) { |
243 |
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL |
244 |
+ return; |
245 |
+ } |
246 |
+ |
247 |
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i) |
248 |
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry); |
249 |
++ for (i = 0; i < vc->num_comments; ++i) |
250 |
++ if (vc->comments[i].entry) |
251 |
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry); |
252 |
+ } |
253 |
+ } |
254 |
+ |
255 |
|
256 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch |
257 |
new file mode 100644 |
258 |
index 00000000000..8671213a98f |
259 |
--- /dev/null |
260 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch |
261 |
@@ -0,0 +1,97 @@ |
262 |
+From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001 |
263 |
+From: Mans Rullgard <mans@×××××.com> |
264 |
+Date: Wed, 8 Nov 2017 00:29:14 +0000 |
265 |
+Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372) |
266 |
+ |
267 |
+--- |
268 |
+ src/adpcm.c | 8 +++++++- |
269 |
+ src/adpcm.h | 3 +++ |
270 |
+ src/wav.c | 5 ++++- |
271 |
+ 3 files changed, 14 insertions(+), 2 deletions(-) |
272 |
+ |
273 |
+Index: sox/src/adpcm.c |
274 |
+=================================================================== |
275 |
+--- sox.orig/src/adpcm.c |
276 |
++++ sox/src/adpcm.c |
277 |
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = |
278 |
+ { 392,-232} |
279 |
+ }; |
280 |
+ |
281 |
++extern void *lsx_ms_adpcm_alloc(unsigned chans) |
282 |
++{ |
283 |
++ return lsx_malloc(chans * sizeof(MsState_t)); |
284 |
++} |
285 |
++ |
286 |
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, |
287 |
+ sox_sample_t sample1, sox_sample_t sample2) |
288 |
+ { |
289 |
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s |
290 |
+ |
291 |
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ |
292 |
+ const char *lsx_ms_adpcm_block_expand_i( |
293 |
++ void *priv, |
294 |
+ unsigned chans, /* total channels */ |
295 |
+ int nCoef, |
296 |
+ const short *coef, |
297 |
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( |
298 |
+ const unsigned char *ip; |
299 |
+ unsigned ch; |
300 |
+ const char *errmsg = NULL; |
301 |
+- MsState_t state[4]; /* One decompressor state for each channel */ |
302 |
++ MsState_t *state = priv; /* One decompressor state for each channel */ |
303 |
+ |
304 |
+ /* Read the four-byte header for each channel */ |
305 |
+ ip = ibuff; |
306 |
+Index: sox/src/adpcm.h |
307 |
+=================================================================== |
308 |
+--- sox.orig/src/adpcm.h |
309 |
++++ sox/src/adpcm.h |
310 |
+@@ -29,8 +29,11 @@ |
311 |
+ /* default coef sets */ |
312 |
+ extern const short lsx_ms_adpcm_i_coef[7][2]; |
313 |
+ |
314 |
++extern void *lsx_ms_adpcm_alloc(unsigned chans); |
315 |
++ |
316 |
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ |
317 |
+ extern const char *lsx_ms_adpcm_block_expand_i( |
318 |
++ void *priv, |
319 |
+ unsigned chans, /* total channels */ |
320 |
+ int nCoef, |
321 |
+ const short *coef, |
322 |
+Index: sox/src/wav.c |
323 |
+=================================================================== |
324 |
+--- sox.orig/src/wav.c |
325 |
++++ sox/src/wav.c |
326 |
+@@ -82,6 +82,7 @@ typedef struct { |
327 |
+ /* following used by *ADPCM wav files */ |
328 |
+ unsigned short nCoefs; /* ADPCM: number of coef sets */ |
329 |
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ |
330 |
++ void *ms_adpcm_data; /* Private data of adpcm decoder */ |
331 |
+ unsigned char *packet; /* Temporary buffer for packets */ |
332 |
+ short *samples; /* interleaved samples buffer */ |
333 |
+ short *samplePtr; /* Pointer to current sample */ |
334 |
+@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so |
335 |
+ } |
336 |
+ } |
337 |
+ |
338 |
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); |
339 |
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); |
340 |
+ |
341 |
+ if (errmsg) |
342 |
+ lsx_warn("%s", errmsg); |
343 |
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft) |
344 |
+ |
345 |
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ |
346 |
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); |
347 |
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); |
348 |
+ { |
349 |
+ int i, errct=0; |
350 |
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { |
351 |
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft) |
352 |
+ free(wav->packet); |
353 |
+ free(wav->samples); |
354 |
+ free(wav->lsx_ms_adpcm_i_coefs); |
355 |
++ free(wav->ms_adpcm_data); |
356 |
+ free(wav->comment); |
357 |
+ wav->comment = NULL; |
358 |
+ |
359 |
|
360 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch |
361 |
new file mode 100644 |
362 |
index 00000000000..d43ef50d101 |
363 |
--- /dev/null |
364 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch |
365 |
@@ -0,0 +1,28 @@ |
366 |
+Description: This fixes a use after free and double free if an empty comment |
367 |
+chunk follows a non-empty one. |
368 |
+Author: Mans Rullgard <mans@×××××.com> |
369 |
+Forwarded: not-needed |
370 |
+--- |
371 |
+ src/aiff.c | 2 +- |
372 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
373 |
+ |
374 |
+Index: sox/src/aiff.c |
375 |
+=================================================================== |
376 |
+--- sox.orig/src/aiff.c |
377 |
++++ sox/src/aiff.c |
378 |
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft) |
379 |
+ size_t ssndsize = 0; |
380 |
+ char *annotation; |
381 |
+ char *author; |
382 |
+- char *comment = NULL; |
383 |
+ char *copyright; |
384 |
+ char *nametext; |
385 |
+ |
386 |
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft) |
387 |
+ free(annotation); |
388 |
+ } |
389 |
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) { |
390 |
++ char *comment = NULL; |
391 |
+ rc = commentChunk(&comment, "Comment:", ft); |
392 |
+ if (rc) { |
393 |
+ /* Fail already called in function */ |
394 |
|
395 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch |
396 |
new file mode 100644 |
397 |
index 00000000000..fd04bcdff13 |
398 |
--- /dev/null |
399 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch |
400 |
@@ -0,0 +1,30 @@ |
401 |
+Description: A corrupt header specifying zero channels would send read_channels() |
402 |
+into an infinite loop. Prevent this by sanity checking the channel |
403 |
+count in open_read(). Also add an upper bound to prevent overflow |
404 |
+in multiplication. |
405 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 |
406 |
+Author: Mans Rullgard <mans@×××××.com> |
407 |
+ Jaromír Mikeš <mira.mikes@××××××.cz> |
408 |
+Forwarded: not-needed |
409 |
+ |
410 |
+--- |
411 |
+ src/xa.c | 6 ++++++ |
412 |
+ 1 file changed, 6 insertions(+) |
413 |
+ |
414 |
+Index: sox/src/xa.c |
415 |
+=================================================================== |
416 |
+--- sox.orig/src/xa.c |
417 |
++++ sox/src/xa.c |
418 |
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) |
419 |
+ lsx_report("User options overriding rate read in .xa header"); |
420 |
+ } |
421 |
+ |
422 |
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { |
423 |
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", |
424 |
++ ft->signal.channels); |
425 |
++ return SOX_EOF; |
426 |
++ } |
427 |
++ |
428 |
+ /* Check for supported formats */ |
429 |
+ if (ft->encoding.bits_per_sample != 16) { |
430 |
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", |
431 |
|
432 |
diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch |
433 |
new file mode 100644 |
434 |
index 00000000000..4ebb31c0ae9 |
435 |
--- /dev/null |
436 |
+++ b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch |
437 |
@@ -0,0 +1,35 @@ |
438 |
+Description: wavpack: check errors when initializing |
439 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145 |
440 |
+Author: Eric Wong <normalperson@××××.net> |
441 |
+ Jaromír Mikeš <mira.mikes@××××××.cz> |
442 |
+Forwarded: not-needed |
443 |
+ |
444 |
+ src/wavpack.c | 8 ++++++++ |
445 |
+ 1 file changed, 8 insertions(+) |
446 |
+ |
447 |
+diff --git a/src/wavpack.c b/src/wavpack.c |
448 |
+index 9e525cd4..b7e8dafa 100644 |
449 |
+--- a/src/wavpack.c |
450 |
++++ b/src/wavpack.c |
451 |
+@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft) |
452 |
+ char msg[80]; |
453 |
+ |
454 |
+ p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0); |
455 |
++ if (!p->codec) { |
456 |
++ lsx_fail_errno(ft, SOX_EHDR, "%s", msg); |
457 |
++ return SOX_EOF; |
458 |
++ } |
459 |
+ ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3; |
460 |
+ ft->signal.channels = WavpackGetNumChannels(p->codec); |
461 |
+ if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec)) |
462 |
+@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft) |
463 |
+ uint64_t size64; |
464 |
+ |
465 |
+ p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL); |
466 |
++ if (!p->codec) { |
467 |
++ lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance"); |
468 |
++ return SOX_EOF; |
469 |
++ } |
470 |
+ memset(&config, 0, sizeof(config)); |
471 |
+ config.bytes_per_sample = ft->encoding.bits_per_sample >> 3; |
472 |
+ config.bits_per_sample = ft->encoding.bits_per_sample; |
473 |
|
474 |
diff --git a/media-sound/sox/sox-14.4.2-r1.ebuild b/media-sound/sox/sox-14.4.2-r1.ebuild |
475 |
index 8ebda3df10b..d757a4e70b4 100644 |
476 |
--- a/media-sound/sox/sox-14.4.2-r1.ebuild |
477 |
+++ b/media-sound/sox/sox-14.4.2-r1.ebuild |
478 |
@@ -46,6 +46,19 @@ DEPEND="${RDEPEND} |
479 |
|
480 |
DOCS=( AUTHORS ChangeLog NEWS README ) |
481 |
|
482 |
+PATCHES=( |
483 |
+ "${FILESDIR}"/${P}-CVE-2017-11332.patch |
484 |
+ "${FILESDIR}"/${P}-CVE-2017-11333.patch |
485 |
+ "${FILESDIR}"/${P}-CVE-2017-11358.patch |
486 |
+ "${FILESDIR}"/${P}-CVE-2017-11359.patch |
487 |
+ "${FILESDIR}"/${P}-CVE-2017-15370.patch |
488 |
+ "${FILESDIR}"/${P}-CVE-2017-15371.patch |
489 |
+ "${FILESDIR}"/${P}-CVE-2017-15372.patch |
490 |
+ "${FILESDIR}"/${P}-CVE-2017-15642.patch |
491 |
+ "${FILESDIR}"/${P}-CVE-2017-18189.patch |
492 |
+ "${FILESDIR}"/${P}-wavpack-chk-errors-on-init.patch |
493 |
+) |
494 |
+ |
495 |
src_prepare() { |
496 |
default |
497 |
sed -i -e 's:CFLAGS="-g":CFLAGS="$CFLAGS -g":' configure.ac || die #386027 |