commit: 585ee02d57684b9b47738d103492543eb5786418 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Thu Jan 7 05:18:53 2021 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 7 05:18:53 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=585ee02d |
|
media-sound/timidity++: restore CVE patches from 2.14.0 |
|
Whoops, misgrep (fooled by {}, I think?) |
|
Thanks-to: Jeroen Roovers |
Fixes: 4071642e177ae0e7289d684387d1f01af563cbd1 |
Package-Manager: Portage-3.0.12, Repoman-3.0.2 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../files/timidity++-2.14.0-CVE-2017-11546.patch | 31 ++++++++++ |
.../files/timidity++-2.14.0-CVE-2017-11547.patch | 67 ++++++++++++++++++++++ |
2 files changed, 98 insertions(+) |
|
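--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
@@ -0,0 +1,31 @@
+From 2386ec2c745f6c5075e53ea051da211336b44b84 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@××××.de>
+Date: Tue, 26 Jun 2018 22:31:27 +0200
+Subject: readmidi: Fix division by zero
+
+References: CVE-2017-11546
+
+An adhoc fix for division by zero in insert_note_steps().
+
+Signed-off-by: Takashi Iwai <tiwai@××××.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+bug: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760825
+---
+ timidity/readmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/timidity/readmidi.c b/timidity/readmidi.c
+index 158388a..341777e 100644
+--- a/timidity/readmidi.c
++++ b/timidity/readmidi.c
+@@ -4585,6 +4585,8 @@ static void insert_note_steps(void)
+ if (beat != 0)
+ meas++, beat = 0;
+ num = timesig[n].a, denom = timesig[n].b, n++;
++ if (!denom)
++ denom = 1;
+ }
+ a = (meas + 1) & 0xff;
+ b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4);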
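Review bot: The added `if (!denom) denom = 1;` in insert_note_steps() silently replaces a zero time-signature denominator and carries no comment, so a later reader cannot tell it is the CVE-2017-11546 guard rather than a musical default. I would put a comment above it, for example `/* malformed time signature: a zero denominator would be used as a divisor (CVE-2017-11546) */`. The guard covers only the reassignment from `timesig[n].b` inside this branch. The function starts and ends outside the hunk, so it is worth confirming that the initial value of `denom` and any other reader of `timesig[].b` cannot be zero as well.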
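--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
@@ -0,0 +1,67 @@
+From 34328d22cbb4ccf03f29223f54f1834c796d86a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@××××.de>
+Date: Tue, 26 Jun 2018 22:31:28 +0200
+Subject: resample: Fix out-of-bound access in resamplers
+
+References: CVE-2017-11547
+
+An adhoc fix for out-of-bound accesses in resamples.
+The offset might overflow the given data range.
+
+Signed-off-by: Takashi Iwai <tiwai@××××.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760826
+---
+ timidity/resample.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/timidity/resample.c b/timidity/resample.c
+index cd6b8e6..4a3fadf 100644
+--- a/timidity/resample.c
++++ b/timidity/resample.c
+@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];
+@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t *
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = (int32)src[ofsi];
+ v2 = (int32)src[ofsi + 1];
+@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec
+ sample_t *sptr;
+ int32 left, right, temp_n;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS) - left - 1;
+ temp_n = (right<<1)-1;
+@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re
+ int32 left, right, temp_n;
+ int ii, jj;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
+ temp_n = (right<<1)-1;
+@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re
+ {
+ int32 v1, v2, ofsi;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];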
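Review bot: The fallback `return src[ofs >> FRACTION_BITS];` added at the top of resample_cspline, resample_lagrange, resample_gauss, resample_newton and resample_linear still indexes `src` with the unchecked offset, because the guard `ofs + (1 << FRACTION_BITS) >= rec->data_length` is also true when `ofs >= rec->data_length`, so an offset already past the data is read instead of rejected. Unless the callers guarantee `ofs < rec->data_length` (not visible in these hunks), the fallback should bail out first, for instance `if (ofs >= rec->data_length) return 0;`. If `splen_t` is a 32-bit unsigned type the sum could also wrap and skip the guard; comparing `rec->data_length - ofs <= (1 << FRACTION_BITS)` after that range check avoids the addition. The same two lines are pasted five times, so a small `static` helper would keep the bound in one place. All five function bodies continue outside the hunks.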