diff --git a/packages/audiofile/0001_gcc6.patch b/packages/audiofile/0001_gcc6.patch new file mode 100644 index 0000000000..fbb237cab4 --- /dev/null +++ b/packages/audiofile/0001_gcc6.patch @@ -0,0 +1,102 @@ +Description: Fix FTBFS with GCC 6 +Author: Michael Schwendt +Origin: vendor, https://github.com/mpruett/audiofile/pull/27 +Bug-Debian: https://bugs.debian.org/812055 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + +--- a/libaudiofile/modules/SimpleModule.h ++++ b/libaudiofile/modules/SimpleModule.h +@@ -123,7 +123,7 @@ struct signConverter + typedef typename IntTypes::UnsignedType UnsignedType; + + static const int kScaleBits = (Format + 1) * CHAR_BIT - 1; +- static const int kMinSignedValue = -1 << kScaleBits; ++ static const int kMinSignedValue = 0-(1U< + { +--- a/test/FloatToInt.cpp ++++ b/test/FloatToInt.cpp +@@ -115,7 +115,7 @@ TEST_F(FloatToIntTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(FloatToIntTest, Int24) +--- a/test/IntToFloat.cpp ++++ b/test/IntToFloat.cpp +@@ -117,7 +117,7 @@ TEST_F(IntToFloatTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(IntToFloatTest, Int24) +--- a/test/NeXT.cpp ++++ b/test/NeXT.cpp +@@ -37,13 +37,13 @@ + + #include "TestUtilities.h" + +-const char kDataUnspecifiedLength[] = ++const signed char kDataUnspecifiedLength[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes +- 0xff, 0xff, 0xff, 0xff, // unspecified length ++ -1, -1, -1, -1, // unspecified length + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 1, // 1 channel + 0, 1, + 0, 1, +@@ -57,13 +57,13 @@ const char kDataUnspecifiedLength[] = + 0, 55 + }; + +-const char kDataTruncated[] = ++const signed char kDataTruncated[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes + 0, 0, 0, 20, // length of 20 bytes + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 1, // 1 channel + 0, 1, + 0, 1, +@@ -152,13 +152,13 @@ TEST(NeXT, Truncated) + ASSERT_EQ(::unlink(testFileName.c_str()), 0); + } + +-const char kDataZeroChannels[] = ++const signed char kDataZeroChannels[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes + 0, 0, 0, 2, // 2 bytes + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 0, // 0 channels + 0, 1 + }; +--- a/test/Sign.cpp ++++ b/test/Sign.cpp +@@ -116,7 +116,7 @@ TEST_F(SignConversionTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + static const uint32_t kMaxUInt24 = (1<<24) - 1; + diff --git a/packages/audiofile/0002_CVE-2015-7747.patch b/packages/audiofile/0002_CVE-2015-7747.patch new file mode 100644 index 0000000000..3325639591 --- /dev/null +++ b/packages/audiofile/0002_CVE-2015-7747.patch @@ -0,0 +1,156 @@ +Description: fix buffer overflow when changing both sample format and + number of channels +Origin: https://github.com/mpruett/audiofile/pull/25 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721 +Bug-Debian: https://bugs.debian.org/801102 + +--- a/libaudiofile/modules/ModuleState.cpp ++++ b/libaudiofile/modules/ModuleState.cpp +@@ -402,7 +402,7 @@ status ModuleState::arrange(AFfilehandle + addModule(new Transform(outfc, in.pcm, out.pcm)); + + if (in.channelCount != out.channelCount) +- addModule(new ApplyChannelMatrix(infc, isReading, ++ addModule(new ApplyChannelMatrix(outfc, isReading, + in.channelCount, out.channelCount, + in.pcm.minClip, in.pcm.maxClip, + track->channelMatrix)); +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -26,6 +26,7 @@ TESTS = \ + VirtualFile \ + floatto24 \ + query2 \ ++ sixteen-stereo-to-eight-mono \ + sixteen-to-eight \ + testchannelmatrix \ + testdouble \ +@@ -139,6 +140,7 @@ printmarkers_SOURCES = printmarkers.c + printmarkers_LDADD = $(LIBAUDIOFILE) -lm + + sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h ++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h + + testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h + +--- /dev/null ++++ b/test/sixteen-stereo-to-eight-mono.c +@@ -0,0 +1,118 @@ ++/* ++ Audio File Library ++ ++ Copyright 2000, Silicon Graphics, Inc. ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++*/ ++ ++/* ++ sixteen-stereo-to-eight-mono.c ++ ++ This program tests the conversion from 2-channel 16-bit integers to ++ 1-channel 8-bit integers. ++*/ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "TestUtilities.h" ++ ++int main (int argc, char **argv) ++{ ++ AFfilehandle file; ++ AFfilesetup setup; ++ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921}; ++ int8_t frames8[] = {28, 6, -2}; ++ int i, frameCount = 3; ++ int8_t byte; ++ AFframecount result; ++ ++ setup = afNewFileSetup(); ++ ++ afInitFileFormat(setup, AF_FILE_WAVE); ++ ++ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16); ++ afInitChannels(setup, AF_DEFAULT_TRACK, 2); ++ ++ char *testFileName; ++ if (!createTemporaryFile("sixteen-to-eight", &testFileName)) ++ { ++ fprintf(stderr, "Could not create temporary file.\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ file = afOpenFile(testFileName, "w", setup); ++ if (file == AF_NULL_FILEHANDLE) ++ { ++ fprintf(stderr, "could not open file for writing\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ afFreeFileSetup(setup); ++ ++ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount); ++ ++ afCloseFile(file); ++ ++ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP); ++ if (file == AF_NULL_FILEHANDLE) ++ { ++ fprintf(stderr, "could not open file for reading\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8); ++ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1); ++ ++ for (i=0; i +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 9dd8511..0fc48e8 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + + /* numCoefficients should be at least 7. */ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + m_msadpcmNumCoefficients = numCoefficients; + diff --git a/packages/audiofile/0005_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch b/packages/audiofile/0005_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch new file mode 100644 index 0000000000..2be930b924 --- /dev/null +++ b/packages/audiofile/0005_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch @@ -0,0 +1,116 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. + for (int i=0; i(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; diff --git a/packages/audiofile/0006_Check-for-multiplication-overflow-in-sfconvert.patch b/packages/audiofile/0006_Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..0f17140d6b --- /dev/null +++ b/packages/audiofile/0006_Check-for-multiplication-overflow-in-sfconvert.patch @@ -0,0 +1,66 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; diff --git a/packages/audiofile/0007_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch b/packages/audiofile/0007_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch new file mode 100644 index 0000000000..35627d3869 --- /dev/null +++ b/packages/audiofile/0007_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch @@ -0,0 +1,35 @@ +From: Antonio Larrosa +Date: Fri, 10 Mar 2017 15:40:02 +0100 +Subject: Fix signature of multiplyCheckOverflow. It returns a bool, not an int + +--- + libaudiofile/modules/MSADPCM.cpp | 2 +- + sfcommands/sfconvert.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index ef9c38c..d8c9553 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -116,7 +116,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 970a3e4..367f7a5 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -60,7 +60,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); diff --git a/packages/audiofile/0008_Actually-fail-when-error-occurs-in-parseFormat.patch b/packages/audiofile/0008_Actually-fail-when-error-occurs-in-parseFormat.patch new file mode 100644 index 0000000000..50cd3dc9a3 --- /dev/null +++ b/packages/audiofile/0008_Actually-fail-when-error-occurs-in-parseFormat.patch @@ -0,0 +1,36 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0fc48e8..d04b796 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; diff --git a/packages/audiofile/0009_Check-for-division-by-zero-in-BlockCodec-runPull.patch b/packages/audiofile/0009_Check-for-division-by-zero-in-BlockCodec-runPull.patch new file mode 100644 index 0000000000..e001133916 --- /dev/null +++ b/packages/audiofile/0009_Check-for-division-by-zero-in-BlockCodec-runPull.patch @@ -0,0 +1,21 @@ +From: Antonio Larrosa +Date: Thu, 9 Mar 2017 10:21:18 +0100 +Subject: Check for division by zero in BlockCodec::runPull + +--- + libaudiofile/modules/BlockCodec.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 4731be1..eb2fb4d 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -47,7 +47,7 @@ void BlockCodec::runPull() + + // Read the compressed data. + ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount); +- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0; ++ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0; + + // Decompress into m_outChunk. + for (int i=0; i +Date: Thu, 27 Sep 2018 10:48:45 +0200 +Subject: [PATCH] ModuleState: handle compress/decompress init failure + +When the unit initcompress or initdecompress function fails, +m_fileModule is NULL. Return AF_FAIL in that case instead of +causing NULL pointer dereferences later. + +Fixes #49 +--- + libaudiofile/modules/ModuleState.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +index 0c29d7a..070fd9b 100644 +--- a/libaudiofile/modules/ModuleState.cpp ++++ b/libaudiofile/modules/ModuleState.cpp +@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track) + m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok, + file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames); + ++ if (!m_fileModule) ++ return AF_FAIL; ++ + if (unit->needsRebuffer) + { + assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP); diff --git a/packages/audiofile/0011_CVE-2018-17095.patch b/packages/audiofile/0011_CVE-2018-17095.patch new file mode 100644 index 0000000000..231021b9fc --- /dev/null +++ b/packages/audiofile/0011_CVE-2018-17095.patch @@ -0,0 +1,26 @@ +From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Thu, 27 Sep 2018 12:11:12 +0200 +Subject: [PATCH] SimpleModule: set output chunk framecount after pull + +After pulling the data, set the output chunk to the amount of +frames we pulled so that the next module in the chain has the correct +frame count. + +Fixes #50 and #51 +--- + libaudiofile/modules/SimpleModule.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp +index 2bae1eb..e87932c 100644 +--- a/libaudiofile/modules/SimpleModule.cpp ++++ b/libaudiofile/modules/SimpleModule.cpp +@@ -26,6 +26,7 @@ + void SimpleModule::runPull() + { + pull(m_outChunk->frameCount); ++ m_outChunk->frameCount = m_inChunk->frameCount; + run(*m_inChunk, *m_outChunk); + } + diff --git a/packages/audiofile/0012-Fix-CVE-2022-24599.patch b/packages/audiofile/0012-Fix-CVE-2022-24599.patch new file mode 100644 index 0000000000..c09f6a8013 --- /dev/null +++ b/packages/audiofile/0012-Fix-CVE-2022-24599.patch @@ -0,0 +1,89 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sat, 11 Nov 2023 15:58:50 +0000 +Subject: Fix CVE-2022-24599 + +Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer +with a user declared string. + +Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0' +for printf + +Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1. + +Before under valgrind: +libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff + +Duration -inf seconds +==896222== Invalid read of size 1 +==896222== at 0x4846794: strlen (vg_replace_strmem.c:494) +==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435) +==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459) +==896222== by 0x49DE986: __printf_chk (printf_chk.c:33) +==896222== by 0x10985C: printf (stdio2.h:86) +==896222== by 0x10985C: printfileinfo (printinfo.c:134) +==896222== by 0x10930A: main (sfinfo.c:113) +==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd +==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381) +==896222== by 0x109825: copyrightstring (printinfo.c:163) +==896222== by 0x109825: printfileinfo (printinfo.c:131) +==896222== by 0x10930A: main (sfinfo.c:113) +==896222== +Copyright C + +After: +Duration -inf seconds +Copyright C + +forwarded: https://github.com/mpruett/audiofile/issues/60 +bug: https://github.com/mpruett/audiofile/issues/60 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008017 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2022-24599 +--- + sfcommands/printinfo.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c +index 60e6947..f5cf925 100644 +--- a/sfcommands/printinfo.c ++++ b/sfcommands/printinfo.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + static char *copyrightstring (AFfilehandle file); + +@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file) + int i, misccount; + + misccount = afGetMiscIDs(file, NULL); +- miscids = (int *) malloc(sizeof (int) * misccount); ++ if(!misccount) ++ return NULL; ++ miscids = (int *) calloc(misccount, sizeof(int)); ++ if(!miscids) ++ return NULL; + afGetMiscIDs(file, miscids); + + for (i=0; i= INT_MAX -1 ) { ++ goto error; ++ } ++ char *data = (char *) calloc(datasize + 1, 1); + afReadMisc(file, miscids[i], data, datasize); + copyright = data; + break; + } +- ++error: + free(miscids); + + return copyright; diff --git a/packages/audiofile/0013-Partial-fix-of-CVE-2019-13147.patch b/packages/audiofile/0013-Partial-fix-of-CVE-2019-13147.patch new file mode 100644 index 0000000000..21eda41606 --- /dev/null +++ b/packages/audiofile/0013-Partial-fix-of-CVE-2019-13147.patch @@ -0,0 +1,43 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sat, 11 Nov 2023 17:42:03 +0000 +Subject: Partial fix of CVE-2019-13147 + +This fix the symptom do not allow to allocate negative memory: +==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes +==129695==AddressSanitizer's allocator is terminating the process instead of returning 0 +==129695==If you don't like this behavior set allocator_may_return_null=1 +==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0) + #0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02) + #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595) + #2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342) + #3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46) + #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a) + #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327 + #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248 + #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) + #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79) + +If negative bail out + +bug: https://github.com/mpruett/audiofile/issues/54 +forwarded: https://github.com/mpruett/audiofile/issues/54 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343 +--- + sfcommands/sfconvert.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 367f7a5..400d485 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -349,7 +349,8 @@ void printversion (void) + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); +- ++ if(frameSize <= 0) ++ return false; + int kBufferFrameCount = 65536; + int bufferSize; + while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) diff --git a/packages/audiofile/0014-Partial-fix-of-CVE-2019-13147.patch b/packages/audiofile/0014-Partial-fix-of-CVE-2019-13147.patch new file mode 100644 index 0000000000..96068b3084 --- /dev/null +++ b/packages/audiofile/0014-Partial-fix-of-CVE-2019-13147.patch @@ -0,0 +1,43 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sat, 11 Nov 2023 17:43:19 +0000 +Subject: Partial fix of CVE-2019-13147 + +This is the fix of the POC. Do not allow too many channel + +Now it fail with: +Audio File Library: invalid file with 1633771873 channels [error 15] +Could not open file 'poc' for reading. + +bug: https://github.com/mpruett/audiofile/issues/54 +forwarded: https://github.com/mpruett/audiofile/issues/54 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343 +--- + libaudiofile/NeXT.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp +index c462dbe..01c967c 100644 +--- a/libaudiofile/NeXT.cpp ++++ b/libaudiofile/NeXT.cpp +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include "File.h" + #include "Setup.h" +@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup) + _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels"); + return AF_FAIL; + } ++ /* avoid overflow of INT for double size rate */ ++ if (channelCount > (INT32_MAX / (sizeof(double)))) ++ { ++ _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount); ++ return AF_FAIL; ++ } + + Track *track = allocateTrack(); + if (!track) diff --git a/packages/audiofile/build.sh b/packages/audiofile/build.sh new file mode 100644 index 0000000000..8bab8acacb --- /dev/null +++ b/packages/audiofile/build.sh @@ -0,0 +1,21 @@ +TERMUX_PKG_HOMEPAGE="https://audiofile.68k.org/" +TERMUX_PKG_DESCRIPTION="Silicon Graphics Audio File Library" +TERMUX_PKG_LICENSE="Apache-2.0, GPL-2.0-or-later, LGPL-2.1-or-later" +TERMUX_PKG_MAINTAINER="@termux" +TERMUX_PKG_VERSION="0.3.6" +TERMUX_PKG_SRCURL="https://audiofile.68k.org/audiofile-${TERMUX_PKG_VERSION}.tar.gz" +TERMUX_PKG_SHA256="cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965" +TERMUX_PKG_AUTO_UPDATE=true +TERMUX_PKG_DEPENDS="flac, libc++" +TERMUX_PKG_BUILD_DEPENDS="alsa-lib" +TERMUX_PKG_EXTRA_CONFIGURE_ARGS=" +--disable-docs +" + +termux_step_pre_configure() { + export CXXFLAGS="-std=gnu++98 -Wno-deprecated-declarations" + # Fixes undefined symbols in 32-bit ARM target: + # ERROR: ./lib/libaudiofile.so.1.0.0 contains undefined symbols: + # 8: 00000000 0 NOTYPE GLOBAL DEFAULT UND __aeabi_ldivmod + LDFLAGS+=" $($CC -print-libgcc-file-name)" +}