aboutsummaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorChangqing Li <changqing.li@windriver.com>2019-01-07 16:06:32 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-01-07 17:23:07 +0000
commit8f4af329df5373db8910726a6b954652623003dd (patch)
tree345445ad38ebf231b372ee4a8d8bfb96526c9f1b /meta
parent19ad9e86012a012394dfa081fdb03981b01bdb7a (diff)
downloadopenembedded-core-contrib-8f4af329df5373db8910726a6b954652623003dd.tar.gz
openembedded-core-contrib-8f4af329df5373db8910726a6b954652623003dd.tar.bz2
openembedded-core-contrib-8f4af329df5373db8910726a6b954652623003dd.zip
libsndfile1: Security fix CVE-2017-17456/17457 CVE-2018-19661/19662
fix 4 CVEs, which is backport from https://github.com/erikd/libsndfile/commit/585cc28a93be27d6938f276af0011401b9f7c0ca Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch101
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb1
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
new file mode 100644
index 0000000000..c3f44ca235
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,101 @@
+From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 7 Jan 2019 15:55:03 +0800
+Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
+
+i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+properly, leading to buffer underflow. INT_MIN is a special value
+since - INT_MIN cannot be represented as int.
+
+In this case round - INT_MIN to INT_MAX and proceed as usual.
+
+f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+properly, leading to null pointer dereference.
+
+In this case, arbitrarily set the buffer value to 0.
+
+This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+
+Upstream-Status: Backport[https://github.com/erikd/libsndfile/
+commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
+
+CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/alaw.c | 9 +++++++--
+ src/ulaw.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a..4220224 100644
+--- a/src/alaw.c
++++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include <math.h>
++#include <limits.h>
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb..b6070ad 100644
+--- a/src/ulaw.c
++++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include <math.h>
++#include <limits.h>
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b28f675286..13248f5cb7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-14245-14246.patch \
file://CVE-2017-14634.patch \
file://CVE-2018-13139.patch \
+ file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"