diff options
| author |   Tanu Kaskinen <tanuk@iki.fi> | 2015-12-12 04:23:12 +0200 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-12-16 12:11:23 +0000 |
| commit | 5a4b8f7f643a4b95a7036eab02c7f74aa4077982 (patch) | |
| tree | e9d24ba3737a58ad851ce30766ef88d9cff94784 /meta/recipes-multimedia/libsndfile | |
| parent | 39fe71fb632a899fb348d531c3e4c3d5923f54d6 (diff) | |
| download | openembedded-core-5a4b8f7f643a4b95a7036eab02c7f74aa4077982.tar.gz | |
libsndfile1: 1.0.25 -> 1.0.26
Main points from the release announcement:
* Fix for CVE-2014-9496, SD2 buffer read overflow.
* Fix for CVE-2014-9756, file_io.c divide by zero.
* Fix for CVE-2015-7805, AIFF heap write overflow.
* Add support for ALAC encoder in a CAF container.
* Add support for Cart chunks in WAV files.
* Minor bug fixes and improvements.
All patches we had are included in the new release.
Dropped PR from the recipe.
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-multimedia/libsndfile')
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch | 211 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch | 49 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch | 24 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.26.bb (renamed from meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb) | 11 |
4 files changed, 3 insertions, 292 deletions
diff --git a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch deleted file mode 100644 index cd48710fb7..0000000000 --- a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch +++ /dev/null @@ -1,211 +0,0 @@ -From 9341e9c6e70cd3ad76c901c3cf052d4cb52fd827 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Thu, 27 Jun 2013 18:04:03 +1000 -Subject: [PATCH] src/sd2.c : Fix segfault in SD2 RSRC parser. - -(Upstream commit 9341e9c6e70cd3ad76c901c3cf052d4cb52fd827) - -A specially crafted resource fork for an SD2 file can cause -the SD2 RSRC parser to read data from outside a dynamically -defined buffer. The data that is read is converted into a -short or int and used during further processing. - -Since no write occurs, this is unlikely to be exploitable. - -Bug reported by The Mayhem Team from Cylab, Carnegie Mellon -Univeristy. Paper is: -http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf - -Upstream-Status: Backport - -Signed-off-by: Yue Tao <yue.tao@windriver.com> ---- - src/sd2.c | 93 ++++++++++++++++++++++++++++++++++++------------------------- - 1 file changed, 55 insertions(+), 38 deletions(-) - -diff --git a/src/sd2.c b/src/sd2.c -index 35ce36b..6be150c 100644 ---- a/src/sd2.c -+++ b/src/sd2.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 2001-2011 Erik de Castro Lopo <erikd@mega-nerd.com> -+** Copyright (C) 2001-2013 Erik de Castro Lopo <erikd@mega-nerd.com> - ** Copyright (C) 2004 Paavo Jumppanen - ** - ** This program is free software; you can redistribute it and/or modify -@@ -371,44 +371,61 @@ sd2_write_rsrc_fork (SF_PRIVATE *psf, int UNUSED (calc_length)) - */ - - static inline int --read_char (const unsigned char * data, int offset) --{ return data [offset] ; --} /* read_char */ -+read_rsrc_char (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset >= prsrc->rsrc_len) -+ return 0 ; -+ return data [offset] ; -+} /* read_rsrc_char */ - - static inline int --read_short (const unsigned char * data, int offset) --{ return (data [offset] << 8) + data [offset + 1] ; --} /* read_short */ -+read_rsrc_short (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset + 1 >= prsrc->rsrc_len) -+ return 0 ; -+ return (data [offset] << 8) + data [offset + 1] ; -+} /* read_rsrc_short */ - - static inline int --read_int (const unsigned char * data, int offset) --{ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; --} /* read_int */ -+read_rsrc_int (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) -+ return 0 ; -+ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; -+} /* read_rsrc_int */ - - static inline int --read_marker (const unsigned char * data, int offset) --{ -+read_rsrc_marker (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ -+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) -+ return 0 ; -+ - if (CPU_IS_BIG_ENDIAN) - return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; -- else if (CPU_IS_LITTLE_ENDIAN) -+ if (CPU_IS_LITTLE_ENDIAN) - return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (data [offset + 3] << 24) ; -- else -- return 0x666 ; --} /* read_marker */ -+ -+ return 0 ; -+} /* read_rsrc_marker */ - - static void --read_str (const unsigned char * data, int offset, char * buffer, int buffer_len) --{ int k ; -+read_rsrc_str (const SD2_RSRC *prsrc, int offset, char * buffer, int buffer_len) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ int k ; - - memset (buffer, 0, buffer_len) ; - -+ if (offset < 0 || offset + buffer_len >= prsrc->rsrc_len) -+ return ; -+ - for (k = 0 ; k < buffer_len - 1 ; k++) - { if (psf_isprint (data [offset + k]) == 0) - return ; - buffer [k] = data [offset + k] ; - } ; - return ; --} /* read_str */ -+} /* read_rsrc_str */ - - static int - sd2_parse_rsrc_fork (SF_PRIVATE *psf) -@@ -435,17 +452,17 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - /* Reset the header storage because we have changed to the rsrcdes. */ - psf->headindex = psf->headend = rsrc.rsrc_len ; - -- rsrc.data_offset = read_int (rsrc.rsrc_data, 0) ; -- rsrc.map_offset = read_int (rsrc.rsrc_data, 4) ; -- rsrc.data_length = read_int (rsrc.rsrc_data, 8) ; -- rsrc.map_length = read_int (rsrc.rsrc_data, 12) ; -+ rsrc.data_offset = read_rsrc_int (&rsrc, 0) ; -+ rsrc.map_offset = read_rsrc_int (&rsrc, 4) ; -+ rsrc.data_length = read_rsrc_int (&rsrc, 8) ; -+ rsrc.map_length = read_rsrc_int (&rsrc, 12) ; - - if (rsrc.data_offset == 0x51607 && rsrc.map_offset == 0x20000) - { psf_log_printf (psf, "Trying offset of 0x52 bytes.\n") ; -- rsrc.data_offset = read_int (rsrc.rsrc_data, 0x52 + 0) + 0x52 ; -- rsrc.map_offset = read_int (rsrc.rsrc_data, 0x52 + 4) + 0x52 ; -- rsrc.data_length = read_int (rsrc.rsrc_data, 0x52 + 8) ; -- rsrc.map_length = read_int (rsrc.rsrc_data, 0x52 + 12) ; -+ rsrc.data_offset = read_rsrc_int (&rsrc, 0x52 + 0) + 0x52 ; -+ rsrc.map_offset = read_rsrc_int (&rsrc, 0x52 + 4) + 0x52 ; -+ rsrc.data_length = read_rsrc_int (&rsrc, 0x52 + 8) ; -+ rsrc.map_length = read_rsrc_int (&rsrc, 0x52 + 12) ; - } ; - - psf_log_printf (psf, " data offset : 0x%04X\n map offset : 0x%04X\n" -@@ -488,7 +505,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - goto parse_rsrc_fork_cleanup ; - } ; - -- rsrc.string_offset = rsrc.map_offset + read_short (rsrc.rsrc_data, rsrc.map_offset + 26) ; -+ rsrc.string_offset = rsrc.map_offset + read_rsrc_short (&rsrc, rsrc.map_offset + 26) ; - if (rsrc.string_offset > rsrc.rsrc_len) - { psf_log_printf (psf, "Bad string offset (%d).\n", rsrc.string_offset) ; - error = SFE_SD2_BAD_RSRC ; -@@ -497,7 +514,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.type_offset = rsrc.map_offset + 30 ; - -- rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ; -+ rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ; - if (rsrc.type_count < 1) - { psf_log_printf (psf, "Bad type count.\n") ; - error = SFE_SD2_BAD_RSRC ; -@@ -513,11 +530,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.str_index = -1 ; - for (k = 0 ; k < rsrc.type_count ; k ++) -- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ; -+ { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; - - if (marker == STR_MARKER) - { rsrc.str_index = k ; -- rsrc.str_count = read_short (rsrc.rsrc_data, rsrc.type_offset + k * 8 + 4) + 1 ; -+ rsrc.str_count = read_rsrc_short (&rsrc, rsrc.type_offset + k * 8 + 4) + 1 ; - error = parse_str_rsrc (psf, &rsrc) ; - goto parse_rsrc_fork_cleanup ; - } ; -@@ -549,26 +566,26 @@ parse_str_rsrc (SF_PRIVATE *psf, SD2_RSRC * rsrc) - for (k = 0 ; data_offset + data_len < rsrc->rsrc_len ; k++) - { int slen ; - -- slen = read_char (rsrc->rsrc_data, str_offset) ; -- read_str (rsrc->rsrc_data, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ; -+ slen = read_rsrc_char (rsrc, str_offset) ; -+ read_rsrc_str (rsrc, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ; - str_offset += slen + 1 ; - -- rsrc_id = read_short (rsrc->rsrc_data, rsrc->item_offset + k * 12) ; -+ rsrc_id = read_rsrc_short (rsrc, rsrc->item_offset + k * 12) ; - -- data_offset = rsrc->data_offset + read_int (rsrc->rsrc_data, rsrc->item_offset + k * 12 + 4) ; -+ data_offset = rsrc->data_offset + read_rsrc_int (rsrc, rsrc->item_offset + k * 12 + 4) ; - if (data_offset < 0 || data_offset > rsrc->rsrc_len) - { psf_log_printf (psf, "Exiting parser on data offset of %d.\n", data_offset) ; - break ; - } ; - -- data_len = read_int (rsrc->rsrc_data, data_offset) ; -+ data_len = read_rsrc_int (rsrc, data_offset) ; - if (data_len < 0 || data_len > rsrc->rsrc_len) - { psf_log_printf (psf, "Exiting parser on data length of %d.\n", data_len) ; - break ; - } ; - -- slen = read_char (rsrc->rsrc_data, data_offset + 4) ; -- read_str (rsrc->rsrc_data, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), slen + 1)) ; -+ slen = read_rsrc_char (rsrc, data_offset + 4) ; -+ read_rsrc_str (rsrc, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), slen + 1)) ; - - psf_log_printf (psf, " 0x%04x %4d %4d %3d '%s'\n", data_offset, rsrc_id, data_len, slen, value) ; - --- -1.7.9.5 - diff --git a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch deleted file mode 100644 index fa6473d4f8..0000000000 --- a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch +++ /dev/null @@ -1,49 +0,0 @@ -From dbe14f00030af5d3577f4cabbf9861db59e9c378 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Thu, 25 Dec 2014 19:23:12 +1100 -Subject: [PATCH] src/sd2.c : Fix two potential buffer read overflows. - -(Upstream commit dbe14f00030af5d3577f4cabbf9861db59e9c378) - -Closes: https://github.com/erikd/libsndfile/issues/93 - -Upstream-Status: Backport - -Signed-off-by: Yue Tao <yue.tao@windriver.com> ---- - src/sd2.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/sd2.c b/src/sd2.c -index 0b4e5af..a70a1f1 100644 ---- a/src/sd2.c -+++ b/src/sd2.c -@@ -517,6 +517,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.type_offset = rsrc.map_offset + 30 ; - -+ if (rsrc.map_offset + 28 > rsrc.rsrc_len) -+ { psf_log_printf (psf, "Bad map offset.\n") ; -+ goto parse_rsrc_fork_cleanup ; -+ } ; -+ - rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ; - if (rsrc.type_count < 1) - { psf_log_printf (psf, "Bad type count.\n") ; -@@ -533,7 +538,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.str_index = -1 ; - for (k = 0 ; k < rsrc.type_count ; k ++) -- { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; -+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len) -+ { psf_log_printf (psf, "Bad rsrc marker.\n") ; -+ goto parse_rsrc_fork_cleanup ; -+ } ; -+ -+ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; - - if (marker == STR_MARKER) - { rsrc.str_index = k ; --- -1.7.9.5 - diff --git a/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch deleted file mode 100644 index b54b3ba669..0000000000 --- a/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch +++ /dev/null @@ -1,24 +0,0 @@ -src/file_io.c : Prevent potential divide-by-zero. - -Closes: https://github.com/erikd/libsndfile/issues/92 - -Upstream-Status: Backport - -Fixes CVE-2014-9756 - -Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com> -Signed-off-by: Maxin B. John <maxin.john@intel.com> ---- -diff -Naur libsndfile-1.0.25-orig/src/file_io.c libsndfile-1.0.25/src/file_io.c ---- libsndfile-1.0.25-orig/src/file_io.c 2011-01-19 12:12:28.000000000 +0200 -+++ libsndfile-1.0.25/src/file_io.c 2015-11-04 15:02:04.337395618 +0200 -@@ -358,6 +358,9 @@ - { sf_count_t total = 0 ; - ssize_t count ; - -+ if (bytes == 0 || items == 0) -+ return 0 ; -+ - if (psf->virtual_io) - return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ; - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.26.bb index be875c227b..3b11568c17 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.26.bb @@ -4,16 +4,11 @@ AUTHOR = "Erik de Castro Lopo" DEPENDS = "sqlite3" SECTION = "libs/multimedia" LICENSE = "LGPLv2.1" -PR = "r2" -SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ - file://0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch \ - file://0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch \ - file://libsndfile-fix-CVE-2014-9756.patch \ -" +SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz" -SRC_URI[md5sum] = "e2b7bb637e01022c7d20f95f9c3990a2" -SRC_URI[sha256sum] = "59016dbd326abe7e2366ded5c344c853829bebfd1702ef26a07ef662d6aa4882" +SRC_URI[md5sum] = "ec810a0c60c08772a8a5552704b63393" +SRC_URI[sha256sum] = "cd6520ec763d1a45573885ecb1f8e4e42505ac12180268482a44b28484a25092" LIC_FILES_CHKSUM = "file://COPYING;md5=e77fe93202736b47c07035910f47974a" |