Backport patches from upstream against all currently known CVEs

PR: 227669 Submitted by: p5B2E9A8F@t-online.de MFH: 2019Q1 Security: CVE-2018-19661 CVE-2018-19662 CVE-2017-17456 CVE-2017-17457 CVE-2018-19758
svn path=/head/; revision=495440
2024-11-20 00:21:35 +00:00 · 2019-03-12 06:10:24 +00:00 · 2019-03-12 06:10:24 +00:00 · a6e226ea28 · 2021-03-31 03:12:20 +00:00
commit a6e226ea28
parent f176b71dd3
6 changed files with 268 additions and 1 deletions
--- a/audio/libsndfile/Makefile
+++ b/audio/libsndfile/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	libsndfile
 PORTVERSION=	1.0.28
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	audio
 MASTER_SITES=	http://www.mega-nerd.com/libsndfile/files/

--- a/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662
+++ b/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662
@ -0,0 +1,90 @@
+From: Hugo Lefeuvre <hle@owl.eu.com>
+Date: Mon, 24 Dec 2018 06:43:48 +0100
+Subject: a/ulaw: fix multiple buffer overflows (#432)
+
+i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+properly, leading to buffer underflow. INT_MIN is a special value
+since - INT_MIN cannot be represented as int.
+
+In this case round - INT_MIN to INT_MAX and proceed as usual.
+
+f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+properly, leading to null pointer dereference.
+
+In this case, arbitrarily set the buffer value to 0.
+
+This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+---
+ src/alaw.c | 9 +++++++--
+ src/ulaw.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a..4220224 100644
+--- src/alaw.c
+++ src/alaw.c
+@@ -19,6 +19,7 @@
+ #include	"sfconfig.h"
+ 
+ #include	<math.h>
+#include	<limits.h>
+ 
+ #include	"sndfile.h"
+ #include	"common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
+	{	if (ptr [count] == INT_MIN)
+			buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
+		else if (ptr [count] >= 0)
+ 			buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+ 		else
+ 			buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
+	{	if (!isfinite (ptr [count]))
+			buffer [count] = 0 ;
+		else if (ptr [count] >= 0)
+ 			buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+ 		else
+ 			buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb..b6070ad 100644
+--- src/ulaw.c
+++ src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include	"sfconfig.h"
+ 
+ #include	<math.h>
+#include	<limits.h>
+ 
+ #include	"sndfile.h"
+ #include	"common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
+	{	if (ptr [count] == INT_MIN)
+			buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
+		else if (ptr [count] >= 0)
+ 			buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+ 		else
+ 			buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
+	{	if (!isfinite (ptr [count]))
+			buffer [count] = 0 ;
+		else if (ptr [count] >= 0)
+ 			buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+ 		else
+ 			buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
--- a/audio/libsndfile/files/patch-CVE-2018-19758
+++ b/audio/libsndfile/files/patch-CVE-2018-19758
@ -0,0 +1,31 @@
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Tue, 1 Jan 2019 20:11:46 +1100
+Subject: src/wav.c: Fix heap read overflow
+
+This is CVE-2018-19758.
+
+Closes: https://github.com/erikd/libsndfile/issues/435
+---
+ src/wav.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index 4b943dc..59015a1 100644
+--- src/wav.c
+++ src/wav.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2019 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+ 		psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ 		psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+ 
+		/* Loop count is signed 16 bit number so we limit it range to something sensible. */
+		psf->instrument->loop_count &= 0x7fff ;
+ 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ 		{	int type ;
+ 
--- a/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave
+++ b/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave
@ -0,0 +1,30 @@
+From: "Brett T. Warden" <brett.t.warden@intel.com>
+Date: Tue, 28 Aug 2018 12:01:17 -0700
+Subject: Check MAX_CHANNELS in sndfile-deinterleave
+
+Allocated buffer has space for only 16 channels. Verify that input file
+meets this limit.
+
+Fixes #397
+---
+ programs/sndfile-deinterleave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
+index e27593e..cb497e1 100644
+--- programs/sndfile-deinterleave.c
+++ programs/sndfile-deinterleave.c
+@@ -89,6 +89,13 @@ main (int argc, char **argv)
+ 		exit (1) ;
+ 		} ;
+ 
+	if (sfinfo.channels > MAX_CHANNELS)
+	{	printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n",
+			argv [1], sfinfo.channels, MAX_CHANNELS) ;
+		exit (1) ;
+		} ;
+
+
+ 	state.channels = sfinfo.channels ;
+ 	sfinfo.channels = 1 ;
+ 
--- a/audio/libsndfile/files/patch-rf64_arm
+++ b/audio/libsndfile/files/patch-rf64_arm
@ -0,0 +1,49 @@
+From: Erik de Castro Lopez <erikd@mega-nerd.com>
+Date: Tue, 20 Jun 2017 00:00:00 +0200
+Subject: fix RF64 on armel/armhf archs
+
+Origin: upstream
+Applied-Upstream: 9d470ee5577d3ccedb1c28c7e0a7295ba17feaf5
+Last-Update: 2017-06-20
+---
+ src/rf64.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/rf64.c b/src/rf64.c
+index c373bb0..60a3309 100644
+--- src/rf64.c
+++ src/rf64.c
+@@ -339,6 +339,12 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
+ 					} ;
+ 				break ;
+ 
+			case JUNK_MARKER :
+			case PAD_MARKER :
+				psf_log_printf (psf, "%M : %d\n", marker, chunk_size) ;
+				psf_binheader_readf (psf, "j", chunk_size) ;
+				break ;
+
+ 			default :
+ 					if (chunk_size >= 0xffff0000)
+ 					{	psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ;
+@@ -659,7 +665,7 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length)
+ 
+ 	if (wpriv->rf64_downgrade && psf->filelength < RIFF_DOWNGRADE_BYTES)
+ 	{	psf_binheader_writef (psf, "etm8m", RIFF_MARKER, (psf->filelength < 8) ? 8 : psf->filelength - 8, WAVE_MARKER) ;
+-		psf_binheader_writef (psf, "m4884", JUNK_MARKER, 20, 0, 0, 0, 0) ;
+		psf_binheader_writef (psf, "m4z", JUNK_MARKER, 24, 24) ;
+ 		add_fact_chunk = 1 ;
+ 		}
+ 	else
+@@ -735,9 +741,10 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length)
+ 
+ #endif
+ 
+	/* Padding may be needed if string data sizes change. */
+ 	pad_size = psf->dataoffset - 16 - psf->header.indx ;
+ 	if (pad_size >= 0)
+-		psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ;
+		psf_binheader_writef (psf, "m4z", PAD_MARKER, (unsigned int) pad_size, make_size_t (pad_size)) ;
+ 
+ 	if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES))
+ 		psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ;
--- a/audio/libsndfile/files/patch-typos
+++ b/audio/libsndfile/files/patch-typos
@ -0,0 +1,67 @@
+From: IOhannes m zmoelnig <umlaeute@debian.org>
+Date: Wed, 5 Oct 2016 00:00:00 +0200
+Subject: fixed spelling errors
+
+Forwarded: yes
+Last-Update: 2016-10-05
+
+discovered by lintian
+---
+ doc/bugs.html              | 2 +-
+ programs/sndfile-convert.c | 2 +-
+ src/ogg.c                  | 2 +-
+ src/wavlike.c              | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/doc/bugs.html b/doc/bugs.html
+index 3a441fe..addedb8 100644
+--- doc/bugs.html
+++ doc/bugs.html
+@@ -31,7 +31,7 @@
+ 	<UL>
+ 	<LI>	Compilation problems on new platforms.
+ 	<LI>	Errors being detected during the `make check' process.
+-	<LI>	Segmentation faults occuring inside libsndfile.
+	<LI>	Segmentation faults occurring inside libsndfile.
+ 	<LI>	libsndfile hanging when opening a file.
+ 	<LI>	Supported sound file types being incorrectly read or written.
+ 	<LI>	Omissions, errors or spelling mistakes in the documentation.
+diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
+index dff7f79..896838f 100644
+--- programs/sndfile-convert.c
+++ programs/sndfile-convert.c
+@@ -317,7 +317,7 @@ main (int argc, char * argv [])
+ 	if ((sfinfo.format & SF_FORMAT_SUBMASK) == SF_FORMAT_GSM610 && sfinfo.samplerate != 8000)
+ 	{	printf (
+ 			"WARNING: GSM 6.10 data format only supports 8kHz sample rate. The converted\n"
+-			"ouput file will contain the input data converted to the GSM 6.10 data format\n"
+			"output file will contain the input data converted to the GSM 6.10 data format\n"
+ 			"but not re-sampled.\n"
+ 			) ;
+ 		} ;
+diff --git a/src/ogg.c b/src/ogg.c
+index 0856f77..e01ebe1 100644
+--- src/ogg.c
+++ src/ogg.c
+@@ -193,7 +193,7 @@ ogg_stream_classify (SF_PRIVATE *psf, OGG_PRIVATE* odata)
+ 			break ;
+ 		} ;
+ 
+-	psf_log_printf (psf, "This Ogg bitstream contains some uknown data type.\n") ;
+	psf_log_printf (psf, "This Ogg bitstream contains some unknown data type.\n") ;
+ 	return SFE_UNIMPLEMENTED ;
+ } /* ogg_stream_classify */
+ 
+diff --git a/src/wavlike.c b/src/wavlike.c
+index 86ebf01..c053da3 100644
+--- src/wavlike.c
+++ src/wavlike.c
+@@ -161,7 +161,7 @@ wavlike_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize)
+ 	{	psf_log_printf (psf, "  Bit Width     : 24\n") ;
+ 
+ 		psf_log_printf (psf, "\n"
+-			"  Ambiguous information in 'fmt ' chunk. Possibile file types:\n"
+			"  Ambiguous information in 'fmt ' chunk. Possible file types:\n"
+ 			"    0) Invalid IEEE float file generated by Syntrillium's Cooledit!\n"
+ 			"    1) File generated by ALSA's arecord containing 24 bit samples in 32 bit containers.\n"
+ 			"    2) 24 bit file with incorrect Block Align value.\n"