Gentoo's Bugzilla – Attachment 644044 Details for Bug 614046: <media-libs/audiofile-0.3.6-r4: multiple vulnerabilities (CVE-2017-{6827,6828,6829,6830,6831,6832,6833,6834,6835,6836,6839})
[patch] audiofile-0.3.6-cve-2015.patch
audiofile-0.3.6-cve-2015.patch (text/plain), 9.29 KB, created by John Helmert III on 2020-06-09 06:29:22 UTC
Description: audiofile-0.3.6-cve-2015.patch
Flags: patch, obsolete
>From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001 >From: Antonio Larrosa <larrosa@kde.org> >Date: Mon, 6 Mar 2017 18:02:31 +0100 >Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp > >This fixes #33 >(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 >and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) >--- > libaudiofile/modules/IMA.cpp | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp >index 7476d44..df4aad6 100644 >--- a/libaudiofile/modules/IMA.cpp >+++ b/libaudiofile/modules/IMA.cpp >@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) > if (encoded[1] & 0x80) > m_adpcmState[c].previousValue -= 0x10000; > >- m_adpcmState[c].index = encoded[2]; >+ m_adpcmState[c].index = clamp(encoded[2], 0, 88); > > *decoded++ = m_adpcmState[c].previousValue; > >@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) > predictor -= 0x10000; > > state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); >- state.index = encoded[1] & 0x7f; >+ state.index = clamp(encoded[1] & 0x7f, 0, 88); > encoded += 2; > > for (int n=0; n<m_framesPerPacket; n+=2) >From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 >From: Antonio Larrosa <larrosa@kde.org> >Date: Mon, 6 Mar 2017 13:54:52 +0100 >Subject: [PATCH] Check for multiplication overflow in sfconvert > >Checks that a multiplication doesn't overflow when >calculating the buffer size, and if it overflows, >reduce the buffer size instead of failing. > >This fixes the 00192-audiofile-signintoverflow-sfconvert case >in #41 >--- > sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- > 1 file changed, 32 insertions(+), 2 deletions(-) > >diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c >index 80a1bc4..970a3e4 100644 >--- a/sfcommands/sfconvert.c 
>+++ b/sfcommands/sfconvert.c >@@ -45,6 +45,33 @@ void printusage (void); > void usageerror (void); > bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); > >+int firstBitSet(int x) >+{ >+ int position=0; >+ while (x!=0) >+ { >+ x>>=1; >+ ++position; >+ } >+ return position; >+} >+ >+#ifndef __has_builtin >+#define __has_builtin(x) 0 >+#endif >+ >+int multiplyCheckOverflow(int a, int b, int *result) >+{ >+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) >+ return __builtin_mul_overflow(a, b, result); >+#else >+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits >+ return true; >+ *result = a * b; >+ return false; >+#endif >+} >+ > int main (int argc, char **argv) > { > if (argc == 2) >@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) > { > int frameSize = afGetVirtualFrameSize(infile, trackid, 1); > >- const int kBufferFrameCount = 65536; >- void *buffer = malloc(kBufferFrameCount * frameSize); >+ int kBufferFrameCount = 65536; >+ int bufferSize; >+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) >+ kBufferFrameCount /= 2; >+ void *buffer = malloc(bufferSize); > > AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); > AFframecount totalFramesWritten = 0; >From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001 
>From: Antonio Larrosa <larrosa@kde.org> >Date: Mon, 6 Mar 2017 18:59:26 +0100 >Subject: [PATCH] Actually fail when error occurs in parseFormat > >When there's an unsupported number of bits per sample or an invalid >number of samples per block, don't only print an error message using >the error handler, but actually stop parsing the file. > >This fixes #35 (also reported at >https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and >https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ >) >--- > libaudiofile/WAVE.cpp | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp >index 0e81cf7..d762249 100644 >--- a/libaudiofile/WAVE.cpp >+++ b/libaudiofile/WAVE.cpp >@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) > { > _af_error(AF_BAD_NOT_IMPLEMENTED, > "IMA ADPCM compression supports only 4 bits per sample"); >+ return AF_FAIL; > } > > int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; >@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) > { > _af_error(AF_BAD_CODEC_CONFIG, > "Invalid samples per block for IMA ADPCM compression"); >+ return AF_FAIL; > } > > track->f.sampleWidth = 16; >From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001 >From: Antonio Larrosa <larrosa@kde.org> >Date: Mon, 6 Mar 2017 13:43:53 +0100 >Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample > >Check for multiplication overflow (using __builtin_mul_overflow >if available) in MSADPCM.cpp decodeSample and return an empty >decoded block if an error occurs. > >This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 >--- > libaudiofile/modules/BlockCodec.cpp | 5 +-- > libaudiofile/modules/MSADPCM.cpp | 47 ++++++++++++++++++++++++++--- > 2 files changed, 46 insertions(+), 6 deletions(-) 
> >diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp >index 45925e8..4731be1 100644 >--- a/libaudiofile/modules/BlockCodec.cpp >+++ b/libaudiofile/modules/BlockCodec.cpp >@@ -52,8 +52,9 @@ void BlockCodec::runPull() > // Decompress into m_outChunk. > for (int i=0; i<blocksRead; i++) > { >- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, >- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); >+ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, >+ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) >+ break; > > framesRead += m_framesPerPacket; > } >diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp >index 8ea3c85..ef9c38c 100644 >--- a/libaudiofile/modules/MSADPCM.cpp >+++ b/libaudiofile/modules/MSADPCM.cpp 
>@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = > 768, 614, 512, 409, 307, 230, 230, 230 > }; > >+int firstBitSet(int x) >+{ >+ int position=0; >+ while (x!=0) >+ { >+ x>>=1; >+ ++position; >+ } >+ return position; >+} >+ >+#ifndef __has_builtin >+#define __has_builtin(x) 0 >+#endif >+ >+int multiplyCheckOverflow(int a, int b, int *result) >+{ >+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) >+ return __builtin_mul_overflow(a, b, result); >+#else >+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits >+ return true; >+ *result = a * b; >+ return false; >+#endif >+} >+ >+ > // Compute a linear PCM value from the given differential coded value. > static int16_t decodeSample(ms_adpcm_state &state, >- uint8_t code, const int16_t *coefficient) >+ uint8_t code, const int16_t *coefficient, bool *ok=NULL) > { > int linearSample = (state.sample1 * coefficient[0] + > state.sample2 * coefficient[1]) >> 8; >+ int delta; > > linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; > > linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); > >- int delta = (state.delta * adaptationTable[code]) >> 8; >+ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) >+ { >+ if (ok) *ok=false; >+ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); >+ return 0; >+ } >+ delta >>= 8; > if (delta < 16) > delta = 16; > > state.delta = delta; > state.sample2 = state.sample1; > state.sample1 = linearSample; >+ if (ok) *ok=true; > > return static_cast<int16_t>(linearSample); > } 
>@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) > { > uint8_t code; > int16_t newSample; >+ bool ok; > > code = *encoded >> 4; >- newSample = decodeSample(*state[0], code, coefficient[0]); >+ newSample = decodeSample(*state[0], code, coefficient[0], &ok); >+ if (!ok) return 0; > *decoded++ = newSample; > > code = *encoded & 0x0f; >- newSample = decodeSample(*state[1], code, coefficient[1]); >+ newSample = decodeSample(*state[1], code, coefficient[1], &ok); >+ if (!ok) return 0; > *decoded++ = newSample; > > encoded++; >From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001 >From: Antonio Larrosa <larrosa@kde.org> >Date: Mon, 6 Mar 2017 12:51:22 +0100 >Subject: [PATCH] Always check the number of coefficients > >When building the library with NDEBUG, asserts are eliminated >so it's better to always check that the number of coefficients >is inside the array range. > >This fixes the 00191-audiofile-indexoob issue in #41 >--- > libaudiofile/WAVE.cpp | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp >index 0e81cf7..61f9541 100644 >--- a/libaudiofile/WAVE.cpp >+++ b/libaudiofile/WAVE.cpp >@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) > > /* numCoefficients should be at least 7. */ > assert(numCoefficients >= 7 && numCoefficients <= 255); >+ if (numCoefficients < 7 || numCoefficients > 255) >+ { >+ _af_error(AF_BAD_HEADER, >+ "Bad number of coefficients"); >+ return AF_FAIL; >+ } > > m_msadpcmNumCoefficients = numCoefficients; >
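Review bot: in IMA.cpp @@ -169 the literal 88 is a bare magic number; it is the last valid index of the table that `index` later selects into (the global buffer overflow named in the commit message), so give it a named constant defined next to that table so the clamp and the table size cannot drift apart. Clamping also silently repairs a corrupt block header instead of reporting it; the WAVE.cpp hunks in this same patch set return AF_FAIL on bad parameters, so consider whether an index above 88 should be treated as a decoding error for consistency.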
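Review bot: in IMA.cpp @@ -210 the same literal 88 is repeated in decodeBlockQT; since `encoded[1] & 0x7f` already limits the value to 0..127, only the upper bound does any work here. Share one named constant with decodeBlockWAVE rather than duplicating the number in both decoders.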
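Review bot: in sfconvert.c @@ -45, firstBitSet() does not terminate for a negative argument: `x>>=1` on a negative int is an arithmetic shift that never reaches zero, so the fallback branch of multiplyCheckOverflow() hangs if either operand is negative. Either reject `a <= 0 || b <= 0` before the loop or shift an unsigned copy of the value. The fallback is also deliberately conservative (it rejects any product whose operand bit lengths sum to more than 31, even when the true product fits), which is acceptable for a buffer size but deserves a comment. Minor: the function returns int while using true/false; declare it bool to match copyaudiodata().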
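Review bot: in sfconvert.c @@ -323 the halving loop assumes frameSize is positive; the value returned by afGetVirtualFrameSize() is stored in an int with no range check, and a zero or negative frameSize either makes the loop a no-op with a useless bufferSize or reaches the non-terminating fallback in firstBitSet(). Validate `frameSize > 0` before the loop, and check the result of `malloc(bufferSize)`, which remains unchecked after this change; a size that survived the overflow check can still fail to allocate.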
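Review bot: in WAVE.cpp @@ -333 the samples-per-block check runs only after bytesPerBlock has already been computed from samplesPerBlock in the preceding hunk's context line (`int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;`). Move the validation above that line so the multiplication is performed only on a value that has passed the check; as written, an out-of-range samplesPerBlock still flows into the arithmetic before being rejected.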
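Review bot: in BlockCodec.cpp @@ -52 a decodeBlock() return of 0 is now the failure sentinel and the loop simply breaks, so the caller receives a short chunk with framesRead covering only the blocks that succeeded and no indication that decoding failed. Consider propagating the failure explicitly rather than relying on a truncated read, and confirm that every decodeBlock implementation in this hierarchy (the IMA decoders touched earlier in this patch set are not changed here) can never legitimately return 0 frames, otherwise a valid block would be mistaken for an error.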
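Review bot: in MSADPCM.cpp @@ -101 firstBitSet() and multiplyCheckOverflow() are copied verbatim from sfconvert.c, including the non-termination on negative input (`x>>=1` never reaches zero for a negative int), and they are defined with external linkage in a .cpp file. Move them to a shared header as static inline functions so the library and sfconvert use one definition, and guard the fallback against negative operands should state.delta ever be negative, since it is passed as the first operand here. The new `bool *ok=NULL` default also lets an existing caller that passes no ok pointer receive 0 as a sample value with no way to notice the failure; prefer making the parameter mandatory.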
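Review bot: in MSADPCM.cpp @@ -212, when the second decodeSample() call fails the first sample of the pair has already been written to `decoded`, and `return 0` leaves the rest of the output block holding whatever it contained before. That is acceptable as long as BlockCodec::runPull() stops at the failing block, as the BlockCodec.cpp hunk does, but `bool ok;` is declared without an initialiser; initialise it to false so any future path that skips decodeSample() cannot read an indeterminate value.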
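Review bot: in WAVE.cpp @@ -281 the new range check is placed after an assert that tests the same condition, so in a build without NDEBUG the assert aborts the process before the check and its AF_BAD_HEADER message are ever reached, while a release build rejects the file gracefully. Remove the assert, which the runtime check supersedes, so both build types behave the same on a malformed header.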