Browse Source

libaudiofile: Multiple bug fixes, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2015-7747 & GCC6 patches

Signed-off-by: Ted Hess <thess@kitschensync.net>
lilik-openwrt-22.03
Ted Hess 8 years ago
parent
commit
cf39348a73
11 changed files with 424 additions and 5 deletions
  1. +5
    -5
      libs/libaudiofile/Makefile
  2. +18
    -0
      libs/libaudiofile/patches/010-gcc6-fix-left-shift-negative-number.patch
  3. +25
    -0
      libs/libaudiofile/patches/020-remove-tests-examples-docs.patch
  4. +19
    -0
      libs/libaudiofile/patches/030-CVE-2015-7747.patch
  5. +34
    -0
      libs/libaudiofile/patches/110-Always-check-the-number-of-coefficients.patch
  6. +37
    -0
      libs/libaudiofile/patches/120-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
  7. +70
    -0
      libs/libaudiofile/patches/130-Check-for-multiplication-overflow-in-sfconvert.patch
  8. +35
    -0
      libs/libaudiofile/patches/140-Actually-fail-when-error-occurs-in-parseFormat.patch
  9. +120
    -0
      libs/libaudiofile/patches/150-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
  10. +40
    -0
      libs/libaudiofile/patches/160-Fix-signature-of-multiplyCheckOverflow.patch
  11. +21
    -0
      libs/libaudiofile/patches/170-Check-for-division-by-zero-in-BlockCodec.patch

+ 5
- 5
libs/libaudiofile/Makefile View File

@ -1,6 +1,4 @@
#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
@ -9,7 +7,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=audiofile
PKG_VERSION:=0.3.6
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@GNOME/$(PKG_NAME)/0.3
@ -39,8 +37,10 @@ endef
CONFIGURE_ARGS+= \
--enable-shared \
--enable-static \
--disable-examples \
--with-build-cc="$(HOSTCC)"
--disable-docs \
--disable-coverage \
--disable-examples
TARGET_CFLAGS+= $(FPIC)


+ 18
- 0
libs/libaudiofile/patches/010-gcc6-fix-left-shift-negative-number.patch View File

@ -0,0 +1,18 @@
Description: Fix FTBFS with GCC 6
Author: Michael Schwendt <mschwendt@fedoraproject.org>
Origin: vendor, https://github.com/mpruett/audiofile/pull/27
Bug-Debian: https://bugs.debian.org/812055
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/libaudiofile/modules/SimpleModule.h
+++ b/libaudiofile/modules/SimpleModule.h
@@ -123,7 +123,7 @@ struct signConverter
typedef typename IntTypes<Format>::UnsignedType UnsignedType;
static const int kScaleBits = (Format + 1) * CHAR_BIT - 1;
- static const int kMinSignedValue = -1 << kScaleBits;
+ static const int kMinSignedValue = 0-(1U<<kScaleBits);
struct signedToUnsigned : public std::unary_function<SignedType, UnsignedType>
{

+ 25
- 0
libs/libaudiofile/patches/020-remove-tests-examples-docs.patch View File

@ -0,0 +1,25 @@
--- a/configure.ac
+++ b/configure.ac
@@ -159,12 +159,8 @@ AC_CONFIG_FILES([
audiofile.pc
audiofile-uninstalled.pc
sfcommands/Makefile
- test/Makefile
- gtest/Makefile
- examples/Makefile
libaudiofile/Makefile
libaudiofile/alac/Makefile
libaudiofile/modules/Makefile
- docs/Makefile
Makefile])
AC_OUTPUT
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
## Process this file with automake to produce Makefile.in
-SUBDIRS = gtest libaudiofile sfcommands test examples docs
+SUBDIRS = libaudiofile sfcommands
EXTRA_DIST = \
ACKNOWLEDGEMENTS \

+ 19
- 0
libs/libaudiofile/patches/030-CVE-2015-7747.patch View File

@ -0,0 +1,19 @@
Description: fix buffer overflow when changing both sample format and
number of channels
Origin: backport, https://github.com/mpruett/audiofile/pull/25
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102
Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
===================================================================
--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
+++ audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400
@@ -402,7 +402,7 @@
addModule(new Transform(outfc, in.pcm, out.pcm));
if (in.channelCount != out.channelCount)
- addModule(new ApplyChannelMatrix(infc, isReading,
+ addModule(new ApplyChannelMatrix(outfc, isReading,
in.channelCount, out.channelCount,
in.pcm.minClip, in.pcm.maxClip,
track->channelMatrix));

+ 34
- 0
libs/libaudiofile/patches/110-Always-check-the-number-of-coefficients.patch View File

@ -0,0 +1,34 @@
From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 12:51:22 +0100
Subject: [PATCH] Always check the number of coefficients
When building the library with NDEBUG, asserts are eliminated
so it's better to always check that the number of coefficients
is inside the array range.
This fixes the 00191-audiofile-indexoob issue in #41
---
libaudiofile/WAVE.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
index 0e81cf7..61f9541 100644
--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
/* numCoefficients should be at least 7. */
assert(numCoefficients >= 7 && numCoefficients <= 255);
+ if (numCoefficients < 7 || numCoefficients > 255)
+ {
+ _af_error(AF_BAD_HEADER,
+ "Bad number of coefficients");
+ return AF_FAIL;
+ }
m_msadpcmNumCoefficients = numCoefficients;
--
2.11.0

+ 37
- 0
libs/libaudiofile/patches/120-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch View File

@ -0,0 +1,37 @@
From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 18:02:31 +0100
Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
This fixes #33
(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
---
libaudiofile/modules/IMA.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
index 7476d44..df4aad6 100644
--- a/libaudiofile/modules/IMA.cpp
+++ b/libaudiofile/modules/IMA.cpp
@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
if (encoded[1] & 0x80)
m_adpcmState[c].previousValue -= 0x10000;
- m_adpcmState[c].index = encoded[2];
+ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
*decoded++ = m_adpcmState[c].previousValue;
@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
predictor -= 0x10000;
state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
- state.index = encoded[1] & 0x7f;
+ state.index = clamp(encoded[1] & 0x7f, 0, 88);
encoded += 2;
for (int n=0; n<m_framesPerPacket; n+=2)
--
2.11.0

+ 70
- 0
libs/libaudiofile/patches/130-Check-for-multiplication-overflow-in-sfconvert.patch View File

@ -0,0 +1,70 @@
From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 13:54:52 +0100
Subject: [PATCH] Check for multiplication overflow in sfconvert
Checks that a multiplication doesn't overflow when
calculating the buffer size, and if it overflows,
reduce the buffer size instead of failing.
This fixes the 00192-audiofile-signintoverflow-sfconvert case
in #41
---
sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 80a1bc4..970a3e4 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -45,6 +45,33 @@ void printusage (void);
void usageerror (void);
bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+int firstBitSet(int x)
+{
+ int position=0;
+ while (x!=0)
+ {
+ x>>=1;
+ ++position;
+ }
+ return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+ return __builtin_mul_overflow(a, b, result);
+#else
+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+ return true;
+ *result = a * b;
+ return false;
+#endif
+}
+
int main (int argc, char **argv)
{
if (argc == 2)
@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
{
int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
- const int kBufferFrameCount = 65536;
- void *buffer = malloc(kBufferFrameCount * frameSize);
+ int kBufferFrameCount = 65536;
+ int bufferSize;
+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
+ kBufferFrameCount /= 2;
+ void *buffer = malloc(bufferSize);
AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
AFframecount totalFramesWritten = 0;
--
2.11.0

+ 35
- 0
libs/libaudiofile/patches/140-Actually-fail-when-error-occurs-in-parseFormat.patch View File

@ -0,0 +1,35 @@
From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 18:59:26 +0100
Subject: [PATCH] Actually fail when error occurs in parseFormat
When there's an unsupported number of bits per sample or an invalid
number of samples per block, don't only print an error message using
the error handler, but actually stop parsing the file.
This fixes #35 (also reported at
https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
)
---
libaudiofile/WAVE.cpp | 2 ++
1 file changed, 2 insertions(+)
--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &
{
_af_error(AF_BAD_NOT_IMPLEMENTED,
"IMA ADPCM compression supports only 4 bits per sample");
+ return AF_FAIL;
}
int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &
{
_af_error(AF_BAD_CODEC_CONFIG,
"Invalid samples per block for IMA ADPCM compression");
+ return AF_FAIL;
}
track->f.sampleWidth = 16;

+ 120
- 0
libs/libaudiofile/patches/150-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch View File

@ -0,0 +1,120 @@
From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 13:43:53 +0100
Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
Check for multiplication overflow (using __builtin_mul_overflow
if available) in MSADPCM.cpp decodeSample and return an empty
decoded block if an error occurs.
This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
---
libaudiofile/modules/BlockCodec.cpp | 5 ++--
libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++----
2 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
index 45925e8..4731be1 100644
--- a/libaudiofile/modules/BlockCodec.cpp
+++ b/libaudiofile/modules/BlockCodec.cpp
@@ -52,8 +52,9 @@ void BlockCodec::runPull()
// Decompress into m_outChunk.
for (int i=0; i<blocksRead; i++)
{
- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
+ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
+ break;
framesRead += m_framesPerPacket;
}
diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
index 8ea3c85..ef9c38c 100644
--- a/libaudiofile/modules/MSADPCM.cpp
+++ b/libaudiofile/modules/MSADPCM.cpp
@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
768, 614, 512, 409, 307, 230, 230, 230
};
+int firstBitSet(int x)
+{
+ int position=0;
+ while (x!=0)
+ {
+ x>>=1;
+ ++position;
+ }
+ return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+ return __builtin_mul_overflow(a, b, result);
+#else
+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+ return true;
+ *result = a * b;
+ return false;
+#endif
+}
+
+
// Compute a linear PCM value from the given differential coded value.
static int16_t decodeSample(ms_adpcm_state &state,
- uint8_t code, const int16_t *coefficient)
+ uint8_t code, const int16_t *coefficient, bool *ok=NULL)
{
int linearSample = (state.sample1 * coefficient[0] +
state.sample2 * coefficient[1]) >> 8;
+ int delta;
linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
- int delta = (state.delta * adaptationTable[code]) >> 8;
+ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
+ {
+ if (ok) *ok=false;
+ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
+ return 0;
+ }
+ delta >>= 8;
if (delta < 16)
delta = 16;
state.delta = delta;
state.sample2 = state.sample1;
state.sample1 = linearSample;
+ if (ok) *ok=true;
return static_cast<int16_t>(linearSample);
}
@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
{
uint8_t code;
int16_t newSample;
+ bool ok;
code = *encoded >> 4;
- newSample = decodeSample(*state[0], code, coefficient[0]);
+ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
+ if (!ok) return 0;
*decoded++ = newSample;
code = *encoded & 0x0f;
- newSample = decodeSample(*state[1], code, coefficient[1]);
+ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
+ if (!ok) return 0;
*decoded++ = newSample;
encoded++;
--
2.11.0

+ 40
- 0
libs/libaudiofile/patches/160-Fix-signature-of-multiplyCheckOverflow.patch View File

@ -0,0 +1,40 @@
From ce536d707b8e2a26baca77320398c45238224ca7 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <larrosa@kde.org>
Date: Fri, 10 Mar 2017 15:40:02 +0100
Subject: [PATCH] Fix signature of multiplyCheckOverflow. It returns a bool,
not an int
---
libaudiofile/modules/MSADPCM.cpp | 2 +-
sfcommands/sfconvert.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
index ef9c38c..d8c9553 100644
--- a/libaudiofile/modules/MSADPCM.cpp
+++ b/libaudiofile/modules/MSADPCM.cpp
@@ -116,7 +116,7 @@ int firstBitSet(int x)
#define __has_builtin(x) 0
#endif
-int multiplyCheckOverflow(int a, int b, int *result)
+bool multiplyCheckOverflow(int a, int b, int *result)
{
#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
return __builtin_mul_overflow(a, b, result);
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 970a3e4..367f7a5 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -60,7 +60,7 @@ int firstBitSet(int x)
#define __has_builtin(x) 0
#endif
-int multiplyCheckOverflow(int a, int b, int *result)
+bool multiplyCheckOverflow(int a, int b, int *result)
{
#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
return __builtin_mul_overflow(a, b, result);
--
2.11.0

+ 21
- 0
libs/libaudiofile/patches/170-Check-for-division-by-zero-in-BlockCodec.patch View File

@ -0,0 +1,21 @@
From: Antonio Larrosa <larrosa@kde.org>
Date: Thu, 9 Mar 2017 10:21:18 +0100
Subject: Check for division by zero in BlockCodec::runPull
---
libaudiofile/modules/BlockCodec.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
index 4731be1..eb2fb4d 100644
--- a/libaudiofile/modules/BlockCodec.cpp
+++ b/libaudiofile/modules/BlockCodec.cpp
@@ -47,7 +47,7 @@ void BlockCodec::runPull()
// Read the compressed data.
ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount);
- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0;
+ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0;
// Decompress into m_outChunk.
for (int i=0; i<blocksRead; i++)

Loading…
Cancel
Save