libsndfile/libsndfile-CVE-2022-33065.patch

From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
From: Alex Stewart <alex.stewart@ni.com>
Date: Tue, 10 Oct 2023 16:10:34 -0400
Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation

The clang sanitizer warns of a possible signed integer overflow when
calculating the `dataend` value in `mat4_read_header()`.

```
src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
```

Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
`dataend` before performing the calculation, to avoid the issue.

CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/789
Fixes: https://github.com/libsndfile/libsndfile/issues/833

Signed-off-by: Alex Stewart <alex.stewart@ni.com>
---
 src/mat4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mat4.c b/src/mat4.c
index 0b1b414b4..575683ba1 100644
--- a/src/mat4.c
+++ b/src/mat4.c
@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
 				psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
 		}
 	else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
-		psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+		psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
 
 	psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
Accepting request 1119225 from home:tiwai:branches:multimedia:libs - Update to 1.2.1: * Various bug fixes (issue #908, #907, #934, #950, #930) - Update to 1.2.2: * Fixed invalid regex in src/create_symbols_file.py * Fixed passing null pointer to printf %s in tests - Fix signed integers overflows in au_read_header() (bsc#121345, CVE-2022-33065): libsndfile-CVE-2022-33065.patch - Update to 1.2.1: * Various bug fixes (issue #908, #907, #934, #950, #930) - Update to 1.2.2: * Fixed invalid regex in src/create_symbols_file.py * Fixed passing null pointer to printf %s in tests - Fix signed integers overflows in au_read_header() (bsc#121345, CVE-2022-33065): libsndfile-CVE-2022-33065.patch OBS-URL: https://build.opensuse.org/request/show/1119225 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=90 2023-10-20 14:11:28 +02:00			`From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001`
			`From: Alex Stewart <alex.stewart@ni.com>`
			`Date: Tue, 10 Oct 2023 16:10:34 -0400`
			`Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation`

			`The clang sanitizer warns of a possible signed integer overflow when`
			calculating the `dataend` value in `mat4_read_header()`.

			```
			`src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'`
			`SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in`
			`src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'`
			`SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in`
			```

			Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
			`dataend` before performing the calculation, to avoid the issue.

			`CVE: CVE-2022-33065`
			`Fixes: https://github.com/libsndfile/libsndfile/issues/789`
			`Fixes: https://github.com/libsndfile/libsndfile/issues/833`

			`Signed-off-by: Alex Stewart <alex.stewart@ni.com>`
			`---`
			`src/mat4.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/src/mat4.c b/src/mat4.c`
			`index 0b1b414b4..575683ba1 100644`
			`--- a/src/mat4.c`
			`+++ b/src/mat4.c`
			`@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)`
			`psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;`
			`}`
			`else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)`
			`- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;`
			`+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;`

			`psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;`