Accepting request 653843 from home:tiwai:branches:multimedia:libs

- Fix segfault in wav conversion due to the invalid loop count
  (CVE-2018-19758, bsc#1117954):
  libsndfile-wav-loop-count-fix.patch

OBS-URL: https://build.opensuse.org/request/show/653843
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=74

debug.patch

@@ -0,0 +1,14 @@
+---
+ programs/common.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/programs/common.c
++++ b/programs/common.c
+@@ -92,6 +92,7 @@ sfe_copy_data_int (SNDFILE *outfile, SND
+ 
+ 	while (readcount > 0)
+ 	{	readcount = sf_readf_int (infile, data, frames) ;
++		fprintf(stderr, "XXX sf_read_int frames=%d, count=%d, size=%d\n", frames, readcount, BUFFER_LEN);
+ 		sf_writef_int (outfile, data, readcount) ;
+ 		} ;
+ 

libsndfile-progs.spec

@@ -38,6 +38,7 @@ Patch31:        0031-sfe_copy_data_fp-check-value-of-max-variable.patch
 Patch32:        libsndfile-CVE-2017-17456-alaw-range-check.patch
 Patch33:        libsndfile-CVE-2017-17457-ulaw-range-check.patch
 Patch34:        sndfile-deinterlace-channels-check.patch
+Patch99:        debug.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  alsa-devel
@@ -64,6 +65,7 @@ This package includes the example programs for libsndfile.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch99 -p1
 %patch100 -p1
 
 %build

libsndfile-wav-loop-count-fix.patch

@@ -0,0 +1,27 @@
+From: Takashi Iwai <tiwai@suse.de>
+Subject: wav: Fix segfault due to invalid loop_count
+References: CVE-2018-19758, bsc#1117954
+
+The psf->instrument->loop_count can be over the actual loops array size,
+and it leads to a segfault.
+
+Just add the loop size fix to address it.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ src/wav.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1097,6 +1097,9 @@ wav_write_header (SF_PRIVATE *psf, int c
+ 		for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ 		{	int type ;
+ 
++			if (tmp >= ARRAY_LEN (psf->instrument->loops))
++				break;
++
+ 			type = psf->instrument->loops [tmp].mode ;
+ 			type = (type == SF_LOOP_FORWARD ? 0 : type == SF_LOOP_BACKWARD ? 2 : type == SF_LOOP_ALTERNATING ? 1 : 32) ;
+ 

libsndfile.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Dec  4 13:42:05 CET 2018 - tiwai@suse.de
+
+- Fix segfault in wav conversion due to the invalid loop count
+  (CVE-2018-19758, bsc#1117954):
+  libsndfile-wav-loop-count-fix.patch
+
 -------------------------------------------------------------------
 Fri Jul  6 14:11:47 CEST 2018 - tiwai@suse.de
 

libsndfile.spec

@@ -40,6 +40,8 @@ Patch31:        0031-sfe_copy_data_fp-check-value-of-max-variable.patch
 Patch32:        libsndfile-CVE-2017-17456-alaw-range-check.patch
 Patch33:        libsndfile-CVE-2017-17457-ulaw-range-check.patch
 Patch34:        sndfile-deinterlace-channels-check.patch
+# not yet upstreamed, CVE-2018-19758, bsc#1117954
+Patch40:        libsndfile-wav-loop-count-fix.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  alsa-devel
@@ -96,6 +98,7 @@ libsndfile library.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch40 -p1
 %patch100 -p1
 
 %build