diff --git a/debug.patch b/debug.patch
new file mode 100644
index 0000000..23e39ea
--- /dev/null
+++ b/debug.patch
@@ -0,0 +1,14 @@
+---
+ programs/common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/programs/common.c
++++ b/programs/common.c
+@@ -92,6 +92,7 @@ sfe_copy_data_int (SNDFILE *outfile, SND
+
+ while (readcount > 0)
+ { readcount = sf_readf_int (infile, data, frames) ;
++ fprintf(stderr, "XXX sf_read_int frames=%d, count=%d, size=%d\n", frames, readcount, BUFFER_LEN);
+ sf_writef_int (outfile, data, readcount) ;
+ } ;
+
diff --git a/libsndfile-progs.spec b/libsndfile-progs.spec
index b515e52..55b6a7a 100644
--- a/libsndfile-progs.spec
+++ b/libsndfile-progs.spec
@@ -38,6 +38,7 @@ Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
 Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch
 Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch
 Patch34: sndfile-deinterlace-channels-check.patch
+Patch99: debug.patch
 # PATCH-FIX-OPENSUSE
 Patch100: sndfile-ocloexec.patch
 BuildRequires: alsa-devel
@@ -64,6 +65,7 @@ This package includes the example programs for libsndfile.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch99 -p1
 %patch100 -p1
 
 %build
diff --git a/libsndfile-wav-loop-count-fix.patch b/libsndfile-wav-loop-count-fix.patch
new file mode 100644
index 0000000..b61ea15
--- /dev/null
+++ b/libsndfile-wav-loop-count-fix.patch
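Review bot: The `fprintf(stderr, "XXX sf_read_int ...")` that debug.patch adds inside the `sfe_copy_data_int` copy loop reads as leftover debugging instrumentation rather than part of the CVE-2018-19758 fix, and it would emit one stderr line per buffer in every tool that goes through this loop. If it must stay for now, the `%d` conversions need checking against the declarations of `frames` and `readcount`, which are outside the hunk; `sf_readf_int` returns `sf_count_t` in the libsndfile API, so `(long long) readcount` with `%lld` is the safer form. The label should also say `sf_readf_int`, the function actually called. Otherwise dropping debug.patch from this commit is the cleaner outcome.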
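Review bot: `Patch99: debug.patch` in the first libsndfile-progs.spec hunk and the matching `%patch99 -p1` in the second wire a debug-only patch into the package build, while the CVE-2018-19758 fix that this commit adds to libsndfile.spec as `Patch40` is not added here. The visible context shows both specs carrying the same Patch31 to Patch34 and Patch100 entries, so they look like they are meant to stay in sync. If the libsndfile-progs build also compiles src/wav.c (not visible here), it would ship without the loop-count check. I would replace the two added lines with `Patch40: libsndfile-wav-loop-count-fix.patch` and `%patch40 -p1`, preceded by the same `# not yet upstreamed, CVE-2018-19758, bsc#1117954` comment.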
@@ -0,0 +1,27 @@
+From: Takashi Iwai
+Subject: wav: Fix segfault due to invalid loop_count
+References: CVE-2018-19758, bsc#1117954
+
+The psf->instrument->loop_count can be over the actual loops array size,
+and it leads to a segfault.
+
+Just add the loop size fix to address it.
+
+Signed-off-by: Takashi Iwai
+
+---
+ src/wav.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1097,6 +1097,9 @@ wav_write_header (SF_PRIVATE *psf, int c
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
++ if (tmp >= ARRAY_LEN (psf->instrument->loops))
++ break;
++
+ type = psf->instrument->loops [tmp].mode ;
+ type = (type == SF_LOOP_FORWARD ? 0 : type == SF_LOOP_BACKWARD ? 2 : type == SF_LOOP_ALTERNATING ? 1 : 32) ;
+
diff --git a/libsndfile.changes b/libsndfile.changes
index 346ad4e..1063d79 100644
--- a/libsndfile.changes
+++ b/libsndfile.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Dec 4 13:42:05 CET 2018 - tiwai@suse.de
+
+- Fix segfault in wav conversion due to the invalid loop count
+ (CVE-2018-19758, bsc#1117954):
+ libsndfile-wav-loop-count-fix.patch
+
 -------------------------------------------------------------------
 Fri Jul 6 14:11:47 CEST 2018 - tiwai@suse.de
 
diff --git a/libsndfile.spec b/libsndfile.spec
index 4b05a03..7fb97d9 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
@@ -40,6 +40,8 @@ Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
 Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch
 Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch
 Patch34: sndfile-deinterlace-channels-check.patch
+# not yet upstreamed, CVE-2018-19758, bsc#1117954
+Patch40: libsndfile-wav-loop-count-fix.patch
 # PATCH-FIX-OPENSUSE
 Patch100: sndfile-ocloexec.patch
 BuildRequires: alsa-devel
@@ -96,6 +98,7 @@ libsndfile library.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch40 -p1
 %patch100 -p1
 
 %build
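Review bot: The added `if (tmp >= ARRAY_LEN (psf->instrument->loops)) break;` in libsndfile-wav-loop-count-fix.patch stops the out-of-bounds read of `loops [tmp]`, but it leaves `psf->instrument->loop_count` itself unclamped. Any code in `wav_write_header` outside this hunk that uses the count, for example to size the chunk or to record the number of loops, would still see the oversized value and could write a header that disagrees with the loops actually emitted. Bounding the count once before the loop and using that bounded value everywhere avoids this, e.g. `int nloops = psf->instrument->loop_count ;` followed by `if (nloops > ARRAY_LEN (psf->instrument->loops)) nloops = ARRAY_LEN (psf->instrument->loops) ;`; how `ARRAY_LEN` is typed is not visible here, so the signedness of that comparison should be confirmed. A short comment such as `/* loop_count is caller-supplied; never index past loops [] */` would record why the bound exists. The function body starts and ends outside the hunk.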