From 55880a58e1e823c97657a71f8b95d4927a2984fc2c5b5d7f12d24fc165b66e0a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Mon, 23 Nov 2015 18:49:52 +0000 Subject: [PATCH] Accepting request 345901 from home:tiwai:branches:multimedia:libs - Update to version 1.0.26: * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. * Add ALAC/CAF support. Minor bug fixes and improvements. - Update to version 1.0.26: * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. * Add ALAC/CAF support. Minor bug fixes and improvements. - Refreshed patches: sndfile-ocloexec.patch libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch - Removed obsoleted patches: libsndfile-example-fix.diff libsndfile-fix-header-read-CVE-2015-7805.patch libsndfile-paf-zero-division-fix.diff libsndfile-src-common.c-Fix-a-header-parsing-bug.patch libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch OBS-URL: https://build.opensuse.org/request/show/345901 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=50 --- libsndfile-1.0.25.tar.gz | 3 - libsndfile-1.0.25.tar.gz.asc | 7 - libsndfile-1.0.26.tar.gz | 3 + libsndfile-1.0.26.tar.gz.asc | 17 ++ libsndfile-example-fix.diff | 38 ---- ...ndfile-fix-header-read-CVE-2015-7805.patch | 19 -- libsndfile-paf-zero-division-fix.diff | 16 -- libsndfile-progs.changes | 7 + libsndfile-progs.spec | 4 +- ...e-psf_strlcpy_crlf-fix-CVE-2015-8075.patch | 2 +- ...rc-common.c-Fix-a-header-parsing-bug.patch | 81 ------- ...o.c-Prevent-potential-divide-by-zero.patch | 22 -- libsndfile.changes | 18 ++ libsndfile.spec | 27 +-- sndfile-ocloexec.patch | 32 +-- ...d2.c-Fix-segfault-in-SD2-RSRC-parser.patch | 200 ------------------ ...-two-potential-buffer-read-overflows.patch | 38 ---- 17 files changed, 57 insertions(+), 477 deletions(-) delete mode 100644 libsndfile-1.0.25.tar.gz delete mode 100644 libsndfile-1.0.25.tar.gz.asc create mode 100644 libsndfile-1.0.26.tar.gz create mode 100644 
libsndfile-1.0.26.tar.gz.asc
delete mode 100644 libsndfile-example-fix.diff
delete mode 100644 libsndfile-fix-header-read-CVE-2015-7805.patch
delete mode 100644 libsndfile-paf-zero-division-fix.diff
delete mode 100644 libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
delete mode 100644 libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
delete mode 100644 sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
delete mode 100644 sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
diff --git a/libsndfile-1.0.25.tar.gz b/libsndfile-1.0.25.tar.gz
deleted file mode 100644
index d03108d..0000000
--- a/libsndfile-1.0.25.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:59016dbd326abe7e2366ded5c344c853829bebfd1702ef26a07ef662d6aa4882
-size 1060692
diff --git a/libsndfile-1.0.25.tar.gz.asc b/libsndfile-1.0.25.tar.gz.asc
deleted file mode 100644
index cb95bf2..0000000
--- a/libsndfile-1.0.25.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iEYEABECAAYFAk4dgRAACgkQbKQad0O41siZbQCfVOjunNH2JJuMJaY8nKsHrvTD
-7IMAn0be2Nmm1A2TbYZ0wmf4wukEGcQJ
-=YleA
------END PGP SIGNATURE-----
diff --git a/libsndfile-1.0.26.tar.gz b/libsndfile-1.0.26.tar.gz
new file mode 100644
index 0000000..5b5593e
--- /dev/null
+++ b/libsndfile-1.0.26.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd6520ec763d1a45573885ecb1f8e4e42505ac12180268482a44b28484a25092
+size 1080727
diff --git a/libsndfile-1.0.26.tar.gz.asc b/libsndfile-1.0.26.tar.gz.asc
new file mode 100644
index 0000000..aedea7e
--- /dev/null
+++ b/libsndfile-1.0.26.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCAAGBQJWUZHQAAoJEEXYQ7zIiotIH84P/0Ub1LnlVeYrYBGd/rK3hBxC
+i0PtmA6SRd6JYphiX11eKgG6qVLTGZ+Wy7ef5TYuIlxq/Q6+IGPghLR3YUTbeugf
+U2DUlufBd3Ua9s2mpRx4CFo5kbFor38ULsH7CtJ4SiL9lcPgEVnLXzKiJLsLuALR
+uOzUpYu9Vlm2sLt/ryagYux0sVmpqfsOvEg2FI83S1v0CDJm+58GH1P7b5eMsf2h
+kGLd76vkCa5ooM+rXIYxsYSuRhT9SCbyDMrCgr2+djr3pEEgHQwDdfMCIxGLm111
+wrl3kU2z/KwZMuj2sgsRnvL1+G8R6uSKv1EjYfAJmvV0o5XIoirufzR3XZ5+UThH
+6MeZmUCDI5+dIyNU4Ru+/92Jvn/yePf9h/DESIN/5ne86rniOQseaxoHjD1tHKxS
+9xdu+CdfrY9kiI7LdPsNiGhnLbt1C4WO5B06G8UcC0OIefmcqw/i+JMXl9sV1/Q4
+/et1BirluKs9MUbZkXM1HYpeE0MCV4xRvwraKsBj7xH3eb+9RtKcPIAzdgFa3nBQ
+JuWNTlnGlYqcPVrkZXMEkFSrHvFNP1o/DP0s0715pOvCpM+aHWq54KjFYn0OpeDY
+PcyWtuiDX9vzkWkrFZkicKwn3kwEVc9Dg4FyK/toVWm3Khcnpk1O1S9/1EkYbzja
+jbu/qJRaYp5qcVPJVvHI
+=PGP6
+-----END PGP SIGNATURE-----
diff --git a/libsndfile-example-fix.diff b/libsndfile-example-fix.diff
deleted file mode 100644
index fca743e..0000000
--- a/libsndfile-example-fix.diff
+++ /dev/null
@@ -1,38 +0,0 @@ ---- examples/sndfile-to-text.c-dist 2009-02-09 12:36:49.000000000 +0100 -+++ examples/sndfile-to-text.c 2009-02-09 12:37:05.000000000 +0100 -@@ -101,6 +101,7 @@ main (int argc, char * argv []) - return 1 ; - } ; - -+ memset(&sfinfo, 0, sizeof(sfinfo)); - if ((infile = sf_open (infilename, SFM_READ, &sfinfo)) == NULL) - { printf ("Not able to open input file %s.\n", infilename) ; - puts (sf_strerror (NULL)) ; ---- examples/sfprocess.c-dist 2009-02-07 05:07:34.000000000 +0100 -+++ examples/sfprocess.c 2009-02-09 12:36:23.000000000 +0100 -@@ -31,6 +31,7 @@ - */ - - #include -+#include - - /* Include this header file to use functions from libsndfile. */ - #include -@@ -83,6 +84,7 @@ main (void) - ** sfinfo.format = SF_FORMAT_RAW | SF_FORMAT_PCM_16 ; - ** sfinfo.channels = 2 ; - */ -+ memset(&sfinfo, 0, sizeof(sfinfo)); - if (! (infile = sf_open (infilename, SFM_READ, &sfinfo))) - { /* Open failed so print an error message. */ - printf ("Not able to open input file %s.\n", infilename) ; ---- examples/generate.c-dist 2009-02-07 05:07:44.000000000 +0100 -+++ examples/generate.c 2009-02-09 12:36:23.000000000 +0100 -@@ -98,6 +98,7 @@ encode_file (const char *infilename, con - k = 16 - strlen (outfilename) ; - PUT_DOTS (k) ; - -+ memset(&sfinfo, 0, sizeof(sfinfo)); - if (! (infile = sf_open (infilename, SFM_READ, &sfinfo))) - { printf ("Error : could not open file : %s\n", infilename) ; - puts (sf_strerror (NULL)) ; diff --git a/libsndfile-fix-header-read-CVE-2015-7805.patch b/libsndfile-fix-header-read-CVE-2015-7805.patch deleted file mode 100644 index 14f0ee5..0000000 --- a/libsndfile-fix-header-read-CVE-2015-7805.patch +++ /dev/null 
@@ -1,19 +0,0 @@ ---- - src/common.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/src/common.c -+++ b/src/common.c -@@ -800,9 +800,10 @@ header_read (SF_PRIVATE *psf, void *ptr, - if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header)) - { int most ; - -- most = SIGNED_SIZEOF (psf->header) - psf->headindex ; -+ most = SIGNED_SIZEOF (psf->header) - psf->headend ; - psf_fread (psf->header + psf->headend, 1, most, psf) ; -- memcpy (ptr, psf->header + psf->headend, most) ; -+ most = SIGNED_SIZEOF (psf->header) - psf->headindex ; -+ memcpy (ptr, psf->header + psf->headindex, most) ; - psf->headend = psf->headindex += most ; - psf_fread ((char *) ptr + most, bytes - most, 1, psf) ; - return bytes ; diff --git a/libsndfile-paf-zero-division-fix.diff b/libsndfile-paf-zero-division-fix.diff deleted file mode 100644 index 3debd8e..0000000 --- a/libsndfile-paf-zero-division-fix.diff +++ /dev/null @@ -1,16 +0,0 @@ -=== modified file 'src/paf.c' ---- - src/paf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/src/paf.c -+++ b/src/paf.c -@@ -202,7 +202,7 @@ - psf->endian = SF_ENDIAN_BIG ; - } ; - -- if (paf_fmt.channels > SF_MAX_CHANNELS) -+ if (paf_fmt.channels > SF_MAX_CHANNELS || paf_fmt.channels <= 0) - return SFE_PAF_BAD_CHANNELS ; - - psf->datalength = psf->filelength - psf->dataoffset ; diff --git a/libsndfile-progs.changes b/libsndfile-progs.changes index 853689e..a4f0339 100644 --- a/libsndfile-progs.changes +++ b/libsndfile-progs.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Nov 23 17:22:41 CET 2015 - tiwai@suse.de + +- Update to version 1.0.26: + * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. + * Add ALAC/CAF support. Minor bug fixes and improvements. + ------------------------------------------------------------------- Sat Mar 21 08:14:38 UTC 2015 - mpluskal@suse.com diff --git a/libsndfile-progs.spec b/libsndfile-progs.spec index f64ba3a..e21993c 100644 
--- a/libsndfile-progs.spec +++ b/libsndfile-progs.spec @@ -17,7 +17,7 @@ Name: libsndfile-progs -Version: 1.0.25 +Version: 1.0.26 Release: 0 Summary: Example Programs for libsndfile License: LGPL-2.1+ @@ -26,7 +26,6 @@ Url: http://www.mega-nerd.com/libsndfile/ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Source1: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz.asc Source2: libsndfile.keyring -Patch0: libsndfile-example-fix.diff BuildRequires: alsa-devel BuildRequires: flac-devel BuildRequires: gcc-c++ @@ -42,7 +41,6 @@ This package includes the example programs for libsndfile. %prep %setup -q -n libsndfile-%{version} -%patch0 %build %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter diff --git a/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch b/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch index 789d6cf..6518afa 100644 --- a/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch +++ b/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch @@ -4,7 +4,7 @@ --- a/src/common.c +++ b/src/common.c -@@ -1332,7 +1332,7 @@ psf_strlcpy_crlf (char *dest, const char +@@ -1339,7 +1339,7 @@ psf_strlcpy_crlf (char *dest, const char char * destend = dest + destmax - 2 ; const char * srcend = src + srcmax ; diff --git a/libsndfile-src-common.c-Fix-a-header-parsing-bug.patch b/libsndfile-src-common.c-Fix-a-header-parsing-bug.patch deleted file mode 100644 index 709276e..0000000 --- a/libsndfile-src-common.c-Fix-a-header-parsing-bug.patch +++ /dev/null 
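Review bot: `Source2: libsndfile.keyring` is left untouched by this request, although the signature that now accompanies the tarball, libsndfile-1.0.26.tar.gz.asc, is a 17-line armored block beginning `iQIc…` where the 1.0.25 one was a 7-line block beginning `iEYE…`, which suggests the 1.0.26 release was signed with a different key (by the packet-header size, a larger RSA key rather than the old DSA one). If that key is not in libsndfile.keyring, the source signature check either fails the build or, where it is only advisory, silently leaves the new tarball unverified. Please confirm that the key ID which signed the new .asc is present in the keyring and, if not, update the keyring in this same request; the same point applies to the libsndfile.spec hunk further down, which references the same `%{name}.keyring`.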
@@ -1,81 +0,0 @@ -From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo -Date: Sat, 7 Feb 2015 15:45:10 +1100 -Subject: [PATCH] src/common.c : Fix a header parsing bug. - -When the file header is bigger that SF_HEADER_LEN, the code would seek -instead of reading causing file parse errors. - -The current header parsing and writing code *badly* needs a re-write. ---- - src/common.c | 25 ++++++++++--------------- - 1 file changed, 10 insertions(+), 15 deletions(-) - ---- a/src/common.c -+++ b/src/common.c -@@ -795,21 +795,16 @@ header_read (SF_PRIVATE *psf, void *ptr, - { int count = 0 ; - - if (psf->headindex >= SIGNED_SIZEOF (psf->header)) -- { memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ; -- -- /* This is the best that we can do. */ -- psf_fseek (psf, bytes, SEEK_CUR) ; -- return bytes ; -- } ; -+ return psf_fread (ptr, 1, bytes, psf) ; - - if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header)) - { int most ; - - most = SIGNED_SIZEOF (psf->header) - psf->headindex ; - psf_fread (psf->header + psf->headend, 1, most, psf) ; -- memset ((char *) ptr + most, 0, bytes - most) ; -- -- psf_fseek (psf, bytes - most, SEEK_CUR) ; -+ memcpy (ptr, psf->header + psf->headend, most) ; -+ psf->headend = psf->headindex += most ; -+ psf_fread ((char *) ptr + most, bytes - most, 1, psf) ; - return bytes ; - } ; - -@@ -817,7 +812,7 @@ header_read (SF_PRIVATE *psf, void *ptr, - { count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ; - if (count != bytes - (int) (psf->headend - psf->headindex)) - { psf_log_printf (psf, "Error : psf_fread returned short count.\n") ; -- return 0 ; -+ return count ; - } ; - psf->headend += count ; - } ; -@@ -831,7 +826,6 @@ header_read (SF_PRIVATE *psf, void *ptr, - static void - header_seek (SF_PRIVATE *psf, sf_count_t position, int whence) - { -- - switch (whence) - { case SEEK_SET : - if (position > SIGNED_SIZEOF (psf->header)) -@@ -880,8 +874,7 
@@ header_seek (SF_PRIVATE *psf, sf_count_t - - static int - header_gets (SF_PRIVATE *psf, char *ptr, int bufsize) --{ -- int k ; -+{ int k ; - - for (k = 0 ; k < bufsize - 1 ; k++) - { if (psf->headindex < psf->headend) -@@ -1068,8 +1061,10 @@ psf_binheader_readf (SF_PRIVATE *psf, ch - case 'j' : - /* Get the seek position first. */ - count = va_arg (argptr, size_t) ; -- header_seek (psf, count, SEEK_CUR) ; -- byte_count += count ; -+ if (count) -+ { header_seek (psf, count, SEEK_CUR) ; -+ byte_count += count ; -+ } ; - break ; - - default : diff --git a/libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch b/libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch deleted file mode 100644 index 0d6adbb..0000000 --- a/libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo -Date: Wed, 24 Dec 2014 21:02:35 +1100 -Subject: [PATCH] src/file_io.c : Prevent potential divide-by-zero. - -Closes: https://github.com/erikd/libsndfile/issues/92 ---- - src/file_io.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/src/file_io.c -+++ b/src/file_io.c -@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t - { sf_count_t total = 0 ; - ssize_t count ; - -+ if (bytes == 0 || items == 0) -+ return 0 ; -+ - if (psf->virtual_io) - return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ; - diff --git a/libsndfile.changes b/libsndfile.changes index df7014c..1295d15 100644 --- a/libsndfile.changes +++ b/libsndfile.changes 
@@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Mon Nov 23 17:20:09 CET 2015 - tiwai@suse.de + +- Update to version 1.0.26: + * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. + * Add ALAC/CAF support. Minor bug fixes and improvements. +- Refreshed patches: + sndfile-ocloexec.patch + libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch +- Removed obsoleted patches: + libsndfile-example-fix.diff + libsndfile-fix-header-read-CVE-2015-7805.patch + libsndfile-paf-zero-division-fix.diff + libsndfile-src-common.c-Fix-a-header-parsing-bug.patch + libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch + sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch + sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch + ------------------------------------------------------------------- Wed Nov 4 16:43:39 CET 2015 - tiwai@suse.de diff --git a/libsndfile.spec b/libsndfile.spec index 8190018..627e5c7 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -18,7 +18,7 @@ %define lname %{name}1 Name: libsndfile -Version: 1.0.25 +Version: 1.0.26 Release: 0 Summary: Development/Libraries/C and C++ License: LGPL-2.1+ 
@@ -28,21 +28,7 @@ Source0: http://www.mega-nerd.com/%{name}/files/%{name}-%{version}.tar.gz Source1: http://www.mega-nerd.com/%{name}/files/%{name}-%{version}.tar.gz.asc Source2: %{name}.keyring Source3: baselibs.conf -# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines -Patch0: libsndfile-example-fix.diff -# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines -Patch1: libsndfile-paf-zero-division-fix.diff Patch2: sndfile-ocloexec.patch -# PATCH-FIX-UPSTREAM CVE-2014-9496 bnc#911796 -Patch3: sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch -# PATCH-FIX-UPSTREAM CVE-2014-9496 bnc#911796 -Patch4: sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch -# PATCH-FIX-UPSTREAM CVE-2014-9756 bsc#953521 -Patch5: libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch -# PATCH-FIX-UPSTREAM CVE-2015-7805 bsc#953516 -Patch6: libsndfile-src-common.c-Fix-a-header-parsing-bug.patch -# PATCH-FIX-SUSE CVE-2015-7805 bsc#953516 -Patch7: libsndfile-fix-header-read-CVE-2015-7805.patch # PATCH-FIX-SUSE CVE-2015-8075 bsc#953519 Patch8: libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch BuildRequires: alsa-devel @@ -90,14 +76,7 @@ libsndfile library. %prep %setup -q -%patch0 -%patch1 -p1 -%patch2 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 +%patch2 -p1 %patch8 -p1 %build @@ -125,7 +104,7 @@ rm -rf %{buildroot}%{_bindir} rm -rf %{buildroot}%{_mandir}/man1 # remove binaries from examples directory make -C examples distclean -rm -rf %{buildroot}%{_datadir}/doc/libsndfile1-dev +rm -rf %{buildroot}%{_datadir}/doc/libsndfile %post -n %{lname} -p /sbin/ldconfig diff --git a/sndfile-ocloexec.patch b/sndfile-ocloexec.patch index e4a252b..b91e741 100644 --- a/sndfile-ocloexec.patch +++ b/sndfile-ocloexec.patch 
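Review bot: With Patch0/Patch1 and Patch3–Patch7 removed, `Patch2: sndfile-ocloexec.patch` is the only patch left in libsndfile.spec without a PATCH-* tag, while the neighbouring `Patch8` still carries `# PATCH-FIX-SUSE CVE-2015-8075 bsc#953519`. A one-line tag above Patch2 in the same form, e.g. `# PATCH-FIX-<UPSTREAM|OPENSUSE> sndfile-ocloexec.patch -- <one-line purpose>` (filling in the tag class and purpose), keeps the remaining patch list consistent and records why this patch survives the 1.0.26 update. Separately, dropping the SUSE-specific follow-up `Patch7: libsndfile-fix-header-read-CVE-2015-7805.patch` assumes the upstream 1.0.26 fix covers the same header_read path that patch corrected; that is plausible given the changelog but not visible here, so it is worth confirming against the 1.0.26 src/common.c before the request is accepted.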
@@ -1,19 +1,10 @@ ---- configure.ac.orig -+++ configure.ac -@@ -23,7 +23,9 @@ AC_SUBST(ACLOCAL_AMFLAGS, "-I M4") - - AC_LANG([C]) - --AC_PROG_CC -+AC_PROG_CC_STDC -+AC_USE_SYSTEM_EXTENSIONS -+AC_SYS_LARGEFILE - AM_PROG_CC_C_O - AC_PROG_CXX - AC_PROG_SED ---- src/file_io.c.orig -+++ src/file_io.c -@@ -564,6 +564,9 @@ psf_open_fd (PSF_FILE * pfile) +--- + src/file_io.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/file_io.c ++++ b/src/file_io.c +@@ -570,6 +570,9 @@ psf_open_fd (PSF_FILE * pfile) return - SFE_BAD_OPEN_MODE ; break ; } ; @@ -23,12 +14,3 @@ if (mode == 0) fd = open (pfile->path.c, oflag) ; ---- Makefile.am.orig -+++ Makefile.am -@@ -1,5 +1,6 @@ - ## Process this file with automake to produce Makefile.in - -+ACLOCAL_AMFLAGS = -I M4 - DISTCHECK_CONFIGURE_FLAGS = --enable-gcc-werror - - if BUILD_OCTAVE_MOD diff --git a/sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch b/sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch deleted file mode 100644 index 744565e..0000000 --- a/sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch +++ /dev/null 
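Review bot: The refresh drops the configure.ac part of the patch (the removed `+AC_PROG_CC_STDC`, `+AC_USE_SYSTEM_EXTENSIONS` and `+AC_SYS_LARGEFILE` lines in the first hunk) and the Makefile.am `ACLOCAL_AMFLAGS = -I M4` part in the second, keeping only the src/file_io.c change, yet libsndfile.changes describes it merely as a refreshed patch. If those autoconf macros were what made the close-on-exec open flag the patch presumably adds around `fd = open (pfile->path.c, oflag)` visible under the feature-test macros the build uses, removing them is only safe when the 1.0.26 configure.ac already carries equivalents, which cannot be seen from this hunk. Please confirm against the upstream 1.0.26 configure.ac and record the outcome in the patch's header block, e.g. `configure.ac/Makefile.am hunks dropped: <reason found, placeholder>`, so the next refresh does not have to rediscover it.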
@@ -1,200 +0,0 @@ -From 9341e9c6e70cd3ad76c901c3cf052d4cb52fd827 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo -Date: Thu, 27 Jun 2013 18:04:03 +1000 -Subject: [PATCH] src/sd2.c : Fix segfault in SD2 RSRC parser. - -A specially crafted resource fork for an SD2 file can cause -the SD2 RSRC parser to read data from outside a dynamically -defined buffer. The data that is read is converted into a -short or int and used during further processing. - -Since no write occurs, this is unlikely to be exploitable. - -Bug reported by The Mayhem Team from Cylab, Carnegie Mellon -Univeristy. Paper is: -http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf ---- - src/sd2.c | 93 ++++++++++++++++++++++++++++++++++++-------------------------- - 1 file changed, 55 insertions(+), 38 deletions(-) - ---- a/src/sd2.c -+++ b/src/sd2.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 2001-2011 Erik de Castro Lopo -+** Copyright (C) 2001-2013 Erik de Castro Lopo - ** Copyright (C) 2004 Paavo Jumppanen - ** - ** This program is free software; you can redistribute it and/or modify -@@ -370,44 +370,61 @@ sd2_write_rsrc_fork (SF_PRIVATE *psf, in - */ - - static inline int --read_char (const unsigned char * data, int offset) --{ return data [offset] ; --} /* read_char */ -+read_rsrc_char (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset >= prsrc->rsrc_len) -+ return 0 ; -+ return data [offset] ; -+} /* read_rsrc_char */ - - static inline int --read_short (const unsigned char * data, int offset) --{ return (data [offset] << 8) + data [offset + 1] ; --} /* read_short */ -+read_rsrc_short (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset + 1 >= prsrc->rsrc_len) -+ return 0 ; -+ return (data [offset] << 8) + data [offset + 1] ; -+} /* read_rsrc_short */ - - static inline int --read_int (const unsigned char * data, int offset) --{ return (data [offset] << 24) + 
(data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; --} /* read_int */ -+read_rsrc_int (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) -+ return 0 ; -+ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; -+} /* read_rsrc_int */ - - static inline int --read_marker (const unsigned char * data, int offset) --{ -+read_rsrc_marker (const SD2_RSRC *prsrc, int offset) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ -+ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) -+ return 0 ; -+ - if (CPU_IS_BIG_ENDIAN) - return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; -- else if (CPU_IS_LITTLE_ENDIAN) -+ if (CPU_IS_LITTLE_ENDIAN) - return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (data [offset + 3] << 24) ; -- else -- return 0x666 ; --} /* read_marker */ -+ -+ return 0 ; -+} /* read_rsrc_marker */ - - static void --read_str (const unsigned char * data, int offset, char * buffer, int buffer_len) --{ int k ; -+read_rsrc_str (const SD2_RSRC *prsrc, int offset, char * buffer, int buffer_len) -+{ const unsigned char * data = prsrc->rsrc_data ; -+ int k ; - - memset (buffer, 0, buffer_len) ; - -+ if (offset < 0 || offset + buffer_len >= prsrc->rsrc_len) -+ return ; -+ - for (k = 0 ; k < buffer_len - 1 ; k++) - { if (psf_isprint (data [offset + k]) == 0) - return ; - buffer [k] = data [offset + k] ; - } ; - return ; --} /* read_str */ -+} /* read_rsrc_str */ - - static int - sd2_parse_rsrc_fork (SF_PRIVATE *psf) -@@ -434,17 +451,17 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - /* Reset the header storage because we have changed to the rsrcdes. 
*/ - psf->headindex = psf->headend = rsrc.rsrc_len ; - -- rsrc.data_offset = read_int (rsrc.rsrc_data, 0) ; -- rsrc.map_offset = read_int (rsrc.rsrc_data, 4) ; -- rsrc.data_length = read_int (rsrc.rsrc_data, 8) ; -- rsrc.map_length = read_int (rsrc.rsrc_data, 12) ; -+ rsrc.data_offset = read_rsrc_int (&rsrc, 0) ; -+ rsrc.map_offset = read_rsrc_int (&rsrc, 4) ; -+ rsrc.data_length = read_rsrc_int (&rsrc, 8) ; -+ rsrc.map_length = read_rsrc_int (&rsrc, 12) ; - - if (rsrc.data_offset == 0x51607 && rsrc.map_offset == 0x20000) - { psf_log_printf (psf, "Trying offset of 0x52 bytes.\n") ; -- rsrc.data_offset = read_int (rsrc.rsrc_data, 0x52 + 0) + 0x52 ; -- rsrc.map_offset = read_int (rsrc.rsrc_data, 0x52 + 4) + 0x52 ; -- rsrc.data_length = read_int (rsrc.rsrc_data, 0x52 + 8) ; -- rsrc.map_length = read_int (rsrc.rsrc_data, 0x52 + 12) ; -+ rsrc.data_offset = read_rsrc_int (&rsrc, 0x52 + 0) + 0x52 ; -+ rsrc.map_offset = read_rsrc_int (&rsrc, 0x52 + 4) + 0x52 ; -+ rsrc.data_length = read_rsrc_int (&rsrc, 0x52 + 8) ; -+ rsrc.map_length = read_rsrc_int (&rsrc, 0x52 + 12) ; - } ; - - psf_log_printf (psf, " data offset : 0x%04X\n map offset : 0x%04X\n" -@@ -487,7 +504,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - goto parse_rsrc_fork_cleanup ; - } ; - -- rsrc.string_offset = rsrc.map_offset + read_short (rsrc.rsrc_data, rsrc.map_offset + 26) ; -+ rsrc.string_offset = rsrc.map_offset + read_rsrc_short (&rsrc, rsrc.map_offset + 26) ; - if (rsrc.string_offset > rsrc.rsrc_len) - { psf_log_printf (psf, "Bad string offset (%d).\n", rsrc.string_offset) ; - error = SFE_SD2_BAD_RSRC ; -@@ -496,7 +513,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.type_offset = rsrc.map_offset + 30 ; - -- rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ; -+ rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ; - if (rsrc.type_count < 1) - { psf_log_printf (psf, "Bad type count.\n") ; - error = SFE_SD2_BAD_RSRC ; -@@ -512,11 +529,11 @@ sd2_parse_rsrc_fork 
(SF_PRIVATE *psf) - - rsrc.str_index = -1 ; - for (k = 0 ; k < rsrc.type_count ; k ++) -- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ; -+ { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; - - if (marker == STR_MARKER) - { rsrc.str_index = k ; -- rsrc.str_count = read_short (rsrc.rsrc_data, rsrc.type_offset + k * 8 + 4) + 1 ; -+ rsrc.str_count = read_rsrc_short (&rsrc, rsrc.type_offset + k * 8 + 4) + 1 ; - error = parse_str_rsrc (psf, &rsrc) ; - goto parse_rsrc_fork_cleanup ; - } ; -@@ -548,26 +565,26 @@ parse_str_rsrc (SF_PRIVATE *psf, SD2_RSR - for (k = 0 ; data_offset + data_len < rsrc->rsrc_len ; k++) - { int slen ; - -- slen = read_char (rsrc->rsrc_data, str_offset) ; -- read_str (rsrc->rsrc_data, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ; -+ slen = read_rsrc_char (rsrc, str_offset) ; -+ read_rsrc_str (rsrc, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ; - str_offset += slen + 1 ; - -- rsrc_id = read_short (rsrc->rsrc_data, rsrc->item_offset + k * 12) ; -+ rsrc_id = read_rsrc_short (rsrc, rsrc->item_offset + k * 12) ; - -- data_offset = rsrc->data_offset + read_int (rsrc->rsrc_data, rsrc->item_offset + k * 12 + 4) ; -+ data_offset = rsrc->data_offset + read_rsrc_int (rsrc, rsrc->item_offset + k * 12 + 4) ; - if (data_offset < 0 || data_offset > rsrc->rsrc_len) - { psf_log_printf (psf, "Exiting parser on data offset of %d.\n", data_offset) ; - break ; - } ; - -- data_len = read_int (rsrc->rsrc_data, data_offset) ; -+ data_len = read_rsrc_int (rsrc, data_offset) ; - if (data_len < 0 || data_len > rsrc->rsrc_len) - { psf_log_printf (psf, "Exiting parser on data length of %d.\n", data_len) ; - break ; - } ; - -- slen = read_char (rsrc->rsrc_data, data_offset + 4) ; -- read_str (rsrc->rsrc_data, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), slen + 1)) ; -+ slen = read_rsrc_char (rsrc, data_offset + 4) ; -+ read_rsrc_str (rsrc, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), 
slen + 1)) ; - - psf_log_printf (psf, " 0x%04x %4d %4d %3d '%s'\n", data_offset, rsrc_id, data_len, slen, value) ; - diff --git a/sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch b/sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch deleted file mode 100644 index 686071f..0000000 --- a/sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch +++ /dev/null @@ -1,38 +0,0 @@ -From dbe14f00030af5d3577f4cabbf9861db59e9c378 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo -Date: Thu, 25 Dec 2014 19:23:12 +1100 -Subject: [PATCH] src/sd2.c : Fix two potential buffer read overflows. - -Closes: https://github.com/erikd/libsndfile/issues/93 ---- - src/sd2.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/src/sd2.c -+++ b/src/sd2.c -@@ -513,6 +513,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.type_offset = rsrc.map_offset + 30 ; - -+ if (rsrc.map_offset + 28 > rsrc.rsrc_len) -+ { psf_log_printf (psf, "Bad map offset.\n") ; -+ goto parse_rsrc_fork_cleanup ; -+ } ; -+ - rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ; - if (rsrc.type_count < 1) - { psf_log_printf (psf, "Bad type count.\n") ; -@@ -529,7 +534,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) - - rsrc.str_index = -1 ; - for (k = 0 ; k < rsrc.type_count ; k ++) -- { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; -+ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len) -+ { psf_log_printf (psf, "Bad rsrc marker.\n") ; -+ goto parse_rsrc_fork_cleanup ; -+ } ; -+ -+ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; - - if (marker == STR_MARKER) - { rsrc.str_index = k ;