Accepting request 558585 from home:tiwai:branches:multimedia:libs

- Fix VUL-0: divide-by-zero error exists in the function double64_init() in double64.c (CVE-2017-14634, bsc#1059911): 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch - Tentative fix for VUL-0: out of bounds read in the function d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and VUL-0: out of bounds read in the function d2ulaw_array() in ulaw.c (CVE-2017-14246, bsc#1059913): 0031-sfe_copy_data_fp-check-value-of-max-variable.patch OBS-URL: https://build.opensuse.org/request/show/558585 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=64
2017-12-19 17:57:01 +00:00 · 2017-12-19 17:57:01 +00:00 · 593b609c4f
commit 593b609c4f
parent b1e542206b
4 changed files with 157 additions and 0 deletions
--- a/0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+++ b/0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
@ -0,0 +1,33 @@
+From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Thu, 28 Sep 2017 12:15:04 +0200
+Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound
+
+This prevents division by zero later in the code.
+
+While the trivial case to catch this (i.e. sf.channels < 1) has already
+been covered, a crafted file may report a number of channels that is
+so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
+miscalculated to zero (if this makes sense) in the determination of the
+blockwidth. Since we only support a limited number of channels anyway,
+make sure to check here as well.
+
+CVE-2017-14634
+
+Closes: https://github.com/erikd/libsndfile/issues/318
+Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
+---
+ src/double64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/double64.c
+++ b/src/double64.c
+@@ -91,7 +91,7 @@ int
+ double64_init	(SF_PRIVATE *psf)
+ {	static int double64_caps ;
+ 
+-	if (psf->sf.channels < 1)
+	if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
+ 	{	psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
+ 		return SFE_INTERNAL ;
+ 		} ;
--- a/0031-sfe_copy_data_fp-check-value-of-max-variable.patch
+++ b/0031-sfe_copy_data_fp-check-value-of-max-variable.patch
@ -0,0 +1,107 @@
+From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 27 Sep 2017 14:46:17 +0200
+Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
+ normal
+
+and check elements of the data[] array for being finite.
+
+Both checks use functions provided by the <math.h> header as declared
+by the C99 standard.
+
+Fixes #317
+CVE-2017-14245
+CVE-2017-14246
+---
+ programs/common.c          |   20 ++++++++++++++++----
+ programs/common.h          |    2 +-
+ programs/sndfile-convert.c |    6 +++++-
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/programs/common.c
+++ b/programs/common.c
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <stdint.h>
+#include <math.h>
+ 
+ #include <sndfile.h>
+ 
+@@ -45,7 +46,7 @@
+ 
+ #define	MIN(x, y)	((x) < (y) ? (x) : (y))
+ 
+-void
+int
+ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
+ {	static double	data [BUFFER_LEN], max ;
+ 	int		frames, readcount, k ;
+@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDF
+ 	readcount = frames ;
+ 
+ 	sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
+	if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
+		return 1 ;
+ 
+ 	if (!normalize && max < 1.0)
+ 	{	while (readcount > 0)
+@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDF
+ 		while (readcount > 0)
+ 		{	readcount = sf_readf_double (infile, data, frames) ;
+ 			for (k = 0 ; k < readcount * channels ; k++)
+-				data [k] /= max ;
+			{	data [k] /= max ;
+
+				if (!isfinite (data [k])) /* infinite or NaN */
+					return 1;
+				}
+ 			sf_writef_double (outfile, data, readcount) ;
+ 			} ;
+ 		} ;
+ 
+-	return ;
+	return 0 ;
+ } /* sfe_copy_data_fp */
+ 
+ void
+@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char *
+ 
+ 		/* If the input file is not the same as the output file, copy the data. */
+ 		if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
+-			sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
+		{	if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
+			{	printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
+				error_code = 1 ;
+				goto cleanup_exit ;
+				} ;
+			}
+ 		else
+ 			sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ 		} ;
+--- a/programs/common.h
+++ b/programs/common.h
+@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_
+ 
+ void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
+ 
+-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+ 
+ void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
+ 
+--- a/programs/sndfile-convert.c
+++ b/programs/sndfile-convert.c
+@@ -335,7 +335,11 @@ main (int argc, char * argv [])
+ 			|| (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
+ 			|| (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
+ 			|| (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
+-		sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
+	{	if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
+		{	printf ("Error : Not able to decode input file %s.\n", infilename) ;
+			return 1 ;
+			} ;
+		}
+ 	else
+ 		sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ 
--- a/libsndfile.changes
+++ b/libsndfile.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Dec 19 15:57:19 CET 2017 - tiwai@suse.de
+
+- Fix VUL-0: divide-by-zero error exists in the function
+  double64_init() in double64.c (CVE-2017-14634, bsc#1059911):
+  0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+- Tentative fix for VUL-0: out of bounds read in the function
+  d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and
+  VUL-0: out of bounds read in the function d2ulaw_array() in
+  ulaw.c (CVE-2017-14246, bsc#1059913):
+  0031-sfe_copy_data_fp-check-value-of-max-variable.patch
+
 -------------------------------------------------------------------
 Tue Aug  8 11:00:09 CEST 2017 - tiwai@suse.de

--- a/libsndfile.spec
+++ b/libsndfile.spec
@ -33,6 +33,9 @@ Patch1:         0001-FLAC-Fix-a-buffer-read-overrun.patch
 Patch2:         0002-src-flac.c-Fix-a-buffer-read-overflow.patch
 Patch10:        0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
 Patch20:        0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
+Patch30:        0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+# not yet upstreamed, https://github.com/erikd/libsndfile/issues/317
+Patch31:        0031-sfe_copy_data_fp-check-value-of-max-variable.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  alsa-devel
@ -84,6 +87,8 @@ libsndfile library.
 %patch2 -p1
 %patch10 -p1
 %patch20 -p1
+%patch30 -p1
+%patch31 -p1
 %patch100 -p1

 %build