pool/libsndfile
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 879319 from home:dirkmueller:Factory

Browse Source 
- update to 1.0.31:
  * documentation fixes and updates
  * Change CMake's project name from sndfile to libsndfile as it should be.
  * Fix memory leak in wav_read_smpl_chunk() function, credit to OSS-Fuzz.
  * Fix aiff_read_header() memory leak(), credit to OSS-Fuzz.
  * Fix leak in wav_read_header(), credit to OSS-Fuzz.
  * Fix leak in wavlike_read_cart_chunk(), credit to OSS-Fuzz.
  * Fix memory leak in wav_read_acid_chunk(), credit to OSS-Fuzz.
  * Fix memory leak in aiff_read_basc_chunk(), credit to OSS-Fuzz.
  * Fix memory leak in wavlike_read_peak_chunk(), credit to OSS-Fuzz.
  * Fix memory leak in aiff_read_header(), credit to OSS-Fuzz.
  * Fix use of uninitialized value in exif_subchunk_parse(), credit to OSS-Fuzz.
  * Fix use of uninitialized value in endswap_int64_t_array(), credit to
  * OSS-Fuzz.
  * Fix up the fuzzer so that it can't under or overseek,
  * thanks to Max Dymond cmeister2@gmail.com.
  * Fix Autotools configure on macOS, thanks to @tmcguire and @nwh.
  * Exclude repository-configuration from git-archive, thanks to @umlaeute.
  * Use version-script when compiling with clang on Unix with Autotools, thanks
  * to @tstellar.
  * Improve handling of SMPL chunks in WAV files, thanks to @zodf0055980. 
- update to 1.0.30:
  * Move sndfile.h.in from src/ to include/ directory.
  * Huge documentation update.
  * Fix opus test failures on BE platforms
  * Fix bug when sf_open_fd() function sometimes leaves filehandle open, even if close_desc parameter is TRUE, thanks to @umläute.
  * Fix infinite loops on some pathological SD2 files
  * Switch to GitHub Actions for continuous integration.
  * Add OSS-Fuzz tests to GitHub Actions workflow
  * Fix memory leak in wavlike_read_bext_chunk() function, credit to OSS-Fuzz.

OBS-URL: https://build.opensuse.org/request/show/879319
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=79
This commit is contained in:
Takashi Iwai 2021-03-16 08:20:11 +00:00 committed by Git OBS Bridge
parent f1444ccfd3
commit 6c4c983df7
19 changed files with 255 additions and 662 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
0001-FLAC-Fix-a-buffer-read-overrun.patch
View File

@ -1,60 +0,0 @@
From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Wed, 12 Apr 2017 19:45:30 +1000
Subject: [PATCH] FLAC: Fix a buffer read overrun
References: CVE-2017-8361 CVE-2017-8363 CVE-2017-8365 bsc#1036944 bsc#1036945 bsc#1036946
Buffer read overrun occurs when reading a FLAC file that switches
from 2 channels to one channel mid-stream. Only option is to
abort the read.
Closes: https://github.com/erikd/libsndfile/issues/230
---
src/common.h | 1 +
src/flac.c | 13 +++++++++++++
src/sndfile.c | 1 +
3 files changed, 15 insertions(+)
--- a/src/common.h
+++ b/src/common.h
@@ -725,6 +725,7 @@ enum
SFE_FLAC_INIT_DECODER,
SFE_FLAC_LOST_SYNC,
SFE_FLAC_BAD_SAMPLE_RATE,
+ SFE_FLAC_CHANNEL_COUNT_CHANGED,
SFE_FLAC_UNKOWN_ERROR,
SFE_WVE_NOT_WVE,
--- a/src/flac.c
+++ b/src/flac.c
@@ -435,6 +435,19 @@ sf_flac_meta_callback (const FLAC__Strea
switch (metadata->type)
{ case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+ "Nothing to be but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
+ } ;
+
+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
+ "Carrying on as if nothing happened.",
+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
+ } ;
psf->sf.channels = metadata->data.stream_info.channels ;
psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
psf->sf.frames = metadata->data.stream_info.total_samples ;
--- a/src/sndfile.c
+++ b/src/sndfile.c
@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
{ SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
{ SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
{ SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
{ SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
{ SFE_WVE_NOT_WVE , "Error : not a WVE file." },

50
0002-src-flac.c-Fix-a-buffer-read-overflow.patch
View File

@ -1,50 +0,0 @@
From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Fri, 14 Apr 2017 15:19:16 +1000
Subject: [PATCH] src/flac.c: Fix a buffer read overflow
References: CVE-2017-8362 bsc#1036943
A file (generated by a fuzzer) which increased the number of channels
from one frame to the next could cause a read beyond the end of the
buffer provided by libFLAC. Only option is to abort the read.
Closes: https://github.com/erikd/libsndfile/issues/231
---
src/flac.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/src/flac.c
+++ b/src/flac.c
@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
const int32_t* const *buffer = pflac->wbuffer ;
unsigned i = 0, j, offset, channels, len ;
+ if (psf->sf.channels != (int) frame->header.channels)
+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
+ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, frame->header.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return 0 ;
+ } ;
+
/*
** frame->header.blocksize is variable and we're using a constant blocksize
** of FLAC__MAX_BLOCK_SIZE.
@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
return 0 ;
} ;
-
len = SF_MIN (pflac->len, frame->header.blocksize) ;
if (pflac->remain % channels != 0)
@@ -437,7 +444,7 @@ sf_flac_meta_callback (const FLAC__Strea
{ case FLAC__METADATA_TYPE_STREAMINFO :
if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
{ psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
- "Nothing to be but to error out.\n" ,
+ "Nothing to do but to error out.\n" ,
psf->sf.channels, metadata->data.stream_info.channels) ;
psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
return ;

23
0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
View File

@ -1,23 +0,0 @@
From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue, 23 May 2017 20:15:24 +1000
Subject: [PATCH] src/aiff.c: Fix a buffer read overflow
Secunia Advisory SA76717.
Found by: Laurent Delosieres, Secunia Research at Flexera Software
---
src/aiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -1905,7 +1905,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, uns
psf_binheader_readf (psf, "j", dword - bytesread) ;
if (map_info->channel_map != NULL)
- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ;
+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ;
free (psf->channel_map) ;

86
0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
View File

@ -1,86 +0,0 @@
From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
Date: Wed, 14 Jun 2017 12:25:40 +0200
Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
in binheader
Fixes the following problems:
1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
big switch statement by an amount (16 bytes) which is enough for all cases
where only a single value gets added. Cases 's', 'S', 'p' however
additionally write an arbitrary length block of data and again enlarge the
buffer to the required amount. However, the required space calculation does
not take into account the size of the length field which gets output before
the data.
3. Buffer size requirement calculation in case 'S' does not account for the
padding byte ("size += (size & 1) ;" happens after the calculation which
uses "size").
4. Case 'S' can overrun the header buffer by 1 byte when no padding is
involved
("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
the buffer is only guaranteed to have "size" space available).
5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
beyond the space which is guaranteed to be allocated in the header buffer.
6. Case 's' can overrun the provided source string by 1 byte if padding is
involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
plus optionally another 1 which is padding and not guaranteed to be
readable via the source string pointer).
Closes: https://github.com/erikd/libsndfile/issues/292
---
src/common.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/src/common.c
+++ b/src/common.c
@@ -675,16 +675,16 @@ psf_binheader_writef (SF_PRIVATE *psf, c
/* Write a C string (guaranteed to have a zero terminator). */
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) + 1 ;
- size += (size & 1) ;
- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
- header_put_be_int (psf, size) ;
+ header_put_be_int (psf, size + (size & 1)) ;
else
- header_put_le_int (psf, size) ;
+ header_put_le_int (psf, size + (size & 1)) ;
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
+ size += (size & 1) ;
psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ;
count += 4 + size ;
@@ -697,16 +697,15 @@ psf_binheader_writef (SF_PRIVATE *psf, c
*/
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) ;
- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
header_put_be_int (psf, size) ;
else
header_put_le_int (psf, size) ;
- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
size += (size & 1) ;
psf->header.indx += size ;
- psf->header.ptr [psf->header.indx] = 0 ;
count += 4 + size ;
break ;
@@ -718,7 +717,7 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = (size & 1) ? size : size + 1 ;
size = (size > 254) ? 254 : size ;
- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
return count ;
header_put_byte (psf, size) ;

33
0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
View File

@ -1,33 +0,0 @@
From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Thu, 28 Sep 2017 12:15:04 +0200
Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634
Closes: https://github.com/erikd/libsndfile/issues/318
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
---
src/double64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/double64.c
+++ b/src/double64.c
@@ -91,7 +91,7 @@ int
double64_init (SF_PRIVATE *psf)
{ static int double64_caps ;
- if (psf->sf.channels < 1)
+ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
{ psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
return SFE_INTERNAL ;
} ;

107
0031-sfe_copy_data_fp-check-value-of-max-variable.patch
View File

@ -1,107 +0,0 @@
From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Wed, 27 Sep 2017 14:46:17 +0200
Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
normal
and check elements of the data[] array for being finite.
Both checks use functions provided by the <math.h> header as declared
by the C99 standard.
Fixes #317
CVE-2017-14245
CVE-2017-14246
---
programs/common.c | 20 ++++++++++++++++----
programs/common.h | 2 +-
programs/sndfile-convert.c | 6 +++++-
3 files changed, 22 insertions(+), 6 deletions(-)
--- a/programs/common.c
+++ b/programs/common.c
@@ -36,6 +36,7 @@
#include <string.h>
#include <ctype.h>
#include <stdint.h>
+#include <math.h>
#include <sndfile.h>
@@ -45,7 +46,7 @@
#define MIN(x, y) ((x) < (y) ? (x) : (y))
-void
+int
sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
{ static double data [BUFFER_LEN], max ;
int frames, readcount, k ;
@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDF
readcount = frames ;
sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
+ return 1 ;
if (!normalize && max < 1.0)
{ while (readcount > 0)
@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDF
while (readcount > 0)
{ readcount = sf_readf_double (infile, data, frames) ;
for (k = 0 ; k < readcount * channels ; k++)
- data [k] /= max ;
+ { data [k] /= max ;
+
+ if (!isfinite (data [k])) /* infinite or NaN */
+ return 1;
+ }
sf_writef_double (outfile, data, readcount) ;
} ;
} ;
- return ;
+ return 0 ;
} /* sfe_copy_data_fp */
void
@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char *
/* If the input file is not the same as the output file, copy the data. */
if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
+ error_code = 1 ;
+ goto cleanup_exit ;
+ } ;
+ }
else
sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
} ;
--- a/programs/common.h
+++ b/programs/common.h
@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_
void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
--- a/programs/sndfile-convert.c
+++ b/programs/sndfile-convert.c
@@ -335,7 +335,11 @@ main (int argc, char * argv [])
|| (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
|| (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
|| (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
+ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
+ return 1 ;
+ } ;
+ }
else
sfe_copy_data_int (outfile, infile, sfinfo.channels) ;

3
libsndfile-1.0.28.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9
size 1202833

16
libsndfile-1.0.28.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEapGlzyLCTJmjXgE/z9z5H7JCrO0FAljgvHEACgkQz9z5H7JC
rO3hnA/9FXYT5fAI9efgrPbzlVes3HpWSlnyjXY/oK7JdUUK6jNhyR8LB70h1En1
dTFIz2m5t+VcTTXjaJJ3sluHdPtIYT3lqGD1UtsHgclsCcXCZMttcCfe7S+sfk4b
jN5iMOvaIiVH4t3OqEPU61K7S6SQHdjdmfEEsrsp2j7TjnOJLrJm3/SH6EbGoK6v
CpbJjllfoSNiv/A0Q0wtO2nam/FS7R1OlVhzXjMOf/DJTNchpIPzhbTKiMRC9uBL
fC5msjtKm0jHYZLzzy3s0F1eOOHm3Mm3snSGXTDZeLOMKkhfKOVGO1V9zh3kku7U
viFL8fVxe/UQxzKL5V3xjaawbwBqS3U5JjnUGbz7KDgBk9dcJF69cLA+b2lv0Dbt
1cx4DeGPhJTG6hI5ZYgQs+n8b/IMS51uPy562y0CkxoB17g6pXo11x6D3UfZQq3p
z5xbFLUo2Hy/C78F1OunwRcA0awJxgWaOj9EPZk4xqRX5jeLuCEfWM8SylLkiXat
nTb5veejLzQ4ZFLAzwxzHjJTLt0nhqfp+O14jXQby+LFa6g3R5QTkZBZh6FGeqSP
TGNLtJIIOhpeUyLaZAuDGpn+EeKoZNrv7DJqQdNoyYxwCCvvZsEsKzKdpI87ssTr
Rg/PeZn36/Re7xaSomEbAgXAxo0ySj9KayG1FPLysPzix+sqvO4=
=tyOh
-----END PGP SIGNATURE-----

3
libsndfile-1.0.31.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a8cfb1c09ea6e90eff4ca87322d4168cdbe5035cb48717b40bf77e751cc02163
size 875335

BIN
libsndfile-1.0.31.tar.bz2.sig Normal file
View File

Binary file not shown.

55
libsndfile-CVE-2017-17456-alaw-range-check.patch
View File

@ -1,55 +0,0 @@
---
src/alaw.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
--- a/src/alaw.c
+++ b/src/alaw.c
@@ -336,20 +336,40 @@ i2alaw_array (const int *ptr, int count,
static inline void
f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
- buffer [count] = alaw_encode [lrintf (normfact * ptr [count])] ;
- else
- buffer [count] = 0x7F & alaw_encode [- lrintf (normfact * ptr [count])] ;
+ { int idx;
+ if (isnan (ptr [count])) {
+ buffer [count] = alaw_encode [0] ;
+ } else if (ptr [count] >= 0) {
+ idx = lrintf (normfact * ptr [count]) ;
+ if (idx > 2048)
+ idx = 2048;
+ buffer [count] = alaw_encode [idx] ;
+ } else {
+ idx = -lrintf (normfact * ptr [count]) ;
+ if (idx > 2048)
+ idx = 2048 ;
+ buffer [count] = 0x7F & alaw_encode [idx] ;
+ }
} ;
} /* f2alaw_array */
static inline void
d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
- buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
- else
- buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+ { int idx;
+ if (isnan (ptr [count])) {
+ buffer [count] = alaw_encode [0] ;
+ } else if (ptr [count] >= 0) {
+ idx = lrintf (normfact * ptr [count]) ;
+ if (idx > 2048)
+ idx = 2048;
+ buffer [count] = alaw_encode [idx] ;
+ } else {
+ idx = -lrintf (normfact * ptr [count]) ;
+ if (idx > 2048)
+ idx = 2048 ;
+ buffer [count] = 0x7F & alaw_encode [idx] ;
+ }
} ;
} /* d2alaw_array */

55
libsndfile-CVE-2017-17457-ulaw-range-check.patch
View File

@ -1,55 +0,0 @@
---
src/ulaw.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
--- a/src/ulaw.c
+++ b/src/ulaw.c
@@ -837,20 +837,40 @@ i2ulaw_array (const int *ptr, int count,
static inline void
f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
- buffer [count] = ulaw_encode [lrintf (normfact * ptr [count])] ;
- else
- buffer [count] = 0x7F & ulaw_encode [- lrintf (normfact * ptr [count])] ;
+ { int idx;
+ if (isnan (ptr [count])) {
+ buffer [count] = ulaw_encode [0];
+ } else if (ptr [count] >= 0) {
+ idx = lrint (normfact * ptr [count]);
+ if (idx > 8192)
+ idx = 8192;
+ buffer [count] = ulaw_encode [idx] ;
+ } else {
+ idx = -lrint (normfact * ptr [count]) ;
+ if (idx > 8192)
+ idx = 8192;
+ buffer [count] = 0x7F & ulaw_encode [idx] ;
+ }
} ;
} /* f2ulaw_array */
static inline void
d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
- buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
- else
- buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
+ { int idx;
+ if (isnan (ptr [count])) {
+ buffer [count] = ulaw_encode [0];
+ } else if (ptr [count] >= 0) {
+ idx = lrint (normfact * ptr [count]);
+ if (idx > 8192)
+ idx = 8192;
+ buffer [count] = ulaw_encode [idx] ;
+ } else {
+ idx = -lrint (normfact * ptr [count]) ;
+ if (idx > 8192)
+ idx = 8192;
+ buffer [count] = 0x7F & ulaw_encode [idx] ;
+ }
} ;
} /* d2ulaw_array */

55
libsndfile-progs.changes
View File

@ -1,3 +1,58 @@
-------------------------------------------------------------------
Sun Mar 14 21:38:48 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 1.0.31:
* documentation fixes and updates
* Change CMake's project name from sndfile to libsndfile as it should be.
* Fix memory leak in wav_read_smpl_chunk() function, credit to OSS-Fuzz.
* Fix aiff_read_header() memory leak(), credit to OSS-Fuzz.
* Fix leak in wav_read_header(), credit to OSS-Fuzz.
* Fix leak in wavlike_read_cart_chunk(), credit to OSS-Fuzz.
* Fix memory leak in wav_read_acid_chunk(), credit to OSS-Fuzz.
* Fix memory leak in aiff_read_basc_chunk(), credit to OSS-Fuzz.
* Fix memory leak in wavlike_read_peak_chunk(), credit to OSS-Fuzz.
* Fix memory leak in aiff_read_header(), credit to OSS-Fuzz.
* Fix use of uninitialized value in exif_subchunk_parse(), credit to OSS-Fuzz.
* Fix use of uninitialized value in endswap_int64_t_array(), credit to
* OSS-Fuzz.
* Fix up the fuzzer so that it can't under or overseek,
* thanks to Max Dymond cmeister2@gmail.com.
* Fix Autotools configure on macOS, thanks to @tmcguire and @nwh.
* Exclude repository-configuration from git-archive, thanks to @umlaeute.
* Use version-script when compiling with clang on Unix with Autotools, thanks
* to @tstellar.
* Improve handling of SMPL chunks in WAV files, thanks to @zodf0055980.
- update to 1.0.30:
* Move sndfile.h.in from src/ to include/ directory.
* Huge documentation update.
* Fix opus test failures on BE platforms
* Fix bug when sf_open_fd() function sometimes leaves filehandle open, even if close_desc parameter is TRUE, thanks to @umläute.
* Fix infinite loops on some pathological SD2 files
* Switch to GitHub Actions for continuous integration.
* Add OSS-Fuzz tests to GitHub Actions workflow
* Fix memory leak in wavlike_read_bext_chunk() function, credit to OSS-Fuzz.
* Fix undefined behavior in avr-read_header() function, credit to OSS-Fuzz.
- update to 1.0.29:
* Fixes for: CVE-2017-12562, CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662, CVE-2018-19758 and CVE-2019-3832.
* Add BWF v2 loudness parameters.
* Wave64: Permit and skip arbitrary chunks prior to the data chunk.
* Fix ASAN crash in wavlike_ima_seek().
* Fix IMA-ADPCM encoding for AIFF files.
* sndfile-convert: Handle gsm, vox and opus extensions the same way.
* Add SFC_SET_OGG_PAGE_LATENCY_MS command to get Ogg page latency for Ogg Opus files.
* Fix parsing of some SD2 files.
* Documentation updates.
* Minor bug fixes and improvements.
- drop libsndfile-CVE-2017-17456-alaw-range-check.patch
libsndfile-CVE-2017-17457-ulaw-range-check.patch
libsndfile-wav-loop-count-fix.patch
0001-FLAC-Fix-a-buffer-read-overrun.patch
0002-src-flac.c-Fix-a-buffer-read-overflow.patch
0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
0031-sfe_copy_data_fp-check-value-of-max-variable.patch: upstream
-------------------------------------------------------------------
Fri Jul 6 14:11:47 CEST 2018 - tiwai@suse.de

49
libsndfile-progs.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package libsndfile-progs
#
# Copyright (c) 2019 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,68 +17,42 @@
Name: libsndfile-progs
Version: 1.0.28
Version: 1.0.31
Release: 0
Summary: Example Programs for libsndfile
License: LGPL-2.1-or-later
Group: System/Libraries
URL: http://www.mega-nerd.com/libsndfile/
Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
Source1: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz.asc
URL: https://libsndfile.github.io/libsndfile/
Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
Source1: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2.sig
Source2: libsndfile.keyring
# PATCH-FIX-UPSTREAM
Patch1: 0001-FLAC-Fix-a-buffer-read-overrun.patch
Patch2: 0002-src-flac.c-Fix-a-buffer-read-overflow.patch
Patch10: 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
Patch20: 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
Patch30: 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
# not yet upstreamed, https://github.com/erikd/libsndfile/issues/317
Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
# not yet upstreamed
Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch
Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch
Patch34: sndfile-deinterlace-channels-check.patch
# PATCH-FIX-OPENSUSE
Patch100: sndfile-ocloexec.patch
BuildRequires: alsa-devel
BuildRequires: cmake
BuildRequires: flac-devel
BuildRequires: gcc-c++
BuildRequires: libjack-devel
BuildRequires: libtool
BuildRequires: libvorbis-devel
BuildRequires: pkgconfig
BuildRequires: sqlite-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: sqlite3-devel
%description
This package includes the example programs for libsndfile.
%prep
%setup -q -n libsndfile-%{version}
%patch1 -p1
%patch2 -p1
%patch10 -p1
%patch20 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch100 -p1
%build
%define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter
# autoreconf --force --install
CFLAGS="%{optflags} %{warn_flags}"
export CFLAGS
%configure --disable-silent-rules \
--disable-static \
--enable-sqlite \
--with-pic
make %{?_smp_mflags}
%cmake -DENABLE_EXPERIMENTAL=ON -DBUILD_EXAMPLES=OFF
%cmake_build
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
%cmake_install
# remove unnecessary files
rm -rf %{buildroot}%{_datadir}/doc/libsndfile
@ -87,8 +61,7 @@ rm -rf %{buildroot}%{_includedir}
rm -rf %{buildroot}%{_datadir}/doc/libsndfile1-dev
%files
%defattr(-, root, root)
%{_bindir}/*
%doc %{_mandir}/man?/*
%{_mandir}/man?/*
%changelog

27
libsndfile-wav-loop-count-fix.patch
View File

@ -1,27 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Subject: wav: Fix segfault due to invalid loop_count
References: CVE-2018-19758, bsc#1117954
The psf->instrument->loop_count can be over the actual loops array size,
and it leads to a segfault.
Just add the loop size fix to address it.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
src/wav.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/wav.c
+++ b/src/wav.c
@@ -1097,6 +1097,9 @@ wav_write_header (SF_PRIVATE *psf, int c
for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
{ int type ;
+ if (tmp >= ARRAY_LEN (psf->instrument->loops))
+ break;
+
type = psf->instrument->loops [tmp].mode ;
type = (type == SF_LOOP_FORWARD ? 0 : type == SF_LOOP_BACKWARD ? 2 : type == SF_LOOP_ALTERNATING ? 1 : 32) ;

55
libsndfile.changes
View File

@ -1,3 +1,58 @@
-------------------------------------------------------------------
Sun Mar 14 21:38:48 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 1.0.31:
* documentation fixes and updates
* Change CMake's project name from sndfile to libsndfile as it should be.
* Fix memory leak in wav_read_smpl_chunk() function, credit to OSS-Fuzz.
* Fix aiff_read_header() memory leak(), credit to OSS-Fuzz.
* Fix leak in wav_read_header(), credit to OSS-Fuzz.
* Fix leak in wavlike_read_cart_chunk(), credit to OSS-Fuzz.
* Fix memory leak in wav_read_acid_chunk(), credit to OSS-Fuzz.
* Fix memory leak in aiff_read_basc_chunk(), credit to OSS-Fuzz.
* Fix memory leak in wavlike_read_peak_chunk(), credit to OSS-Fuzz.
* Fix memory leak in aiff_read_header(), credit to OSS-Fuzz.
* Fix use of uninitialized value in exif_subchunk_parse(), credit to OSS-Fuzz.
* Fix use of uninitialized value in endswap_int64_t_array(), credit to
* OSS-Fuzz.
* Fix up the fuzzer so that it can't under or overseek,
* thanks to Max Dymond cmeister2@gmail.com.
* Fix Autotools configure on macOS, thanks to @tmcguire and @nwh.
* Exclude repository-configuration from git-archive, thanks to @umlaeute.
* Use version-script when compiling with clang on Unix with Autotools, thanks
* to @tstellar.
* Improve handling of SMPL chunks in WAV files, thanks to @zodf0055980.
- update to 1.0.30:
* Move sndfile.h.in from src/ to include/ directory.
* Huge documentation update.
* Fix opus test failures on BE platforms
* Fix bug when sf_open_fd() function sometimes leaves filehandle open, even if close_desc parameter is TRUE, thanks to @umläute.
* Fix infinite loops on some pathological SD2 files
* Switch to GitHub Actions for continuous integration.
* Add OSS-Fuzz tests to GitHub Actions workflow
* Fix memory leak in wavlike_read_bext_chunk() function, credit to OSS-Fuzz.
* Fix undefined behavior in avr-read_header() function, credit to OSS-Fuzz.
- update to 1.0.29:
* Fixes for: CVE-2017-12562, CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662, CVE-2018-19758 and CVE-2019-3832.
* Add BWF v2 loudness parameters.
* Wave64: Permit and skip arbitrary chunks prior to the data chunk.
* Fix ASAN crash in wavlike_ima_seek().
* Fix IMA-ADPCM encoding for AIFF files.
* sndfile-convert: Handle gsm, vox and opus extensions the same way.
* Add SFC_SET_OGG_PAGE_LATENCY_MS command to get Ogg page latency for Ogg Opus files.
* Fix parsing of some SD2 files.
* Documentation updates.
* Minor bug fixes and improvements.
- drop libsndfile-CVE-2017-17456-alaw-range-check.patch
libsndfile-CVE-2017-17457-ulaw-range-check.patch
libsndfile-wav-loop-count-fix.patch
0001-FLAC-Fix-a-buffer-read-overrun.patch
0002-src-flac.c-Fix-a-buffer-read-overflow.patch
0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
0031-sfe_copy_data_fp-check-value-of-max-variable.patch: upstream
-------------------------------------------------------------------
Tue Dec 3 01:46:45 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>

157
libsndfile.keyring
View File

@ -1,52 +1,111 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQINBFjgp8wBEAC/L//htBnj3cZWI/A6JMt7DHWoONr1B4AOk7NNleIWkFY5cqYJ
ENu9eesCxEjVqH8wUbFZ0NJbn+306guqDFTtZftiiv6ljZz2enZI8j5xVCgzkYBf
u08YU31jYjPuXV9YnAj4GnaI/AvKp9NilUhSLbEyif5+PI61n+OlaSMTiyl03iN/
pxsPM+g/CyIvb/E9dyg2kZLoet0kIBiimpDV57RNviYcynh7n5kbamYGm0sD4t98
Nnb7lk9vXk3XrXYWpVuF8NhfgEJLo9CU2vhHCZSSEs1uNYBXsxg5lCmzbQzkn3mq
A+0+tNvH1yhepmjG4DxsGKBkF2rccefndScFi5eAfQjBSFEcOOvzF1oBadrYgU1w
ayb7gta0bZqWG5TwoTLZlY6ML2+UlfRGDyaGvgzcicHDH6zbvPEr2npgSCq5LUeo
k6vvLn824/4ZNJww75HL1Tw9HzBX+/fVXFSanELYfISqwRAOcH7QbLK3YVBzMEer
vCnuzsxdI1LneBpdXhddOQdPPjOarHAZWNtc4jNAzok9O3DLtI4obWyWTZ/c1oM9
eKDUNUt8zAf4scs8CvJO5dNd4XvJE0PbYP4vUX7Rhh9iUuUI9JeS04f/H/MPjxkG
o+HIAJIbJAXsNVTZTG6qmaeaIR8AUbKWQBODwHCtdgVIji5xvOSITPJbAwARAQAB
tClFcmlrIGRlIENhc3RybyBMb3BvIDxlcmlrZEBtZWdhLW5lcmQuY29tPokCTgQT
AQgAOBYhBGqRpc8iwkyZo14BP8/c+R+yQqztBQJY4KfMAhsDBQsJCAcCBhUICQoL
AgQWAgMBAh4BAheAAAoJEM/c+R+yQqztodMP/R23t9PL/CIzcJgAyrzmQNIple0E
Pbd9HuqwNZEwkTjtJ3zehkiUQJCU1U/26TvNDVMtvnqLVV6gWYCJQYthk+7dxa/l
WVb3o96ZZR1Pj1ouqRAhm788+bAFsW6kr7TxqF37InCnzbFaLgsUfD0XZfB1XJp6
cx51TgKDBDJS+8nTUJoNXR3luAaWD/n4qcRiLxwA1XehWFD058Pm/vsFgfjewuGQ
THMFp4Pdzk0w/gRwcn1gEqkB7bspzdS0CGqklqv26NkIS+2aRBoXtroCKPn65FcX
fkF1CGdQWnGTrLNJ9vPJC1QCeo9XoR9Wp4XiWGgYG9owxvOLJnSZAUK3c2vtrkCE
pm4XE83dv8Brs+bvGFc8Ba77RyK6BQ7P3YYvzj0TQVYKaYXswrTqQQSCKqJe9Qet
XECHvbiNvgbMUoROvloUVPUQorCx33mZdTzGicgKqvMgWBn58B9qK208utPgk3Ot
o+4m8s/hJ/HkwLz6a00Tzg7CFrjlr+vX1qzgosJLjew80np3azrAf+Wwen8/mzm3
gaDIptbh+hTjAUfdEnw/aQT6HryIQJNEFsNAER+FpHuMJepIllHmFLRjvLBF2rzR
US6zfkq4mfwrRht1ya8bpIAhDyYFP44MrpVtSCY+PkjtrlB5F9ck7MmxThSUOfxQ
YalBpqOTmHUHwra0uQINBFjgp8wBEACyNn74E17Xn0ba/UcrTVDs75HYvE6DJ/PJ
/HXv8bfTVlyuhXMP7ZzX3GnLK/ilIzUJbskpyDvaZxzSmWsA6tzagWOr7/YmtEYP
TZBnZW/nlr9gQfWL1YqO9fE1D1nHM1rnkFeUhPZRUGfk53VRnr5XMhgZZcuhj8cg
dLDL5aeULRw1TfqP4pAxov/yGx5gbxeqistuMEWq6PiFYpnyyoMeR+a193rM3Asl
CxkMsWmKZqI6tXLCUYn5z010/sstrZ2eionv9u5bpi5FeN2pZ6usdM0wqm/21dFC
qXtXdXa37mznSfHpP/sqyNhU6tWg+o9QTBcmGOZE5lLc6xAZDS0sYts0F9daizoF
e5ZSrNE46wKSaOI6fLfprvg3NXXrOf5fBTdpd3EUKaNVeCQ6juyQqYNHB8NnwfuQ
+2Oxuuw8Vh6ooxJ/KAcDSdmhm1OhNIEmVPoY7fGheUFf04toZQj5MtuCJnmSbWbS
GsEwPbkETCNB/vXiTzDm2Ern8wxEz7a3sBr3bKg25HkOXtlKmqXHJ+5r7hdExc+W
kHQaELQpv7NHnR1pfTgH2RbB+nLNx8cfoGnnNEDpg1VOHNzELK4xT/ZqULET944n
Wf1En0YX8Ecx0n11iW4Y8r0Mu2E+VcBLbYNf9t6BodbEZ7kRfI16MDXIIFeg/HxI
5F4wGCIMyQARAQABiQI2BBgBCAAgFiEEapGlzyLCTJmjXgE/z9z5H7JCrO0FAljg
p8wCGwwACgkQz9z5H7JCrO2t8A//dWj6L24uM1WF/P2Np9/Ks45HaqZMpuQyifxt
X1+XRzQvfu9cQEFiKfcHgZbx67JOFC6C9BHoN54AwLN+VeoYB08WXzHxPphlFfVL
GCD0aAl6pA27EGFkRTZ3tlCOYbnS+szVw3zyyap/2Qci9BxwNvFuRol/M95hn606
K7krGluXOLUJIE9pkmW7uEp+dFSZkOwXI6e9ZSgJQeFy8BWY12AJHDyO0BOyfF59
FIZg8JC2Rjz8w1xp2qXNNnGoDMPvTfQGL1LGfWGH3UMWe+cK3j2Zw8klgtFQm+v+
ZWaq+Hacf5u0BZNXdUao+1pAChVCxiZH245hPXEGsV/yNyYUW9metRJMfatmsPCq
ozFfTYXSuZunbMZLbzqh78jeLGSzS46l3bnQDhUcXh4gD3a8DBLyndymfmz6uWgZ
PO1MSw+76aZFQRA3MJC+DhbOAarvjJPhOCiEeDYc/haROvfeOsvZFmYrwHlnRnQh
LnVlLHcT7m6qnslxuUA+FNTep5/vHnw8Nn9Q6/FaXewVFsHoz3uICNtUSA4OUG7C
s2p3vvTXxV7cXUt02K9imZznwGKJIl2esTPS3g6ow106DVh26GYtkQc3fuCQmIQh
Uk4qtes3BpsFl/WUWEUSPzNaqmIdJWVzUkPI9SeGjql9EBpV/MiO31I2XgvdqPjY
7t8v33E=
=2Oyd
mQINBFppABgBEAC42ZiNvV7BTIgR6TQy0YnF54fx3mVRP1u8Mq00UZa7reAsNKh7
1H60j0W4s6+4pVVIKGfpVGxLwUdJe+KVCYw1Cd3YW6uMf5zZrC/ZWqnJiH/n6S6o
1l4INII2o6YbGBnzIWBPRo7PlOL+mvgKTLpBSJPnhD8XDGN5wRiV8rL2+6Dptg0F
nJt7oxECGF3OD3gk6HMel0o82CVkIqMtNaX1L/bhcdF7K0Rp2MXPZMmpn1izW5sI
asN1G9+w+Zwj7kMJzq1Aw3ac+rsX4SEYdvXjS2QhDHQUIr6LXri3D2WbcEqIZj2R
JVoVwblsrG11dYXFDBbgrq4NhgTBsxHYDlkr/qF2W+kbPC/nhSqTVZeCYvTBZbOQ
+RqyN/I0izukglnWmV1jGijFA8snyP8efx732hw/24zRYmtXOtnEITUpw8WOeZCq
6uiHaQ+eopnY2ojBg9BI7WZm0AFn58xxT9soMsyFOUFgXTqaWFZWlJ3fhZE8/0v8
JEu/kPGE5aJReT3b34B+Bojkj74XR+h2u7iJJBHMTE8RwGoUOZHer/XsL9xlcdks
I+7TCjiq++ShaSSt2XsJmw2BhREohrjW/2KkwmvT3b44RMpKPB4WTH+++aqJQNeM
IqmswOMoZvzEZezInj7WVY/r0WEei1Y6wt1tBrJ/cFf1oQBM1UmphxcrfQARAQAB
tB9EYXZpZCBTZWlmZXJ0IDxzb2FwQGdlbnRvby5vcmc+iQJUBBMBCgA+BQsJCAcD
BRUKCQgLBRYCAwEAAh4BAheAAhsBFiEEMdlcq22A0mIkShdQpHYg6AHkfpUFAl/V
CvoFCQkuceIACgkQpHYg6AHkfpXYxA//aiJW1NwunpmzEc62id8lRMnoLHWVjISZ
b+xSlm+hk4LYq+ZbthJDzKcT86/3DJOSE1zQw9wLuCao9IW2UfFJQBtR+TAfbagG
0Yyk/kMcLoFJxnG1ywdJWypCAauuIhia52Z7PmmjsBbFwr6LygDwSQmZAyACMAs7
TLQe+yERc2RNDsIEsquLSxxRF0Spk9gagWtKgrPc2XBjuNtQDwW7JgsOUoEeHyxC
29fRUjC3o/pG2I6iAZp17OROZI5yl4TSORrSBDGIi2sayxyxP0x+IPKtrCUcBGNx
wGp+56bP/V0hA6sgCPh/iwvqLoeibso6l/Kd4ltVAEQnHTd6fr8g+wLEUXfbJVTR
7aeFUoaFmWjSPlQrNr6HlxSLV/kRx9kVJp1Pn16vkfVBF7fG7iDLiqphwEeQg5ND
nmGeKAbRRNxFHyBHf0XRsaYiFZQckguO+71XSRtVx8/YP5nyNbtl9y1h/4JlT6Gy
t7hb5twYFQyQrKss83E/Bo1sRdHpj0ibtqb4ZbYANbh482E6yFhAkuo8YjVTJipI
1Ve8EBKnX3R+pDt147uyysNvtPVXML+sWpGSMVSm4NA8uT3F5nqxVwj+SeXy3Wq/
CHQ2VBKGBC655G+wFD5C6O7cTx2MwH+2H8tzhWm+gFlI3MFKEXa/PC+YUC/diYcb
BrApavriTRa5Ag0EWmkAZgEQAPXMD3mZI+ChvBysXZWksC88/uSEwFeb3XkcRm7v
04GN7hcz+bfrmnUTB3tuE/ZQgv+u7ZjetvH1aEKieznn/GjnWoOBoJusOYvfAQeF
0mQVi118QiOZRCnEZpkz+RY9TiXVgrZJg+AGqHZ3Ol4GkInEV2NWgH37Xal+HkFl
rwI2U7mL0kZRG+LAVCQHKzqU0R0HE1XyJ4qf0awtG5Qi/TZvgXBdZPDXgr8i9Vlf
UUu10c2XnXM0Av/YAlZmBFjVYrSOUCFenqSVqL+s9sTCVdWlJrGjrr3Ja4uT3kl2
rLva0AR4oSQoxt8adKohmFz0vzOkQtCoRzhrCwoo3JvNjKdSNoOP1nSsxlO5ji8r
ih5d+ajPgi580XyHLnrvG7vobR48qqscv1hizKuCgTacOTe6Db2Gqc8xF6v8HhJa
KwWJtmFllIfN/tIvZ6BbbgHQn0IGf4CYnWf0SksPZqpBmTRpD2jfBxcj2UEg+AR3
LARjuyUVpFJScyu6ExQG+6O+ByLL31iWP5MgUrza1rIpriPa3NT3rZ3DG2pvQrS3
ySsrPzH7VRX8L1ThSMSzjwF96aMsd14s7XzR4EzNuWwZDukfs0yavZk6l4o1M0mb
tbJi7hE4cz13KRHYvIkKMdZGYUnzRzZUDlsj2imakk3BR6GXnxZ1ST6062g+QxiL
AJFLABEBAAGJBHIEGAEKACYCGwIWIQQx2VyrbYDSYiRKF1CkdiDoAeR+lQUCX9UL
DQUJCS5xpwJAwXQgBBkBCgAdFiEEuNUxXaAAcsCoYIifzjbhFyAuOEIFAlppAGYA
CgkQzjbhFyAuOELmrQ/9H9wrWsWa21STZdxUmyU2sh9VXAWEHl1Ey0fVTznDM0Fl
zx5YSR/TmmnE36rpaz31Ttkx8SP914oV+mMgseecdya9Bf6uZL9Cv7V3KEsJBRL/
ncrOWQBHP/Xy1X+mLD6A19xq7H4RihSLj0LeK2YVjrJzJ7wMf4mKXuBayQeAHImU
WRCRTbmK3umh2nB5V0iPd/XZEIiYtiTPe+7E/va6+0bBvOumF3a+Z0iui7eU4hFC
7Jk71D0dcg09SlIaNoMOrw7cMC3j2pMdKtsj8+0I6WBv14PhhqPAsnjdf7I/4NfK
L7Jav8T/gDS01uA2Jxm72d+wr+eSjOBXa6x8CEbTqfkjAGxsWENThCp6zDkaXSDd
JsV0va47vjzG8+wTDAvPy5IxIM/KZZdl4uWM+mF5K+q+eSTOHe7aLF2OdcussoBA
A18zm994dAkG1COX/qpxanxx2bv/2IvCGPg+x6JtAN8ji2kncWu3dWGQdE5XbVjc
fDwgsUPpp04G27Mr/x+HpEbgZ5SdA0dAqJktlNvCcHALhlblCWrsh/1QNjT/2iG8
wsjcpEy/s4tWAuV4PTa4xvZ1JPS7Z7Eo5aBy9ZGOWG9SrHEiHnhkUsiswbHBOEjd
pBSkmNElDcv9fRUahVCTPfvWBATFDrQyMjJBSm+cV8c/iFQM7isVSu8W7E0eetsJ
EKR2IOgB5H6Vv9sP/1dxTvH0N0UoEoxIG/hnirEkbRpljdvqy4/uikYBKyQgSbo8
VITTjea7gIhDztil9WZYt35jbOmoaGM2Z6TP2LEDOWgljYUNq9pl9Sc2GS8cNtEO
WxExzGOc1Flo730dX3A85Ks3+0WPXZjLDcRRcPVkFd5WLQQDV1YVYopWkuQBC+Br
4q3uv+sk+bw6gDa9+zFBbDuegdsYuTXrFHoxHz2GRv9Yb7ULCMgpFeNKDgtQq91u
RqewoTwQp9tlp91LH/hh7R0Q4DRgeFDkLnVRXwSKjVvCrT5cBgImGwtFTGS4egoy
MDKd/KKjZllp1ahRCln1XfmFQyQVMVvuF/JTtt31n6KwXwK2yxIlXB01xvRH+Ees
AWeRYWKWXydaAY/9Ve0/PLFlgsr/XUGvt0GoEKe7odD3nZgg6015+/8JTroKw19L
NZkhdfFMl11Zi0j5k3UbyzjYVpFSd8K2o0VoOG1LFsPp8tlRxNoVzpId0CX1au/p
y1H7Wy/39mzriRG3rw+mJAQbBjN09putCltXFXpOEWk08n/N3vufCVQUoSu/2Bqw
2HYj8VtToQp+O5dG3XxvDHINtInP1yr2Wcw2plna0KoXLwv/lZgDm3LN+eCWpG6d
N/xk25DTSqTHArUQIEkhcHYK6GnyxUcvoKtG88hXtqEPYXiK08FZYAUPTnDYuQIN
BFppAIkBEADDjvQZUs1NoqJpxkD2QDBudU1DBCaeI1D6CancMtb5FebPUxgFlDMd
CBGOun48dY5i87gDhT/qS3gP/Mv9rjKJmcG9JHfhpXdW73owxrcsQ96nxxVJNEVl
UHJw00z8C9eGWqr0SzSoE33K/PkzSkgtsaotF6+3uCerWulweulmGa5dpVfV0mbS
aVw8VmrhZ5NmCeodyy/lR85rPik5pb32NT6v7xBkgkfS0VYtPB2E5gW1pXX/jEOi
Mfq9idOEP9lxrNXV9j49Lr0JQCwAcrYbQ2+VPe6eacJEjzJ/6HiUqhPrYdnvydmb
hU+xmv2NjGp2UnDZDEhzQfwm6fMx+8Nx2uPzCnXQGoyRBwiC/KcdW0F1ZPKdSXqH
NKoOF62pLvIMSmfI3ZVOrTohArfr1kFEYVDv9Nl7oY+qg2rZEc2srOF74a9Z46bR
TDPsEQzE2UMCvu3+rofhSD7aRotlKeDCvbe2s0yE4Man457Xc3LXh8Gva8CzCOLE
2eMhNTsHIZk68WgXp3/uvE4Xy42myrk1AV8XXDdlWgx0Kc/I6tE59O5NVPSfuGvH
1a15KKx0F6euEnYDKKpQ5PDR6dSn61po0tfbt96m044G/xQFjrfhHei4jji9Ogd9
vlXVAi2vn3+NCSHFP5l3igLByBHy9iLIdmz7yQuus/1nwRmxOHOf2QARAQABiQI8
BBgBCgAmAhsMFiEEMdlcq22A0mIkShdQpHYg6AHkfpUFAl/VCxkFCQkucZAACgkQ
pHYg6AHkfpVPSRAAmheYkYJmtDbkzPBBnj5mbCIQN1/G5PI9eixc/TXWFOXtcjU1
mJlJpSidHJyLRrx7r0c+N+s8vnY/JuUBsNoMJMER+Mv/CFW4iFi59V534SyAb2S0
7NINJnFNkXBY62CDz9KsMuv/MdSv2yLhPH2Tfrm/eDRQesj1PanE4U1cgjWyJRc/
IOlaRHvTasWDLgwbQi8ykt+4xUWzL/YKHzB+KyyzBK7vPBXqySX8ka4BOw7SDwG5
lX2gtmhk4AGBwVChLXKflqVx1WXj4DPOt0kmOKVnKFyvUijK58M0A2FMgFMXDTIS
DRtoZPdx/rkODXxgS+W+27NcYAnxJiM0cQqizEnQh7PQ1KzgdChPejYXMKe9lwdn
ssMUxrBpbuAuagEf+pebNjD2eaNR4p8kfaDdGn53q55ysDvoyxKvnVQGSk1FAR9Q
s4N5a4f02U7dzlyEhEfIcuUlRCfnlpn4n725YIhHheDig5zKWoEZCkNIfiRcGzDl
8Drj+tlZiUR+gDkIoWSBaCkKbIQlc8qCYy6Hm7oZBaol6xKlUnTMK2rjK8fR4i8r
bVDWBAaWj3jcDHJ0Jg3fS/qBpeya/JXMp89TR8NK5Ys7PZpWbor+puXBYyXDAVx3
rXQ7JBA5klHPxrgjso1S/LqwscKLENtrVjdjhryLBmPifrmofJRnrpiHIEa5Ag0E
WmkAswEQAL0hKwsRybQzkNGpJP+ElLSwFHd7XQhr+qIwLllpumWtnIK/DHmv8SpW
FqAYajmRTXipFcBHH25x2jIIliZidn0a9826l+sMzrFadMC6/W4pitP71TeqZzwn
pAuHs14YL7Wiy0aJQnfbCpRzPq3kYyOXmhmY7lPWO0WdUpR6W8wUbleK5XOVDDRx
aIC/M3hhDOxZOMzQ+pdn4BaOFQQ0ygsRkqOudbuc0R1giYRt1i6gMeT8gfzL9jlw
HcJ+aVnxdUQQ4uC47oKo/+lg7qh7LsiW79pQC1Bcdm8lhRmqtxe6ub60ecjax3XU
1ILIEfIFCv6M7LRUAwz0bqk35spgkJqrGGKkdeWEKAFHg2QWR2F0zy+HdlPLfKxO
uhaccpwc9EJtf744GS0SXa2AXr32j56n7CFcEjFcIQPBC6OJn6eA3hOVUYGZ7SrT
4fsmZiFAdGEkvLKFuNhju1Hj2EJQUY1pm4GSBco7BR8x+QqoYrt5clU3WxRMNfTR
0Rtuzsh4xskXNVMMgvKOahAtxENv2M2Cx6zJPVL5dmaysP7d6QRVeOQA5PwkcZ5Q
qK6JtDZj2jpaKQH4Za715kiIcdqMDSkwxa6avc0kARHvfFcBR4hwDm1GAlaKG7eH
8TOGGQIk8x2F3s4l8mTJVLWTP/uJYnkYBdqANYo5t1NIQLvwLFV3ABEBAAGJAjwE
GAEKACYCGyAWIQQx2VyrbYDSYiRKF1CkdiDoAeR+lQUCX9ULIwUJCS5xcAAKCRCk
diDoAeR+leekD/sF7aHH0W35ckWrXZlfSp0qHPWrBUaLBI9OAUHenRhgs4SbK0D4
wqEiu0C5iDQojpXAeALQ8g/1pUsZ1yuFqYbGYWrHkA0Pm+P3tAGB4LMZ41YfvROP
uaiW/+IMJbWllgRtaDt8/NtCgs30WI9I+az5M29HcGfvEwEUykrBx3dE9T+1ui3O
capdd+GMvdAAsX5PyVkjWgZ7GrZeH8mG7UysYfT4qthxEtQfZ/u8ceSduKA46ugh
C2eafIDNvluqn7BU4oKxME61u6C8BN2yHLI6LV0Tr4z5H8joVbM4BSFMwLVGlsXf
HhB8kLiErN6bXolxsjARlmYiD9S9H2AcYidr6RYXf2EVFSpBG59xn1WTDN+DsHQf
7btNPEPl/OPxa3OQjG+xn8USddiP0N0B4xsyzMNCCKDgvXXcIhX55KG9eh3Tc98S
fEyhxu8ybZBIGmTJysPKxijfvSgQF+RPNTsz9lvXqkoK7RTgeYMschpjJEznCLbt
M6eTDb5z0G5uLXh6+dYxtDOlPogI5OHd+G51LwCjvrQ+AtIUCgafuemwA9mpFT2b
svb/qcxSVUb44bVaNHn1JHebX2YbokGtBOm1x2PI5fT8n6YIIYz3jKYOZAYdUT7x
6qURyNjOfG4aPJIATwuh4GSNuxUG40+yuT+XfQF24mu1esS1J3wzRloJ7w==
=K3x+
-----END PGP PUBLIC KEY BLOCK-----

71
libsndfile.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package libsndfile
#
# Copyright (c) 2019 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -18,41 +18,30 @@
%define lname %{name}1
Name: libsndfile
Version: 1.0.28
Version: 1.0.31
Release: 0
Summary: Development/Libraries/C and C++
License: LGPL-2.1-or-later
Group: System/Libraries
URL: http://www.mega-nerd.com/libsndfile
Source0: http://www.mega-nerd.com/%{name}/files/%{name}-%{version}.tar.gz
Source1: http://www.mega-nerd.com/%{name}/files/%{name}-%{version}.tar.gz.asc
URL: https://libsndfile.github.io/libsndfile/
Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
Source1: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2.sig
Source2: %{name}.keyring
Source3: baselibs.conf
# PATCH-FIX-UPSTREAM
Patch1: 0001-FLAC-Fix-a-buffer-read-overrun.patch
Patch2: 0002-src-flac.c-Fix-a-buffer-read-overflow.patch
Patch10: 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
Patch20: 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
Patch30: 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
# not yet upstreamed, https://github.com/erikd/libsndfile/issues/317
Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
# not yet upstreamed
Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch
Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch
Patch34: sndfile-deinterlace-channels-check.patch
# not yet upstreamed, CVE-2018-19758, bsc#1117954
Patch40: libsndfile-wav-loop-count-fix.patch
# PATCH-FIX-OPENSUSE
Patch100: sndfile-ocloexec.patch
BuildRequires: cmake
BuildRequires: flac-devel
BuildRequires: gcc-c++
BuildRequires: libopus-devel
BuildRequires: libtool
BuildRequires: libvorbis-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig
BuildRequires: python3
BuildRequires: speex-devel
Obsoletes: libsnd
Provides: libsnd
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Libsndfile is a C library for reading and writing sound files, such as
@ -87,64 +76,38 @@ libsndfile library.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch10 -p1
%patch20 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch40 -p1
%patch100 -p1
%autopatch -p1
%build
%define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter
autoreconf --force --install
CFLAGS="%{optflags} %{warn_flags}"
export CFLAGS
%configure \
--disable-silent-rules \
--disable-static \
--disable-full-suite \
--with-pic \
--enable-experimental
make %{?_smp_mflags}
%cmake -DENABLE_EXPERIMENTAL=ON -DBUILD_EXAMPLES=OFF -DCMAKE_INSTALL_DOCDIR=%{_defaultdocdir}/libsndfile
%cmake_build
%install
%make_install
# remove unnecessary files
find %{buildroot} -type f -name "*.la" -delete -print
%cmake_install
# remove programs; built in another spec file
rm -rf %{buildroot}%{_bindir}
rm -rf %{buildroot}%{_mandir}/man1
# remove binaries from examples directory
make -C examples distclean
rm -rf %{buildroot}%{_datadir}/doc/libsndfile
%post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig
%check
pushd src
make %{?_smp_mflags} check
popd
# check requires -DBUILD_SHARED_LIBS=off
%files -n %{lname}
%defattr(-, root, root)
%{_libdir}/libsndfile.so.1*
%files devel
%defattr(-, root, root)
%doc AUTHORS ChangeLog NEWS README
%doc doc/*.html doc/*.jpg doc/*.css doc/*.HOWTO
%license COPYING
%{_libdir}/libsndfile.so
%{_includedir}/sndfile.h
%{_includedir}/sndfile.hh
%{_libdir}/pkgconfig/*.pc
%{_libdir}/cmake/SndFile
%doc examples
%doc %{_defaultdocdir}/libsndfile
%changelog

12
sndfile-deinterlace-channels-check.patch
View File

@ -1,11 +1,11 @@
diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
index 5366031075ab..712cb96cda76 100644
--- a/programs/sndfile-deinterleave.c
+++ b/programs/sndfile-deinterleave.c
@@ -89,6 +89,11 @@ main (int argc, char **argv)
exit (1) ;
Index: libsndfile-1.0.31/programs/sndfile-deinterleave.c
===================================================================
--- libsndfile-1.0.31.orig/programs/sndfile-deinterleave.c
+++ libsndfile-1.0.31/programs/sndfile-deinterleave.c
@@ -96,6 +96,11 @@ main (int argc, char **argv)
} ;
+ if (sfinfo.channels > MAX_CHANNELS)
+ { printf ("\nError : Too many channels %d in input file '%s'.\n", sfinfo.channels, argv[1]) ;
+ exit (1) ;