From 26ebaac2a758d4851431158db83e24923eb39acc97b5976fd872e9420ce2bc40 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Tue, 29 May 2007 23:16:47 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pulseaudio?expand=0&rev=3
---
pulseaudio-0.9.5-dos-vulns-fix.diff | 92 +++++++++++++++++
pulseaudio-0.9.5-esd-max-samplesize.diff | 14 +++
pulseaudio-0.9.5-firefox-workaround.diff | 20 ++++
pulseaudio-0.9.5-javasound-support.diff | 115 +++++++++++++++++++++
pulseaudio-0.9.5-wrong-endian-convert.diff | 57 ++++++++++
pulseaudio.changes | 9 ++
pulseaudio.spec | 20 +++-
7 files changed, 325 insertions(+), 2 deletions(-)
create mode 100644 pulseaudio-0.9.5-dos-vulns-fix.diff
create mode 100644 pulseaudio-0.9.5-esd-max-samplesize.diff
create mode 100644 pulseaudio-0.9.5-firefox-workaround.diff
create mode 100644 pulseaudio-0.9.5-javasound-support.diff
create mode 100644 pulseaudio-0.9.5-wrong-endian-convert.diff
diff --git a/pulseaudio-0.9.5-dos-vulns-fix.diff b/pulseaudio-0.9.5-dos-vulns-fix.diff
new file mode 100644
index 0000000..bd83a76
--- /dev/null
+++ b/pulseaudio-0.9.5-dos-vulns-fix.diff
@@ -0,0 +1,92 @@
+Fix from Ubuntu:
+
+Include fixes for potential DoS vuln from
+http://pulseaudio.org/ticket/67
+
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/modules/module-volume-restore.c pulseaudio-0.9.5-7ubuntu1/src/modules/module-volume-restore.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/modules/module-volume-restore.c 2007-05-08 06:39:31.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/modules/module-volume-restore.c 2007-05-25 01:22:16.000000000 -0400
+@@ -435,6 +435,7 @@
+ u->modified = 0;
+
+ m->userdata = u;
++ u->sink_input_hook_slot = u->source_output_hook_slot = NULL;
+
+ if (load_rules(u) < 0)
+ goto fail;
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/modules/rtp/sap.c pulseaudio-0.9.5-7ubuntu1/src/modules/rtp/sap.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/modules/rtp/sap.c 2007-05-08 06:39:32.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/modules/rtp/sap.c 2007-05-25 01:22:29.000000000 -0400
+@@ -142,9 +142,6 @@
+ goto fail;
+ }
+
+- if (!size)
+- return 0;
+-
+ buf = pa_xnew(char, size+1);
+ buf[size] = 0;
+
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/protocol-native.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/protocol-native.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/protocol-native.c 2007-05-08 06:39:33.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/protocol-native.c 2007-05-25 01:19:40.000000000 -0400
+@@ -760,7 +760,8 @@
+ CHECK_VALIDITY(c->pstream, pa_cvolume_valid(&volume), tag, PA_ERR_INVALID);
+ CHECK_VALIDITY(c->pstream, map.channels == ss.channels && volume.channels == ss.channels, tag, PA_ERR_INVALID);
+ CHECK_VALIDITY(c->pstream, maxlength > 0 && maxlength <= MAX_MEMBLOCKQ_LENGTH, tag, PA_ERR_INVALID);
+-
++ CHECK_VALIDITY(c->pstream, maxlength >= pa_frame_size(&ss), tag, PA_ERR_INVALID);
++
+ if (sink_index != PA_INVALID_INDEX) {
+ sink = pa_idxset_get_by_index(c->protocol->core->sinks, sink_index);
+ CHECK_VALIDITY(c->pstream, sink, tag, PA_ERR_NOENTITY);
+diff -urNad
pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/pstream.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/pstream.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/pstream.c 2007-05-08 06:39:33.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/pstream.c 2007-05-25 01:18:45.000000000 -0400
+@@ -585,7 +585,7 @@
+
+ flags = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_FLAGS]);
+
+- if (!p->import && (flags & PA_FLAG_SHMMASK) != 0) {
++ if (!p->use_shm && (flags & PA_FLAG_SHMMASK) != 0) {
+ pa_log_warn("Recieved SHM frame on a socket where SHM is disabled.");
+ return -1;
+ }
+@@ -615,7 +615,7 @@
+
+ length = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_LENGTH]);
+
+- if (length > FRAME_SIZE_MAX_ALLOW) {
++ if (length > FRAME_SIZE_MAX_ALLOW || length <= 0) {
+ pa_log_warn("Recieved invalid frame size : %lu", (unsigned long) length);
+ return -1;
+ }
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/sample-util.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/sample-util.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/sample-util.c 2007-05-25 01:15:11.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/sample-util.c 2007-05-25 01:20:30.000000000 -0400
+@@ -35,13 +35,25 @@
+ #include "sample-util.h"
+ #include "endianmacros.h"
+
++#define PA_SILENCE_MAX (1024*1024*1)
++
+ pa_memblock *pa_silence_memblock_new(pa_mempool *pool, const pa_sample_spec *spec, size_t length) {
++ size_t fs;
+ assert(pool);
+ assert(spec);
+
+ if (length == 0)
+ length = pa_bytes_per_second(spec)/20; /* 50 ms */
+
++ if (length > PA_SILENCE_MAX)
++ length = PA_SILENCE_MAX;
++
++ fs = pa_frame_size(spec);
++ length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;
++
++ if (length <= 0)
++ length = fs;
++
+ return pa_silence_memblock(pa_memblock_new(pool, length), spec);
+ }
+
diff --git a/pulseaudio-0.9.5-esd-max-samplesize.diff b/pulseaudio-0.9.5-esd-max-samplesize.diff
new file mode 100644
index 0000000..7756162
--- /dev/null
+++ b/pulseaudio-0.9.5-esd-max-samplesize.diff
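Review bot: In `pa_silence_memblock_new()` (sample-util.c, dos-vulns-fix patch) the added rounding line `length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;` is computed from `PA_SILENCE_MAX` rather than from `length`, so the 50 ms default and the clamp just above it are discarded and every call allocates roughly 1 MiB of silence, which works against the memory-exhaustion hardening this patch is meant to bring. Rounding the requested size was presumably intended; rounding down keeps the cap intact: `length = (length / fs) * fs;`, with the existing `if (length <= 0) length = fs;` covering the case where the result is zero. `length` is a `size_t` here, and in the pstream.c hunk it is assigned from `ntohl()` and so appears to be unsigned as well, which means both added `length <= 0` tests can only ever mean `length == 0` and would read more honestly written that way.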
@@ -0,0 +1,14 @@
+Increase cache size of esd
+
+diff -urNad pulseaudio-0.9.5~/src/pulsecore/protocol-esound.c pulseaudio-0.9.5/src/pulsecore/protocol-esound.c
+--- pulseaudio-0.9.5~/src/pulsecore/protocol-esound.c 2006-08-20 01:06:45.000000000 +0200
++++ pulseaudio-0.9.5/src/pulsecore/protocol-esound.c 2007-03-06 14:13:17.000000000 +0100
+@@ -68,7 +68,7 @@
+ #define RECORD_BUFFER_SECONDS (5)
+ #define RECORD_BUFFER_FRAGMENTS (100)
+
+-#define MAX_CACHE_SAMPLE_SIZE (1024000)
++#define MAX_CACHE_SAMPLE_SIZE (2048000)
+
+ #define SCACHE_PREFIX "esound."
+
diff --git a/pulseaudio-0.9.5-firefox-workaround.diff b/pulseaudio-0.9.5-firefox-workaround.diff
new file mode 100644
index 0000000..5d618de
--- /dev/null
+++ b/pulseaudio-0.9.5-firefox-workaround.diff
@@ -0,0 +1,20 @@
+work around bug in firefox which apparently misuses access() as NULL
+pointer test.
+
+diff -urNad pulseaudio~/src/utils/padsp.c pulseaudio/src/utils/padsp.c
+--- pulseaudio~/src/utils/padsp.c 2006-08-18 23:29:26.000000000 +0200
++++ pulseaudio/src/utils/padsp.c 2006-10-19 00:13:47.082198231 +0200
+@@ -2121,6 +2121,13 @@
+ }
+
+ int access(const char *pathname, int mode) {
++
++ if (!pathname) {
++ /* Firefox needs this. See #27 */
++ errno = EFAULT;
++ return -1;
++ }
++
+ debug(DEBUG_LEVEL_VERBOSE, __FILE__": access(%s)\n", pathname);
+
+ if (strcmp(pathname, "/dev/dsp") != 0 &&
diff --git a/pulseaudio-0.9.5-javasound-support.diff b/pulseaudio-0.9.5-javasound-support.diff
new file mode 100644
index 0000000..3694e74
--- /dev/null
+++ b/pulseaudio-0.9.5-javasound-support.diff
@@ -0,0 +1,115 @@
+implement a few more ioctl()s, including a subset of
+SNDCTL_DSP_GETOPTR. Just enough to make JavaSound work.
+
+@DPATCH@
+diff -urNad pulseaudio~/src/utils/padsp.c pulseaudio/src/utils/padsp.c
+--- pulseaudio~/src/utils/padsp.c 2006-10-19 00:16:53.841869981 +0200
++++ pulseaudio/src/utils/padsp.c 2006-10-19 00:17:03.458470981 +0200
+@@ -88,6 +88,8 @@
+ pa_cvolume sink_volume, source_volume;
+ uint32_t sink_index, source_index;
+ int volume_modify_count;
++
++ int optr_n_blocks;
+
+ PA_LLIST_FIELDS(fd_info);
+ };
+@@ -574,6 +576,7 @@
+ i->volume_modify_count = 0;
+ i->sink_index = (uint32_t) -1;
+ i->source_index = (uint32_t) -1;
++ i->optr_n_blocks = 0;
+ PA_LLIST_INIT(fd_info, i);
+
+ reset_params(i);
+@@ -1947,6 +1950,8 @@
+ free_streams(i);
+ dsp_flush_socket(i);
+ reset_params(i);
++
++ i->optr_n_blocks = 0;
+
+ pa_threaded_mainloop_unlock(i->mainloop);
+ break;
+@@ -2035,14 +2040,76 @@
+ break;
+ }
+
++ case SOUND_PCM_READ_RATE:
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": SOUND_PCM_READ_RATE\n");
++
++ pa_threaded_mainloop_lock(i->mainloop);
++ *(int*) argp = i->sample_spec.rate;
++ pa_threaded_mainloop_unlock(i->mainloop);
++ break;
++
++ case SOUND_PCM_READ_CHANNELS:
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": SOUND_PCM_READ_CHANNELS\n");
++
++ pa_threaded_mainloop_lock(i->mainloop);
++ *(int*) argp = i->sample_spec.channels;
++ pa_threaded_mainloop_unlock(i->mainloop);
++ break;
++
++ case SOUND_PCM_READ_BITS:
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": SOUND_PCM_READ_BITS\n");
++
++ pa_threaded_mainloop_lock(i->mainloop);
++ *(int*) argp = pa_sample_size(&i->sample_spec)*8;
++ pa_threaded_mainloop_unlock(i->mainloop);
++ break;
++
++ case SNDCTL_DSP_GETOPTR: {
++ count_info *info;
++
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": SNDCTL_DSP_GETODELAY\n");
++
++ info = (count_info*) argp;
++ memset(info, 0, sizeof(*info));
++
++ pa_threaded_mainloop_lock(i->mainloop);
++
++ for (;;) {
++ pa_usec_t usec;
++
++ PLAYBACK_STREAM_CHECK_DEAD_GOTO(i, exit_loop);
++
++ if (pa_stream_get_time(i->play_stream, &usec) >= 0) {
++ size_t k = pa_usec_to_bytes(usec, &i->sample_spec);
++ int m;
++
++ info->bytes = (int) k;
++ m = k / i->fragment_size;
++ info->blocks = m - i->optr_n_blocks;
++ i->optr_n_blocks = m;
++
++ break;
++ }
++
++ if (pa_context_errno(i->context) != PA_ERR_NODATA) {
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": pa_stream_get_latency(): %s\n", pa_strerror(pa_context_errno(i->context)));
++ break;
++ }
++
++ pa_threaded_mainloop_wait(i->mainloop);
++ }
++
++ pa_threaded_mainloop_unlock(i->mainloop);
++
++ debug(DEBUG_LEVEL_NORMAL, __FILE__": GETOPTR bytes=%i, blocks=%i, ptr=%i\n", info->bytes, info->blocks, info->ptr);
++
++ break;
++ }
++
+ case SNDCTL_DSP_GETIPTR:
+ debug(DEBUG_LEVEL_NORMAL, __FILE__": invalid ioctl SNDCTL_DSP_GETIPTR\n");
+ goto inval;
+-
+- case SNDCTL_DSP_GETOPTR:
+- debug(DEBUG_LEVEL_NORMAL, __FILE__": invalid ioctl SNDCTL_DSP_GETOPTR\n");
+- goto inval;
+-
++
+ default:
+ debug(DEBUG_LEVEL_NORMAL, __FILE__": unknown ioctl 0x%08lx\n", request);
+
diff --git a/pulseaudio-0.9.5-wrong-endian-convert.diff b/pulseaudio-0.9.5-wrong-endian-convert.diff
new file mode 100644
index 0000000..6f9202a
--- /dev/null
+++ b/pulseaudio-0.9.5-wrong-endian-convert.diff
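Review bot: The new `SNDCTL_DSP_GETOPTR` case passes `exit_loop` to `PLAYBACK_STREAM_CHECK_DEAD_GOTO`, but no `exit_loop:` label is defined anywhere inside the added case, so on a dead stream control presumably leaves for a label elsewhere in the enclosing function, which starts and ends outside this hunk. If that label belongs to another ioctl case, that case's tail would run against this request's `argp` and lock state; a label local to this case, placed just before `pa_threaded_mainloop_unlock(i->mainloop);`, keeps the lock/unlock pairing self-contained. `m = k / i->fragment_size;` divides without a zero guard (whether `fragment_size` can still be 0 at this point is not visible here), and all four new cases write through `argp` without a NULL check. The debug strings in this case say `SNDCTL_DSP_GETODELAY` and `pa_stream_get_latency()` although the code handles GETOPTR and calls `pa_stream_get_time()`, which will mislead anyone triaging from the logs.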
@@ -0,0 +1,57 @@
+Fix float32le <-> float32ne <-> float32be sample converters
+
+diff -urNad pulseaudio~/src/pulsecore/sample-util.c pulseaudio/src/pulsecore/sample-util.c
+--- pulseaudio~/src/pulsecore/sample-util.c 2006-08-18 23:38:49.000000000 +0200
++++ pulseaudio/src/pulsecore/sample-util.c 2006-10-19 00:19:56.233268731 +0200
+@@ -68,6 +68,7 @@
+ case PA_SAMPLE_S16LE:
+ case PA_SAMPLE_S16BE:
+ case PA_SAMPLE_FLOAT32:
++ case PA_SAMPLE_FLOAT32RE:
+ c = 0;
+ break;
+ case PA_SAMPLE_ALAW:
+diff -urNad pulseaudio~/src/pulsecore/sconv.c pulseaudio/src/pulsecore/sconv.c
+--- pulseaudio~/src/pulsecore/sconv.c 2006-08-18 23:29:25.000000000 +0200
++++ pulseaudio/src/pulsecore/sconv.c 2006-10-19 00:19:56.229268481 +0200
+@@ -72,6 +72,22 @@
+ oil_memcpy(b, a, sizeof(float) * n);
+ }
+
++static void float32re_to_float32ne(unsigned n, const void *a, float *b) {
++ assert(a);
++ assert(b);
++
++ while (n-- > 0)
++ ((uint32_t *)b)[n] = UINT32_SWAP (((uint32_t *)a)[n]);
++}
++
++static void float32re_from_float32ne(unsigned n, const float *a, void *b) {
++ assert(a);
++ assert(b);
++
++ while (n-- > 0)
++ ((uint32_t *)b)[n] = UINT32_SWAP (((uint32_t *)a)[n]);
++}
++
+ static void ulaw_to_float32ne(unsigned n, const void *a, float *b) {
+ const uint8_t *ca = a;
+
+@@ -140,6 +156,8 @@
+ return pa_sconv_s16be_to_float32ne;
+ case PA_SAMPLE_FLOAT32NE:
+ return float32ne_to_float32ne;
++ case PA_SAMPLE_FLOAT32RE:
++ return float32re_to_float32ne;
+ case PA_SAMPLE_ALAW:
+ return alaw_to_float32ne;
+ case PA_SAMPLE_ULAW:
+@@ -159,6 +177,8 @@
+ return pa_sconv_s16be_from_float32ne;
+ case PA_SAMPLE_FLOAT32NE:
+ return float32ne_from_float32ne;
++ case PA_SAMPLE_FLOAT32RE:
++ return float32re_from_float32ne;
+ case PA_SAMPLE_ALAW:
+ return alaw_from_float32ne;
+ case PA_SAMPLE_ULAW:
diff --git a/pulseaudio.changes b/pulseaudio.changes
index 3755a82..0c36db9 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
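Review bot: Both new converters in sconv.c cast their `const` source pointer to a plain `uint32_t *`, silently dropping the qualifier; the read side should be `((const uint32_t *)a)[n]`. They also access `float` storage through a `uint32_t` lvalue (`b` in `float32re_to_float32ne()`, `a` in `float32re_from_float32ne()`), which is undefined under strict aliasing unless the build disables it; copying each sample through a local `uint32_t` with `memcpy` avoids relying on that. A one-line comment above the pair, such as `/* FLOAT32RE: reverse-endian float32, converted by byte-swapping each 32-bit sample */`, would also explain why the two bodies are identical.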
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue May 29 19:22:56 CEST 2007 - tiwai@suse.de + +- fix possible remote DoS (#260326) +- fix wrong endian conversion of float data +- add a workaround for firefox with LD_PRELOAD wrapper +- add the missing support of ioctls for JavaSound +- increase ESD max samplesize + ------------------------------------------------------------------- Tue Apr 24 12:01:42 CEST 2007 - tiwai@suse.de diff --git a/pulseaudio.spec b/pulseaudio.spec index 6cb056c..1f8394b 100644 --- a/pulseaudio.spec +++ b/pulseaudio.spec @@ -14,7 +14,7 @@ Name: pulseaudio BuildRequires: alsa-devel doxygen jack-devel liboil-devel libsamplerate-devel libsndfile-devel Summary: A Networked Sound Server Version: 0.9.5 -Release: 38 +Release: 53 License: GNU General Public License (GPL), GNU Library General Public License v. 2.0 and 2.1 (LGPL) Group: System/Sound Daemons Source: %{name}-%{version}.tar.bz2 @@ -22,6 +22,11 @@ Source1: default.pa Patch: pulseaudio-0.9.5-framesize.patch Patch1: pulseaudio-0.9.5-suspend.patch Patch2: pulseaudio-0.9.5-userconf.patch +Patch3: pulseaudio-0.9.5-dos-vulns-fix.diff +Patch4: pulseaudio-0.9.5-wrong-endian-convert.diff +Patch5: pulseaudio-0.9.5-firefox-workaround.diff +Patch6: pulseaudio-0.9.5-javasound-support.diff +Patch7: pulseaudio-0.9.5-esd-max-samplesize.diff URL: http://pulseaudio.org BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -69,10 +74,15 @@ Authors: Pierre Ossman %prep -%setup +%setup -q %patch %patch1 %patch2 -p2 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 cp /usr/share/gettext/config.rpath . %{?suse_update_config:%{suse_update_config -f}} autoreconf --force --install 
@@ -122,6 +132,12 @@ test "$RPM_BUILD_ROOT" != "/" -a -d "$RPM_BUILD_ROOT" && rm -rf $RPM_BUILD_ROOT %{_includedir}/pulse* %changelog +* Tue May 29 2007 - tiwai@suse.de +- fix possible remote DoS (#260326) +- fix wrong endian conversion of float data +- add a workaround for firefox with LD_PRELOAD wrapper +- add the missing support of ioctls for JavaSound +- increase ESD max samplesize * Tue Apr 24 2007 - tiwai@suse.de - disable static library, don't use ltdl install - fix requires of devel package