pool/wavpack
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 723265 from multimedia:libs

Browse Source 
- Update to version 5.1.0~git20190420.22977b2:
  * Switch to github service to collect all the CVE fixes as releases
    are not really happening often
  * bsc#1133384 CVE-2019-11498
  * bsc#1141337 CVE-2019-1010315
  * bsc#1141338 CVE-2019-1010318
  * bsc#1141339 CVE-2019-1010317
  * bsc#1141334 CVE-2019-1010319
- Remove merged patches:
  * CVE-2018-19840.patch
  * CVE-2018-19841.patch
  * CVE-2018-7253.patch
  * CVE-2018-7254.patch
  * wavpack-CVE-2018-6767.patch

OBS-URL: https://build.opensuse.org/request/show/723265
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wavpack?expand=0&rev=27
This commit is contained in:
Dominique Leuenberger 2019-08-16 13:32:36 +00:00 committed by Git OBS Bridge
commit 0160af707a
10 changed files with 43 additions and 295 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2018-19840.patch
View File

@ -1,28 +0,0 @@
From 070ef6f138956d9ea9612e69586152339dbefe51 Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Thu, 29 Nov 2018 21:00:42 -0800
Subject: [PATCH] issue #53: error out on zero sample rate
---
src/pack_utils.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/pack_utils.c b/src/pack_utils.c
index 2253f0d..2a83497 100644
--- a/src/pack_utils.c
+++ b/src/pack_utils.c
@@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
int num_chans = config->num_channels;
int i;
+ if (!config->sample_rate) {
+ strcpy (wpc->error_message, "sample rate cannot be zero!");
+ return FALSE;
+ }
+
wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS;
if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) {
--
2.20.1

32
CVE-2018-19841.patch
View File

@ -1,32 +0,0 @@
From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Thu, 29 Nov 2018 21:53:51 -0800
Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
---
src/open_utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/open_utils.c b/src/open_utils.c
index 80051fc..4fe0d67 100644
--- a/src/open_utils.c
+++ b/src/open_utils.c
@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
#endif
if (meta_bc == 4) {
- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
+ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
return FALSE;
}
else {
csum ^= csum >> 16;
- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
+ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
return FALSE;
}
--
2.20.1

33
CVE-2018-7253.patch
View File

@ -1,33 +0,0 @@
From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Sat, 10 Feb 2018 16:01:39 -0800
Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file
Upstream: merged
---
cli/dsdiff.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/cli/dsdiff.c b/cli/dsdiff.c
index 410dc1c..c016df9 100644
--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
error_line ("dsdiff file version = 0x%08x", version);
}
else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+ char *prop_chunk;
+
+ if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
+ error_line ("%s is not a valid .DFF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ if (debug_logging_mode)
+ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
+
+ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
bcount != dff_chunk_header.ckDataSize) {

67
CVE-2018-7254.patch
View File

@ -1,67 +0,0 @@
From 8e3fe45a7bac31d9a3b558ae0079e2d92a04799e Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Sun, 11 Feb 2018 16:37:47 -0800
Subject: [PATCH] issue #28, fix buffer overflows and bad allocs on corrupt CAF
files
Upstream: merged
---
cli/caff.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/cli/caff.c b/cli/caff.c
index ae57c4b..6248a71 100644
--- a/cli/caff.c
+++ b/cli/caff.c
@@ -89,8 +89,8 @@ typedef struct
#define CAFChannelDescriptionFormat "LLLLL"
-static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21 };
-static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16 };
+static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21,0 };
+static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16,0 };
static struct {
uint32_t mChannelLayoutTag; // Core Audio layout, 100 - 146 in high word, num channels in low word
@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
}
}
else if (!strncmp (caf_chunk_header.mChunkType, "chan", 4)) {
- CAFChannelLayout *caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
+ CAFChannelLayout *caf_channel_layout;
- if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) ||
- !DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
+ if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {
+ error_line ("this .CAF file has an invalid 'chan' chunk!");
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ if (debug_logging_mode)
+ error_line ("'chan' chunk is %d bytes", (int) caf_chunk_header.mChunkSize);
+
+ caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
+
+ if (!DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
bcount != caf_chunk_header.mChunkSize) {
error_line ("%s is not a valid .CAF file!", infilename);
free (caf_channel_layout);
@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
}
else { // just copy unknown chunks to output file
- int bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
- char *buff = malloc (bytes_to_copy);
+ uint32_t bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
+ char *buff;
+
+ if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize > 1048576) {
+ error_line ("%s is not a valid .CAF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
+
+ buff = malloc (bytes_to_copy);
if (debug_logging_mode)
error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",

17
_service Normal file
View File

@ -0,0 +1,17 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="version">5.1.0</param>
<param name="versionformat">5.1.0~git%cd.%h</param>
<param name="url">git@github.com:dbry/WavPack.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="changesgenerate">enable</param>
<param name="filename">wavpack</param>
</service>
<service name="recompress" mode="disabled">
<param name="compression">xz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="disabled"/>
</services>

3
wavpack-5.1.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1939627d5358d1da62bc6158d63f7ed12905552f3a799c799ee90296a7612944
size 824331

3
wavpack-5.1.0~git20190420.22977b2.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7cb645554cfba4759cbe03999854c005d2db612d3b7aefe88256ed9123336ec7
size 1068516

112
wavpack-CVE-2018-6767.patch
View File

@ -1,112 +0,0 @@
From d5bf76b5a88d044a1be1d5656698e3ba737167e5 Mon Sep 17 00:00:00 2001
From: David Bryant <david@wavpack.com>
Date: Sun, 4 Feb 2018 11:28:15 -0800
Subject: [PATCH] issue #27, do not overwrite stack on corrupt RF64 file
---
cli/riff.c | 39 ++++++++++++++++++++++++++++++++-------
1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/cli/riff.c b/cli/riff.c
index 8b1af45..de98c1e 100644
--- a/cli/riff.c
+++ b/cli/riff.c
@@ -42,6 +42,7 @@ typedef struct {
#pragma pack(pop)
+#define CS64ChunkFormat "4D"
#define DS64ChunkFormat "DDDL"
#define WAVPACK_NO_ERROR 0
@@ -101,13 +102,13 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
if (!strncmp (chunk_header.ckID, "ds64", 4)) {
if (chunk_header.ckSize < sizeof (DS64Chunk) ||
- !DoReadFile (infile, &ds64_chunk, chunk_header.ckSize, &bcount) ||
- bcount != chunk_header.ckSize) {
+ !DoReadFile (infile, &ds64_chunk, sizeof (DS64Chunk), &bcount) ||
+ bcount != sizeof (DS64Chunk)) {
error_line ("%s is not a valid .WAV file!", infilename);
return WAVPACK_SOFT_ERROR;
}
else if (!(config->qmode & QMODE_NO_STORE_WRAPPER) &&
- !WavpackAddWrapper (wpc, &ds64_chunk, chunk_header.ckSize)) {
+ !WavpackAddWrapper (wpc, &ds64_chunk, sizeof (DS64Chunk))) {
error_line ("%s", WavpackGetErrorMessage (wpc));
return WAVPACK_SOFT_ERROR;
}
@@ -315,10 +316,11 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples, int qmode)
{
- int do_rf64 = 0, write_junk = 1;
+ int do_rf64 = 0, write_junk = 1, table_length = 0;
ChunkHeader ds64hdr, datahdr, fmthdr;
RiffChunkHeader riffhdr;
DS64Chunk ds64_chunk;
+ CS64Chunk cs64_chunk;
JunkChunk junkchunk;
WaveHeader wavhdr;
uint32_t bcount;
@@ -380,6 +382,7 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
strncpy (riffhdr.formType, "WAVE", sizeof (riffhdr.formType));
total_riff_bytes = sizeof (riffhdr) + wavhdrsize + sizeof (datahdr) + ((total_data_bytes + 1) & ~(int64_t)1);
if (do_rf64) total_riff_bytes += sizeof (ds64hdr) + sizeof (ds64_chunk);
+ total_riff_bytes += table_length * sizeof (CS64Chunk);
if (write_junk) total_riff_bytes += sizeof (junkchunk);
strncpy (fmthdr.ckID, "fmt ", sizeof (fmthdr.ckID));
strncpy (datahdr.ckID, "data", sizeof (datahdr.ckID));
@@ -394,11 +397,12 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
if (do_rf64) {
strncpy (ds64hdr.ckID, "ds64", sizeof (ds64hdr.ckID));
- ds64hdr.ckSize = sizeof (ds64_chunk);
+ ds64hdr.ckSize = sizeof (ds64_chunk) + (table_length * sizeof (CS64Chunk));
CLEAR (ds64_chunk);
ds64_chunk.riffSize64 = total_riff_bytes;
ds64_chunk.dataSize64 = total_data_bytes;
ds64_chunk.sampleCount64 = total_samples;
+ ds64_chunk.tableLength = table_length;
riffhdr.ckSize = (uint32_t) -1;
datahdr.ckSize = (uint32_t) -1;
WavpackNativeToLittleEndian (&ds64hdr, ChunkHeaderFormat);
@@ -409,6 +413,14 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
datahdr.ckSize = (uint32_t) total_data_bytes;
}
+ // this "table" is just a dummy placeholder for testing (normally not written)
+
+ if (table_length) {
+ strncpy (cs64_chunk.ckID, "dmmy", sizeof (cs64_chunk.ckID));
+ cs64_chunk.chunkSize64 = 12345678;
+ WavpackNativeToLittleEndian (&cs64_chunk, CS64ChunkFormat);
+ }
+
// write the RIFF chunks up to just before the data starts
WavpackNativeToLittleEndian (&riffhdr, ChunkHeaderFormat);
@@ -418,8 +430,21 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
if (!DoWriteFile (outfile, &riffhdr, sizeof (riffhdr), &bcount) || bcount != sizeof (riffhdr) ||
(do_rf64 && (!DoWriteFile (outfile, &ds64hdr, sizeof (ds64hdr), &bcount) || bcount != sizeof (ds64hdr))) ||
- (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk))) ||
- (write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
+ (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk)))) {
+ error_line ("can't write .WAV data, disk probably full!");
+ return FALSE;
+ }
+
+ // again, this is normally not written except for testing
+
+ while (table_length--)
+ if (!DoWriteFile (outfile, &cs64_chunk, sizeof (cs64_chunk), &bcount) || bcount != sizeof (cs64_chunk)) {
+ error_line ("can't write .WAV data, disk probably full!");
+ return FALSE;
+ }
+
+
+ if ((write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
!DoWriteFile (outfile, &fmthdr, sizeof (fmthdr), &bcount) || bcount != sizeof (fmthdr) ||
!DoWriteFile (outfile, &wavhdr, wavhdrsize, &bcount) || bcount != wavhdrsize ||
!DoWriteFile (outfile, &datahdr, sizeof (datahdr), &bcount) || bcount != sizeof (datahdr)) {

18
wavpack.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Wed Aug 14 10:04:20 UTC 2019 - tchvatal@suse.com
- Update to version 5.1.0~git20190420.22977b2:
* Switch to github service to collect all the CVE fixes as releases
are not really happening often
* bsc#1133384 CVE-2019-11498
* bsc#1141337 CVE-2019-1010315
* bsc#1141338 CVE-2019-1010318
* bsc#1141339 CVE-2019-1010317
* bsc#1141334 CVE-2019-1010319
- Remove merged patches:
* CVE-2018-19840.patch
* CVE-2018-19841.patch
* CVE-2018-7253.patch
* CVE-2018-7254.patch
* wavpack-CVE-2018-6767.patch
-------------------------------------------------------------------
Mon Jan 7 19:29:45 CET 2019 - sbrabec@suse.com

25
wavpack.spec
View File

@ -18,23 +18,14 @@
%define soname 1
Name: wavpack
Version: 5.1.0
Version: 5.1.0~git20190420.22977b2
Release: 0
Summary: Hybrid Lossless Audio Compression Format
License: BSD-3-Clause
Group: Productivity/Multimedia/Sound/Editors and Convertors
Url: http://www.wavpack.com/
Source0: http://www.wavpack.com/%{name}-%{version}.tar.bz2
URL: http://www.wavpack.com/
Source0: %{name}-%{version}.tar.xz
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM bsc#1079746 CVE-2018-6767 Crafted wav file can trigger
# a stack buffer overflow when parsing the file
Patch0: wavpack-CVE-2018-6767.patch
Patch1: CVE-2018-7253.patch
Patch2: CVE-2018-7254.patch
# PATCH-FIX-SECURITY CVE-2018-19840.patch bsc1120930 CVE-2018-19840 sbrabec@suse.cz -- Fix denial-of-service (resource exhaustion caused by an infinite loop).
Patch3: CVE-2018-19840.patch
# PATCH-FIX-SECURITY CVE-2018-19841.patch bsc1120929 CVE-2018-19841 sbrabec@suse.cz -- Fix denial-of-service (out-of-bounds read and application crash).
Patch4: CVE-2018-19841.patch
BuildRequires: libtool
BuildRequires: pkgconfig
@ -78,11 +69,6 @@ applications that want to make use of wavpack.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
autoreconf -fiv
@ -91,7 +77,6 @@ make %{?_smp_mflags}
%install
%make_install
# not needed
find %{buildroot} -type f -name "*.la" -delete -print
%check
@ -101,8 +86,8 @@ make %{?_smp_mflags} check
%postun -n libwavpack%{soname} -p /sbin/ldconfig
%files
# AUTHORS NEWS are empty
%doc ChangeLog README COPYING
%license COPYING
%doc ChangeLog README.md
%{_bindir}/wavpack
%{_bindir}/wvgain
%{_bindir}/wvunpack