diff --git a/aubio-wavread-input-validation.patch b/aubio-wavread-input-validation.patch
new file mode 100644
index 0000000..23fe06f
--- /dev/null
+++ b/aubio-wavread-input-validation.patch
@@ -0,0 +1,39 @@
+From 25ecb7338cebc5b8c79092347839c78349ec33f1 Mon Sep 17 00:00:00 2001
+From: Paul Brossier
+Date: Tue, 6 Feb 2018 22:32:59 +0100
+Subject: [PATCH] src/io/source_wavread.c: add some input validation (closes:
+ #158)
+
+---
+ src/io/source_wavread.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/src/io/source_wavread.c
++++ b/src/io/source_wavread.c
+@@ -189,6 +189,26 @@ aubio_source_wavread_t * new_aubio_sourc
+ // BitsPerSample
+ bytes_read += fread(buf, 1, 2, s->fid);
+ bitspersample = read_little_endian(buf, 2);
++
++ if ( channels == 0 ) {
++ AUBIO_ERR("source_wavread: Failed opening %s (number of channels can not be 0)\n", s->path);
++ goto beach;
++ }
++
++ if ( sr == 0 ) {
++ AUBIO_ERR("source_wavread: Failed opening %s (samplerate can not be 0)\n", s->path);
++ goto beach;
++ }
++
++ if ( byterate == 0 ) {
++ AUBIO_ERR("source_wavread: Failed opening %s (byterate can not be 0)\n", s->path);
++ goto beach;
++ }
++
++ if ( bitspersample == 0 ) {
++ AUBIO_ERR("source_wavread: Failed opening %s (bitspersample can not be 0)\n", s->path);
++ goto beach;
++ }
+ #if 0
+ if ( bitspersample != 16 ) {
+ AUBIO_ERR("source_wavread: can not process %dbit file %s\n",
diff --git a/aubio.changes b/aubio.changes
index f655257..b1096c8 100644
--- a/aubio.changes
+++ b/aubio.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Mar 23 16:41:03 CET 2018 - tiwai@suse.de
+
+- Fix divide-by-zero at wavread (CVE-2017-17054, bsc#1070399):
+ aubio-wavread-input-validation.patch
+
 -------------------------------------------------------------------
 Mon Jan 1 17:38:57 UTC 2018 - coolo@suse.com
diff --git a/aubio.spec b/aubio.spec
index 8505e64..4f09d97 100644
--- a/aubio.spec
+++ b/aubio.spec
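Review bot: The four added checks only reject a literal zero, and they trust that `buf` was actually filled: in the context line just above them, `bytes_read += fread(buf, 1, 2, s->fid);` does not test the read before `read_little_endian(buf, 2)`, so on a truncated header a stale non-zero value left in `buf` would pass as `bitspersample`. Unless `bytes_read` is verified later in the enclosing function (which starts and ends outside this hunk), each read should be tested, e.g. `if ( fread(buf, 1, 2, s->fid) != 2 ) goto beach;`. The zero test also accepts `bitspersample` values of 1 to 7; if later code derives a bytes-per-sample divisor from it, that divisor would still be zero, so a lower bound such as `if ( bitspersample < 8 )` may be the safer form.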
@@ -19,7 +19,7 @@ Name: aubio %define libpkgname libaubio5 Summary: Library for real-time audio labelling -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Development/Libraries/C and C++ BuildRequires: alsa-devel BuildRequires: doxygen @@ -41,6 +41,7 @@ Release: 0 Source: http://aubio.org/pub/%{name}-%{version}.tar.bz2 Source1: http://aubio.org/pub/%{name}-%{version}.tar.bz2.asc Source99: baselibs.conf +Patch1: aubio-wavread-input-validation.patch Url: http://aubio.org BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires %{libpkgname} = %{version}-%{release} @@ -82,6 +83,7 @@ This package includes the example programs for aubio library. %prep %setup -q +%patch1 -p1 sed -e "s,/lib,/%_lib," src/wscript_build > src/wscript_build.new diff -u src/wscript_build src/wscript_build.new || : mv src/wscript_build.new src/wscript_build diff --git a/python-aubio.spec b/python-aubio.spec index 2dbed3c..d263947 100644 --- a/python-aubio.spec +++ b/python-aubio.spec @@ -21,7 +21,7 @@ Name: python-aubio Version: 0.4.6 Release: 0 Summary: A collection of tools for music analysis -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Development/Languages/Python Url: http://aubio.org/ Source: http://aubio.org/pub/aubio-%{version}.tar.bz2
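Review bot: `Patch1: aubio-wavread-input-validation.patch` and `%patch1 -p1` are added to aubio.spec only, while python-aubio.spec builds from the same `aubio-%{version}.tar.bz2` tarball and its visible hunk changes nothing but the License tag. If that package compiles the bundled C sources instead of linking the system libaubio (not determinable from this diff), it would still ship the unpatched `source_wavread.c`. Either add the same `Patch` / `%patch` pair there or record in the changelog why it is not needed.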