main/libsndfile: security fixes (CVE-2017-17456, CVE-2017-17457, CVE-2018-19661, CVE-2018-19662)

This is upstream commit 8ddc442d539ca775d80cdbc7af17a718634a743f

Partially fixes #9232

2 files changed, 96 insertions, 1 deletions

diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index c2e5e77b95..9611731276 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libsndfile
 pkgver=1.0.28
-pkgrel=5
+pkgrel=6
 pkgdesc="A C library for reading and writing files containing sampled sound"
 url="http://www.mega-nerd.com/libsndfile"
 arch="all"
@@ -16,12 +16,18 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz
 	CVE-2017-8362.patch
 	CVE-2017-12562.patch
 	CVE-2018-13139.patch
+	CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
 	fix-rf64-varargs-bug.patch
 	"
 # sporadic testsuite failures on armhf
 case $CARCH in arm*) options="!check";; esac
 
 # secfixes:
+#   1.0.28-r6:
+#     - CVE-2017-17456
+#     - CVE-2017-17457
+#     - CVE-2018-19661
+#     - CVE-2018-19662
 #   1.0.28-r4:
 #     - CVE-2018-13139
 #   1.0.28-r2:
@@ -62,4 +68,5 @@ f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb7
 dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595  CVE-2017-8362.patch
 814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e  CVE-2017-12562.patch
 33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805  CVE-2018-13139.patch
+ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a  CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
 0b7ce6bd6c1ec825521974c36b8c6eb5edd17d3c57d5ae3de287fb34a6be7108bc9511abb497538eef36e5883b84f4137fad6fe9a1d150345111de9f068838f9  fix-rf64-varargs-bug.patch"
diff --git a/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
new file mode 100644
index 0000000000..5b58114dbe
--- /dev/null
+++ b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
@@ -0,0 +1,88 @@
+commit 8ddc442d539ca775d80cdbc7af17a718634a743f
+Author: Hugo Lefeuvre <hle@owl.eu.com>
+Date:   Mon Dec 24 06:43:48 2018 +0100
+
+    a/ulaw: fix multiple buffer overflows (#432)
+    
+    i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+    properly, leading to buffer underflow. INT_MIN is a special value
+    since - INT_MIN cannot be represented as int.
+    
+    In this case round - INT_MIN to INT_MAX and proceed as usual.
+    
+    f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+    properly, leading to null pointer dereference.
+    
+    In this case, arbitrarily set the buffer value to 0.
+    
+    This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+    fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a2..4220224c 100644
+--- a/src/alaw.c
++++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include	"sfconfig.h"
+ 
+ #include	<math.h>
++#include	<limits.h>
+ 
+ #include	"sndfile.h"
+ #include	"common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
++	{	if (ptr [count] == INT_MIN)
++			buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
++		else if (ptr [count] >= 0)
+ 			buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+ 		else
+ 			buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
++	{	if (!isfinite (ptr [count]))
++			buffer [count] = 0 ;
++		else if (ptr [count] >= 0)
+ 			buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+ 		else
+ 			buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb5..b6070ade 100644
+--- a/src/ulaw.c
++++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include	"sfconfig.h"
+ 
+ #include	<math.h>
++#include	<limits.h>
+ 
+ #include	"sndfile.h"
+ #include	"common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
++	{	if (ptr [count] == INT_MIN)
++			buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
++		else if (ptr [count] >= 0)
+ 			buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+ 		else
+ 			buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ {	while (--count >= 0)
+-	{	if (ptr [count] >= 0)
++	{	if (!isfinite (ptr [count]))
++			buffer [count] = 0 ;
++		else if (ptr [count] >= 0)
+ 			buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+ 		else
+ 			buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;