diff options
Diffstat (limited to 'main')
-rw-r--r-- | main/libsndfile/APKBUILD | 9 | ||||
-rw-r--r-- | main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch | 88 |
2 files changed, 96 insertions, 1 deletions
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD index c2e5e77b95..9611731276 100644 --- a/main/libsndfile/APKBUILD +++ b/main/libsndfile/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libsndfile pkgver=1.0.28 -pkgrel=5 +pkgrel=6 pkgdesc="A C library for reading and writing files containing sampled sound" url="http://www.mega-nerd.com/libsndfile" arch="all" @@ -16,12 +16,18 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz CVE-2017-8362.patch CVE-2017-12562.patch CVE-2018-13139.patch + CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch fix-rf64-varargs-bug.patch " # sporadic testsuite failures on armhf case $CARCH in arm*) options="!check";; esac # secfixes: +# 1.0.28-r6: +# - CVE-2017-17456 +# - CVE-2017-17457 +# - CVE-2018-19661 +# - CVE-2018-19662 # 1.0.28-r4: # - CVE-2018-13139 # 1.0.28-r2: @@ -62,4 +68,5 @@ f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb7 dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch 814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch 33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805 CVE-2018-13139.patch +ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch 0b7ce6bd6c1ec825521974c36b8c6eb5edd17d3c57d5ae3de287fb34a6be7108bc9511abb497538eef36e5883b84f4137fad6fe9a1d150345111de9f068838f9 fix-rf64-varargs-bug.patch" diff --git a/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch new file mode 100644 index 0000000000..5b58114dbe --- /dev/null +++ b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch @@ -0,0 +1,88 @@ +commit 8ddc442d539ca775d80cdbc7af17a718634a743f +Author: Hugo Lefeuvre <hle@owl.eu.com> +Date: Mon Dec 24 06:43:48 2018 +0100 + + a/ulaw: fix multiple buffer overflows (#432) + + i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN + properly, leading to buffer underflow. INT_MIN is a special value + since - INT_MIN cannot be represented as int. + + In this case round - INT_MIN to INT_MAX and proceed as usual. + + f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN + properly, leading to null pointer dereference. + + In this case, arbitrarily set the buffer value to 0. + + This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and + fixes #344 (CVE-2017-17456 and CVE-2017-17457). + +diff --git a/src/alaw.c b/src/alaw.c +index 063fd1a2..4220224c 100644 +--- a/src/alaw.c ++++ b/src/alaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2alaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; + else + buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; +@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; +diff --git a/src/ulaw.c b/src/ulaw.c +index e50b4cb5..b6070ade 100644 +--- a/src/ulaw.c ++++ b/src/ulaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2ulaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; + else + buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; +@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; |