diff --git a/SOURCES/0001-ModuleState-handle-compress-decompress-init-failure.patch b/SOURCES/0001-ModuleState-handle-compress-decompress-init-failure.patch
new file mode 100644
index 0000000..aea872d
--- /dev/null
+++ b/SOURCES/0001-ModuleState-handle-compress-decompress-init-failure.patch
@@ -0,0 +1,31 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH 1/3] ModuleState: handle compress/decompress init failure
+
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+
+Fixes #49
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+ m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+ file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+
++ if (!m_fileModule)
++ return AF_FAIL;
++
+ if (unit->needsRebuffer)
+ {
+ assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
+--
+2.17.1
+
diff --git a/SOURCES/0002-ALAC-set-chunk-frameCount-to-0-on-short-read.patch b/SOURCES/0002-ALAC-set-chunk-frameCount-to-0-on-short-read.patch
new file mode 100644
index 0000000..a8064bf
--- /dev/null
+++ b/SOURCES/0002-ALAC-set-chunk-frameCount-to-0-on-short-read.patch
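Review bot: The new `if (!m_fileModule) return AF_FAIL;` is shown only after the `unit->initcompress(...)` assignment, and the `initdecompress` call named in the commit message is outside the hunk; with the indentation flattened on this page it cannot be confirmed that the guard sits after both branches rather than inside the compress branch. If it covers only one branch, the other still reaches the `unit->needsRebuffer` handling with a NULL module. A one-line comment above the check, for example `// initcompress/initdecompress return NULL on failure`, would also record the contract the guard relies on. initFileModule's body starts and ends outside the hunk.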
@@ -0,0 +1,24 @@
+From 941774c8c0e79007196d7f1e7afdc97689f869b3 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Thu, 27 Sep 2018 12:09:45 +0200
+Subject: [PATCH 2/3] ALAC: set chunk frameCount to 0 on short read
+
+---
+ libaudiofile/modules/ALAC.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/ALAC.cpp b/libaudiofile/modules/ALAC.cpp
+index 7593c11..478e2af 100644
+--- a/libaudiofile/modules/ALAC.cpp
++++ b/libaudiofile/modules/ALAC.cpp
+@@ -240,6 +240,7 @@ void ALAC::runPull()
+ if (read(m_inChunk->buffer, bytesPerPacket) < bytesPerPacket)
+ {
+ reportReadError(0, m_track->f.framesPerPacket);
++ m_outChunk->frameCount = 0;
+ return;
+ }
+
+--
+2.17.1
+
diff --git a/SOURCES/0003-SimpleModule-set-output-chunk-framecount-after-pull.patch b/SOURCES/0003-SimpleModule-set-output-chunk-framecount-after-pull.patch
new file mode 100644
index 0000000..1b9375b
--- /dev/null
+++ b/SOURCES/0003-SimpleModule-set-output-chunk-framecount-after-pull.patch
@@ -0,0 +1,29 @@
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH 3/3] SimpleModule: set output chunk framecount after pull
+
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+
+Fixes #50 and #51
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
++++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+ pull(m_outChunk->frameCount);
++ m_outChunk->frameCount = m_inChunk->frameCount;
+ run(*m_inChunk, *m_outChunk);
+ }
+
+--
+2.17.1
+
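Review bot: The added `m_outChunk->frameCount = m_inChunk->frameCount;` in SimpleModule::runPull has no comment saying why the requested count is overwritten, so the reason survives only in the commit message. Going by that message, pull can deliver fewer frames than were asked for and the next module must see the real number. Suggest putting `// pull() may deliver fewer frames than requested; propagate the actual count downstream` directly above the assignment.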
diff --git a/SOURCES/audiofile-0.3.6-CVE-2015-7747.patch b/SOURCES/audiofile-0.3.6-CVE-2015-7747.patch
new file mode 100644
index 0000000..fae65f6
--- /dev/null
+++ b/SOURCES/audiofile-0.3.6-CVE-2015-7747.patch
@@ -0,0 +1,12 @@
+diff -Nurb --strip-trailing-cr audiofile-0.3.6-orig/libaudiofile/modules/ModuleState.cpp audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
+--- audiofile-0.3.6-orig/libaudiofile/modules/ModuleState.cpp 2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp 2015-10-08 11:29:51.846082162 +0200
+@@ -402,7 +402,7 @@
+ addModule(new Transform(outfc, in.pcm, out.pcm));
+
+ if (in.channelCount != out.channelCount)
+- addModule(new ApplyChannelMatrix(infc, isReading,
++ addModule(new ApplyChannelMatrix(outfc, isReading,
+ in.channelCount, out.channelCount,
+ in.pcm.minClip, in.pcm.maxClip,
+ track->channelMatrix));
diff --git a/SOURCES/audiofile-0.3.6-left-shift-neg.patch b/SOURCES/audiofile-0.3.6-left-shift-neg.patch
new file mode 100644
index 0000000..deef23c
--- /dev/null
+++ b/SOURCES/audiofile-0.3.6-left-shift-neg.patch
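Review bot: The one-token change at `addModule(new ApplyChannelMatrix(outfc, isReading,` comes with neither a comment nor a regression test, and `infc`/`outfc` differ by two letters, so the mistake is easy to reintroduce. The preceding `Transform(outfc, in.pcm, out.pcm)` suggests the data is already in the output format at this point; if that is the invariant, a line such as `// samples are already in the output format here, so the matrix must use outfc` above the call would state it. The spec changelog describes a manual check (16-bit LE stereo to 8-bit LE mono), which would make a natural automated test case. The enclosing function starts and ends outside the hunk.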
@@ -0,0 +1,48 @@ +diff -Nurb --strip-trailing-cr audiofile-0.3.6-orig/libaudiofile/modules/SimpleModule.h audiofile-0.3.6/libaudiofile/modules/SimpleModule.h +--- audiofile-0.3.6-orig/libaudiofile/modules/SimpleModule.h 2013-03-06 06:30:03.000000000 +0100 ++++ audiofile-0.3.6/libaudiofile/modules/SimpleModule.h 2016-02-03 21:19:43.065454454 +0100 +@@ -123,7 +123,7 @@ + typedef typename IntTypes::UnsignedType UnsignedType; + + static const int kScaleBits = (Format + 1) * CHAR_BIT - 1; +- static const int kMinSignedValue = -1 << kScaleBits; ++ static const int kMinSignedValue = 0-(1U< + { +diff -Nurb --strip-trailing-cr audiofile-0.3.6-orig/test/FloatToInt.cpp audiofile-0.3.6/test/FloatToInt.cpp +--- audiofile-0.3.6-orig/test/FloatToInt.cpp 2013-02-11 18:23:26.000000000 +0100 ++++ audiofile-0.3.6/test/FloatToInt.cpp 2016-02-03 21:21:14.714510229 +0100 +@@ -115,7 +115,7 @@ + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(FloatToIntTest, Int24) +diff -Nurb --strip-trailing-cr audiofile-0.3.6-orig/test/IntToFloat.cpp audiofile-0.3.6/test/IntToFloat.cpp +--- audiofile-0.3.6-orig/test/IntToFloat.cpp 2013-02-11 18:23:26.000000000 +0100 ++++ audiofile-0.3.6/test/IntToFloat.cpp 2016-02-03 21:20:57.380445355 +0100 +@@ -117,7 +117,7 @@ + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(IntToFloatTest, Int24) +diff -Nurb --strip-trailing-cr audiofile-0.3.6-orig/test/Sign.cpp audiofile-0.3.6/test/Sign.cpp +--- audiofile-0.3.6-orig/test/Sign.cpp 2013-02-11 18:23:26.000000000 +0100 ++++ audiofile-0.3.6/test/Sign.cpp 2016-02-03 21:20:38.742450826 +0100 +@@ -116,7 +116,7 @@ + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t 
kMinInt24 = 0-(1U<<23);
+ static const int32_t kMaxInt24 = (1<<23) - 1;
+ static const uint32_t kMaxUInt24 = (1<<24) - 1;
+
diff --git a/SOURCES/audiofile-0.3.6-narrowing.patch b/SOURCES/audiofile-0.3.6-narrowing.patch
new file mode 100644
index 0000000..f701d89
--- /dev/null
+++ b/SOURCES/audiofile-0.3.6-narrowing.patch
@@ -0,0 +1,52 @@
+diff -Nur audiofile-0.3.6-orig/test/NeXT.cpp audiofile-0.3.6/test/NeXT.cpp
+--- audiofile-0.3.6-orig/test/NeXT.cpp 2013-02-11 18:23:26.000000000 +0100
++++ audiofile-0.3.6/test/NeXT.cpp 2016-02-04 10:37:32.457140823 +0100
+@@ -37,13 +37,13 @@
+
+ #include "TestUtilities.h"
+
+-const char kDataUnspecifiedLength[] =
++const signed char kDataUnspecifiedLength[] =
+ {
+ '.', 's', 'n', 'd',
+ 0, 0, 0, 24, // offset of 24 bytes
+- 0xff, 0xff, 0xff, 0xff, // unspecified length
++ -1, -1, -1, -1, // unspecified length
+ 0, 0, 0, 3, // 16-bit linear
+- 0, 0, 172, 68, // 44100 Hz
++ 0, 0, -84, 68, // 44100 Hz (0xAC44)
+ 0, 0, 0, 1, // 1 channel
+ 0, 1,
+ 0, 1,
+@@ -57,13 +57,13 @@
+ 0, 55
+ };
+
+-const char kDataTruncated[] =
++const signed char kDataTruncated[] =
+ {
+ '.', 's', 'n', 'd',
+ 0, 0, 0, 24, // offset of 24 bytes
+ 0, 0, 0, 20, // length of 20 bytes
+ 0, 0, 0, 3, // 16-bit linear
+- 0, 0, 172, 68, // 44100 Hz
++ 0, 0, -84, 68, // 44100 Hz (0xAC44)
+ 0, 0, 0, 1, // 1 channel
+ 0, 1,
+ 0, 1,
+@@ -152,13 +152,13 @@
+ ASSERT_EQ(::unlink(testFileName.c_str()), 0);
+ }
+
+-const char kDataZeroChannels[] =
++const signed char kDataZeroChannels[] =
+ {
+ '.', 's', 'n', 'd',
+ 0, 0, 0, 24, // offset of 24 bytes
+ 0, 0, 0, 2, // 2 bytes
+ 0, 0, 0, 3, // 16-bit linear
+- 0, 0, 172, 68, // 44100 Hz
++ 0, 0, -84, 68, // 44100 Hz (0xAC44)
+ 0, 0, 0, 0, // 0 channels
+ 0, 1
+ };
diff --git a/SOURCES/audiofile-0.3.6-pull42.patch b/SOURCES/audiofile-0.3.6-pull42.patch
new file mode 100644
index 0000000..3fab300
--- /dev/null
+++ b/SOURCES/audiofile-0.3.6-pull42.patch
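Review bot: `0-(1U<<23)` in the left-shift-neg patch is evaluated in unsigned arithmetic, so the initializer is the unsigned value 4286578688 and its conversion to `int32_t` is implementation-defined before C++20; this applies to `kMinInt24` in test/FloatToInt.cpp, test/IntToFloat.cpp and test/Sign.cpp. `static const int32_t kMinInt24 = -(1<<23);` stays inside the signed range and still avoids shifting a negative value. The `kMinSignedValue` line in SimpleModule.h is truncated on this page, so it is not covered by this suggestion; there the shift count may reach the sign bit and a plain negation would not be safe.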
@@ -0,0 +1,176 @@ +diff -Nur audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp audiofile-0.3.6-pull42/libaudiofile/modules/BlockCodec.cpp +--- audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp 2013-03-06 06:30:03.000000000 +0100 ++++ audiofile-0.3.6-pull42/libaudiofile/modules/BlockCodec.cpp 2017-03-10 15:40:02.000000000 +0100 +@@ -52,8 +52,9 @@ + // Decompress into m_outChunk. + for (int i=0; i(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff -Nur audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp audiofile-0.3.6-pull42/libaudiofile/modules/MSADPCM.cpp +--- audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp 2013-03-06 06:30:03.000000000 +0100 ++++ audiofile-0.3.6-pull42/libaudiofile/modules/MSADPCM.cpp 2017-03-10 15:40:02.000000000 +0100 +@@ -101,24 +101,60 @@ + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++bool multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. 
+ static int16_t decodeSample(ms_adpcm_state &state,
+- uint8_t code, const int16_t *coefficient)
++ uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+ int linearSample = (state.sample1 * coefficient[0] +
+ state.sample2 * coefficient[1]) >> 8;
++ int delta;
+
+ linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+
+ linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+
+- int delta = (state.delta * adaptationTable[code]) >> 8;
++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
++ {
++ if (ok) *ok=false;
++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
++ return 0;
++ }
++ delta >>= 8;
+ if (delta < 16)
+ delta = 16;
+
+ state.delta = delta;
+ state.sample2 = state.sample1;
+ state.sample1 = linearSample;
++ if (ok) *ok=true;
+
+ return static_cast(linearSample);
+ }
+@@ -212,13 +248,16 @@
+ {
+ uint8_t code;
+ int16_t newSample;
++ bool ok;
+
+ code = *encoded >> 4;
+- newSample = decodeSample(*state[0], code, coefficient[0]);
++ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ code = *encoded & 0x0f;
+- newSample = decodeSample(*state[1], code, coefficient[1]);
++ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ encoded++;
+diff -Nur audiofile-0.3.6/libaudiofile/WAVE.cpp audiofile-0.3.6-pull42/libaudiofile/WAVE.cpp
+--- audiofile-0.3.6/libaudiofile/WAVE.cpp 2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/libaudiofile/WAVE.cpp 2017-03-10 15:40:02.000000000 +0100
+@@ -281,6 +281,12 @@
+
+ /* numCoefficients should be at least 7.
*/
+ assert(numCoefficients >= 7 && numCoefficients <= 255);
++ if (numCoefficients < 7 || numCoefficients > 255)
++ {
++ _af_error(AF_BAD_HEADER,
++ "Bad number of coefficients");
++ return AF_FAIL;
++ }
+
+ m_msadpcmNumCoefficients = numCoefficients;
+
+@@ -834,6 +840,8 @@
+ }
+
+ TrackSetup *track = setup->getTrack();
++ if (!track)
++ return AF_NULL_FILESETUP;
+
+ if (track->f.isCompressed())
+ {
+diff -Nur audiofile-0.3.6/sfcommands/sfconvert.c audiofile-0.3.6-pull42/sfcommands/sfconvert.c
+--- audiofile-0.3.6/sfcommands/sfconvert.c 2013-03-06 06:30:03.000000000 +0100
++++ audiofile-0.3.6-pull42/sfcommands/sfconvert.c 2017-03-10 15:40:02.000000000 +0100
+@@ -45,6 +45,33 @@
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+
++int firstBitSet(int x)
++{
++ int position=0;
++ while (x!=0)
++ {
++ x>>=1;
++ ++position;
++ }
++ return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++bool multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++ return __builtin_mul_overflow(a, b, result);
++#else
++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++ return true;
++ *result = a * b;
++ return false;
++#endif
++}
++
+ int main (int argc, char **argv)
+ {
+ if (argc == 2)
+@@ -323,8 +350,11 @@
+ {
+ int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+
+- const int kBufferFrameCount = 65536;
+- void *buffer = malloc(kBufferFrameCount * frameSize);
++ int kBufferFrameCount = 65536;
++ int bufferSize;
++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
++ kBufferFrameCount /= 2;
++ void *buffer = malloc(bufferSize);
+
+ AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+ AFframecount totalFramesWritten = 0;
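Review bot: `firstBitSet` does not terminate for a negative argument on compilers where `>>` on a signed int is an arithmetic shift, because `x>>=1` settles at -1 and `while (x!=0)` stays true; it is reached through the `#else` branch of `multiplyCheckOverflow`, in both the MSADPCM.cpp and the sfconvert.c copy. Whether `state.delta` or `frameSize` can be negative is decided outside these hunks, but both are presumably derived from the input file, so the fallback should not rely on it. A widened multiply removes the bit counting: `long long wide = (long long)a * b;`, `if (wide > INT_MAX || wide < INT_MIN) return true;`, `*result = (int)wide;` (this needs `<limits.h>`). Separately, in the WAVE.cpp hunk the `assert(numCoefficients >= 7 && numCoefficients <= 255);` is kept ahead of the new range check, so builds with assertions enabled still abort on a malformed header before `AF_FAIL` is returned.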
diff --git a/SOURCES/audiofile-0.3.6-pull43.patch b/SOURCES/audiofile-0.3.6-pull43.patch new file mode 100644 index 0000000..4ad1152 --- /dev/null +++ b/SOURCES/audiofile-0.3.6-pull43.patch @@ -0,0 +1,21 @@ +diff -Nur audiofile-0.3.6/libaudiofile/modules/IMA.cpp audiofile-0.3.6-pull43/libaudiofile/modules/IMA.cpp +--- audiofile-0.3.6/libaudiofile/modules/IMA.cpp 2013-03-06 06:30:03.000000000 +0100 ++++ audiofile-0.3.6-pull43/libaudiofile/modules/IMA.cpp 2017-03-06 18:06:35.000000000 +0100 +@@ -169,7 +169,7 @@ + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; nbuffer, m_bytesPerPacket * blockCount); +- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0; ++ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0; + + // Decompress into m_outChunk. + for (int i=0; if.sampleWidth = 16; diff --git a/SPECS/audiofile.spec b/SPECS/audiofile.spec index 73691b4..ee3b6fa 100644 --- a/SPECS/audiofile.spec +++ b/SPECS/audiofile.spec @@ -1,7 +1,7 @@ Summary: A library for accessing various audio file formats Name: audiofile Version: 0.3.6 -Release: 4%{?dist} +Release: 9%{?dist} Epoch: 1 License: LGPLv2+ and GPL+ and ASL 2.0 Group: System Environment/Libraries 
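Review bot: The upper bound `88` is written as a bare literal at both `clamp(encoded[2], 0, 88)` and `clamp(encoded[1] & 0x7f, 0, 88)` in the IMA.cpp patch; a named constant defined next to the table that `index` selects from (the table is outside these hunks) would keep the bound tied to the table size. Clamping also turns an out-of-range index from a malformed block into a valid one without any report, whereas the MSADPCM change in pull42 calls `_af_error` and stops decoding. If silent recovery is the intent here, a comment such as `// out-of-range index in a damaged block: clamp rather than fail` would make that explicit. Both enclosing functions start and end outside the hunks.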
@@ -10,6 +10,19 @@ URL: http://audiofile.68k.org/ BuildRequires: libtool BuildRequires: alsa-lib-devel +Patch0: audiofile-0.3.6-CVE-2015-7747.patch +# fixes to make build with GCC 6 +Patch1: audiofile-0.3.6-left-shift-neg.patch +Patch2: audiofile-0.3.6-narrowing.patch +# pull requests #42,#43,#44 +Patch3: audiofile-0.3.6-pull42.patch +Patch4: audiofile-0.3.6-pull43.patch +Patch5: audiofile-0.3.6-pull44.patch +Patch6: 0001-ModuleState-handle-compress-decompress-init-failure.patch +Patch7: 0002-ALAC-set-chunk-frameCount-to-0-on-short-read.patch +Patch8: 0003-SimpleModule-set-output-chunk-framecount-after-pull.patch + + %description The Audio File library is an implementation of the Audio File Library from SGI, which provides an API for accessing audio file formats like @@ -31,6 +44,15 @@ other resources you can use to develop Audio File applications. %prep %setup -q +%patch0 -p1 -b .CVE-2015-7747 +%patch1 -p1 -b .left-shift-neg +%patch2 -p1 -b .narrowing-conversion +%patch3 -p1 -b .pull42 +%patch4 -p1 -b .pull43 +%patch5 -p1 -b .pull44 +%patch6 -p1 -b .b6 +%patch7 -p1 -b .b7 +%patch8 -p1 -b .b8 %build %configure --disable-static 
@@ -67,6 +89,28 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Thu Sep 27 2018 Wim Taymans - 1:0.3.6-9 +- Apply security patches. CVE-2018-17095, CVE-2018-13440 +- Resolves: rhbz#1600369, rhbz#1601014, rhbz#1637128 + +* Fri Feb 09 2018 Igor Gnatenko - 1:0.3.6-8 +- Escape macros in %%changelog + +* Sun Mar 12 2017 Michael Schwendt - 1:0.3.6-7 +- Merge upstream pull requests #42,#43,#44 from Agostino Sarubbo to fix + security issues. CVE-2017-6827, CVE-2017-6828, + CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, + CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, + CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839 + +* Wed Feb 3 2016 Michael Schwendt - 1:0.3.6-6 +- patch to compile with GCC 6 + +* Thu Oct 8 2015 Michael Schwendt - 1:0.3.6-5 +- Merge fix from upstream pull request #25 for CVE-2015-7747. + Test conversion from e.g. 16-bit LE stereo to 8-bit LE mono + no longer causes corruption. + * Fri Jan 24 2014 Daniel Mach - 1:0.3.6-4 - Mass rebuild 2014-01-24 @@ -194,7 +238,7 @@ rm -rf $RPM_BUILD_ROOT - upgrade to 0.1.11. * Mon Aug 14 2000 Than Ngo -- add ldconfig to %post and %postun (Bug #15413) +- add ldconfig to %%post and %%postun (Bug #15413) * Fri Aug 11 2000 Jonathan Blandford - Up Epoch and release @@ -227,7 +271,7 @@ rm -rf $RPM_BUILD_ROOT - Version 0.1.6 * Sun Feb 21 1999 Michael Fulbright -- Removed libtoolize from %build +- Removed libtoolize from %%build * Wed Feb 3 1999 Jonathan Blandfor - Newer version with bug fix. Upped release.