diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1')
13 files changed, 807 insertions, 671 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch deleted file mode 100644 index a4679cef2a..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch +++ /dev/null @@ -1,107 +0,0 @@ -This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 -CVE-2017-17457). As per -https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also -fixes #317 (CVE-2017-14245 CVE-2017-14246). - -CVE: CVE-2017-14245 CVE-2017-14246 -CVE: CVE-2017-17456 CVE-2017-17457 -CVE: CVE-2018-19661 CVE-2018-19662 - -Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 7 Jan 2019 15:55:03 +0800 -Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) - -i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN -properly, leading to buffer underflow. INT_MIN is a special value -since - INT_MIN cannot be represented as int. - -In this case round - INT_MIN to INT_MAX and proceed as usual. - -f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN -properly, leading to null pointer dereference. - -In this case, arbitrarily set the buffer value to 0. - -This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and -fixes #344 (CVE-2017-17456 and CVE-2017-17457). - ---- - src/alaw.c | 9 +++++++-- - src/ulaw.c | 9 +++++++-- - 2 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/src/alaw.c b/src/alaw.c -index 063fd1a..4220224 100644 ---- a/src/alaw.c -+++ b/src/alaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2alaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; - else - buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; -@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; -diff --git a/src/ulaw.c b/src/ulaw.c -index e50b4cb..b6070ad 100644 ---- a/src/ulaw.c -+++ b/src/ulaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2ulaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; - else - buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; -@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch deleted file mode 100644 index 491dae3114..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch +++ /dev/null @@ -1,96 +0,0 @@ -Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in -libsndfile through 1.0.28 allows remote attackers to cause a denial of service -(application crash) or possibly have unspecified other impact. - -CVE: CVE-2017-12562 -Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de> -Date: Wed, 14 Jun 2017 12:25:40 +0200 -Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings - in binheader - -Fixes the following problems: - 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. - 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the - big switch statement by an amount (16 bytes) which is enough for all cases - where only a single value gets added. Cases 's', 'S', 'p' however - additionally write an arbitrary length block of data and again enlarge the - buffer to the required amount. However, the required space calculation does - not take into account the size of the length field which gets output before - the data. - 3. Buffer size requirement calculation in case 'S' does not account for the - padding byte ("size += (size & 1) ;" happens after the calculation which - uses "size"). - 4. Case 'S' can overrun the header buffer by 1 byte when no padding is - involved - ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while - the buffer is only guaranteed to have "size" space available). - 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte - beyond the space which is guaranteed to be allocated in the header buffer. - 6. Case 's' can overrun the provided source string by 1 byte if padding is - involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" - where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, - plus optionally another 1 which is padding and not guaranteed to be - readable via the source string pointer). - -Closes: https://github.com/erikd/libsndfile/issues/292 ---- - src/common.c | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/src/common.c b/src/common.c -index 1a6204ca..6b2a2ee9 100644 ---- a/src/common.c -+++ b/src/common.c -@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) - /* Write a C string (guaranteed to have a zero terminator). */ - strptr = va_arg (argptr, char *) ; - size = strlen (strptr) + 1 ; -- size += (size & 1) ; - -- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) -+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) - return count ; - - if (psf->rwf_endian == SF_ENDIAN_BIG) -- header_put_be_int (psf, size) ; -+ header_put_be_int (psf, size + (size & 1)) ; - else -- header_put_le_int (psf, size) ; -+ header_put_le_int (psf, size + (size & 1)) ; - memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; -+ size += (size & 1) ; - psf->header.indx += size ; - psf->header.ptr [psf->header.indx - 1] = 0 ; - count += 4 + size ; -@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) - */ - strptr = va_arg (argptr, char *) ; - size = strlen (strptr) ; -- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) -+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) - return count ; - if (psf->rwf_endian == SF_ENDIAN_BIG) - header_put_be_int (psf, size) ; - else - header_put_le_int (psf, size) ; -- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; -+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; - size += (size & 1) ; - psf->header.indx += size ; -- psf->header.ptr [psf->header.indx] = 0 ; - count += 4 + size ; - break ; - -@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) - size = (size & 1) ? size : size + 1 ; - size = (size > 254) ? 254 : size ; - -- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) -+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) - return count ; - - header_put_byte (psf, size) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch deleted file mode 100644 index 39b4ec1101..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001 -From: Fabian Greffrath <fabian@greffrath.com> -Date: Thu, 28 Sep 2017 12:15:04 +0200 -Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound - -This prevents division by zero later in the code. - -While the trivial case to catch this (i.e. sf.channels < 1) has already -been covered, a crafted file may report a number of channels that is -so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets -miscalculated to zero (if this makes sense) in the determination of the -blockwidth. Since we only support a limited number of channels anyway, -make sure to check here as well. - -CVE: CVE-2017-14634 - -Closes: https://github.com/erikd/libsndfile/issues/318 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788] - -Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com> -Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> ---- - src/double64.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/double64.c b/src/double64.c -index b318ea8..78dfef7 100644 ---- a/src/double64.c -+++ b/src/double64.c -@@ -91,7 +91,7 @@ int - double64_init (SF_PRIVATE *psf) - { static int double64_caps ; - -- if (psf->sf.channels < 1) -+ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS) - { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ; - return SFE_INTERNAL ; - } ; --- -2.13.3 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch deleted file mode 100644 index 89552ac2d9..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-6892.patch +++ /dev/null @@ -1,34 +0,0 @@ -From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Tue, 23 May 2017 20:15:24 +1000 -Subject: [PATCH] src/aiff.c: Fix a buffer read overflow - -Secunia Advisory SA76717. - -Found by: Laurent Delosieres, Secunia Research at Flexera Software - -CVE: CVE-2017-6892 -Upstream-Status: Backport - -Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> - ---- - src/aiff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/aiff.c b/src/aiff.c -index 5b5f9f5..45864b7 100644 ---- a/src/aiff.c -+++ b/src/aiff.c -@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword) - psf_binheader_readf (psf, "j", dword - bytesread) ; - - if (map_info->channel_map != NULL) -- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ; -+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ; - - free (psf->channel_map) ; - --- -1.9.1 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch deleted file mode 100644 index ac99516bb3..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8361-8365.patch +++ /dev/null @@ -1,73 +0,0 @@ -From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Wed, 12 Apr 2017 19:45:30 +1000 -Subject: [PATCH] FLAC: Fix a buffer read overrun - -Buffer read overrun occurs when reading a FLAC file that switches -from 2 channels to one channel mid-stream. Only option is to -abort the read. - -Closes: https://github.com/erikd/libsndfile/issues/230 - -CVE: CVE-2017-8361 CVE-2017-8365 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/common.h | 1 + - src/flac.c | 13 +++++++++++++ - src/sndfile.c | 1 + - 3 files changed, 15 insertions(+) - -diff --git a/src/common.h b/src/common.h -index 0bd810c..e2669b6 100644 ---- a/src/common.h -+++ b/src/common.h -@@ -725,6 +725,7 @@ enum - SFE_FLAC_INIT_DECODER, - SFE_FLAC_LOST_SYNC, - SFE_FLAC_BAD_SAMPLE_RATE, -+ SFE_FLAC_CHANNEL_COUNT_CHANGED, - SFE_FLAC_UNKOWN_ERROR, - - SFE_WVE_NOT_WVE, -diff --git a/src/flac.c b/src/flac.c -index 84de0e2..986a7b8 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ - - switch (metadata->type) - { case FLAC__METADATA_TYPE_STREAMINFO : -+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) -+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" -+ "Nothing to be but to error out.\n" , -+ psf->sf.channels, metadata->data.stream_info.channels) ; -+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; -+ return ; -+ } ; -+ -+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate) -+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n" -+ "Carrying on as if nothing happened.", -+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ; -+ } ; - psf->sf.channels = metadata->data.stream_info.channels ; - psf->sf.samplerate = metadata->data.stream_info.sample_rate ; - psf->sf.frames = metadata->data.stream_info.total_samples ; -diff --git a/src/sndfile.c b/src/sndfile.c -index 4187561..e2a87be 100644 ---- a/src/sndfile.c -+++ b/src/sndfile.c -@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] = - { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." }, - { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." }, - { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." }, -+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." }, - { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." }, - - { SFE_WVE_NOT_WVE , "Error : not a WVE file." }, --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch deleted file mode 100644 index 9ee7e46a6d..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8362.patch +++ /dev/null @@ -1,59 +0,0 @@ -From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Fri, 14 Apr 2017 15:19:16 +1000 -Subject: [PATCH] src/flac.c: Fix a buffer read overflow - -A file (generated by a fuzzer) which increased the number of channels -from one frame to the next could cause a read beyond the end of the -buffer provided by libFLAC. Only option is to abort the read. - -Closes: https://github.com/erikd/libsndfile/issues/231 - -CVE: CVE-2017-8362 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/flac.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/flac.c b/src/flac.c -index 5a4f8c2..e4f9aaa 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf) - const int32_t* const *buffer = pflac->wbuffer ; - unsigned i = 0, j, offset, channels, len ; - -+ if (psf->sf.channels != (int) frame->header.channels) -+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n" -+ "Nothing to do but to error out.\n" , -+ psf->sf.channels, frame->header.channels) ; -+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; -+ return 0 ; -+ } ; -+ - /* - ** frame->header.blocksize is variable and we're using a constant blocksize - ** of FLAC__MAX_BLOCK_SIZE. -@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf) - return 0 ; - } ; - -- - len = SF_MIN (pflac->len, frame->header.blocksize) ; - - if (pflac->remain % channels != 0) -@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ - { case FLAC__METADATA_TYPE_STREAMINFO : - if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) - { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" -- "Nothing to be but to error out.\n" , -+ "Nothing to do but to error out.\n" , - psf->sf.channels, metadata->data.stream_info.channels) ; - psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; - return ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch deleted file mode 100644 index e526e5a346..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-8363.patch +++ /dev/null @@ -1,37 +0,0 @@ -From cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Wed, 12 Apr 2017 20:19:34 +1000 -Subject: [PATCH] src/flac.c: Fix another memory leak - -When the FLAC decoder was passed a malformed file, the associated -`FLAC__StreamDecoder` object was not getting released. - -Closes: https://github.com/erikd/libsndfile/issues/233 - -CVE: CVE-2017-8363 - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - src/flac.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/flac.c b/src/flac.c -index 986a7b8..5a4f8c2 100644 ---- a/src/flac.c -+++ b/src/flac.c -@@ -841,7 +841,9 @@ flac_read_header (SF_PRIVATE *psf) - - psf_log_printf (psf, "End\n") ; - -- if (psf->error == 0) -+ if (psf->error != 0) -+ FLAC__stream_decoder_delete (pflac->fsd) ; -+ else - { FLAC__uint64 position ; - - FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ; --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch deleted file mode 100644 index 707373d414..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch +++ /dev/null @@ -1,37 +0,0 @@ -CVE: CVE-2018-13139 -Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001 -From: "Brett T. Warden" <brett.t.warden@intel.com> -Date: Tue, 28 Aug 2018 12:01:17 -0700 -Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave - -Allocated buffer has space for only 16 channels. Verify that input file -meets this limit. - -Fixes #397 ---- - programs/sndfile-deinterleave.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c -index e27593e2..cb497e1f 100644 ---- a/programs/sndfile-deinterleave.c -+++ b/programs/sndfile-deinterleave.c -@@ -89,6 +89,13 @@ main (int argc, char **argv) - exit (1) ; - } ; - -+ if (sfinfo.channels > MAX_CHANNELS) -+ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", -+ argv [1], sfinfo.channels, MAX_CHANNELS) ; -+ exit (1) ; -+ } ; -+ -+ - state.channels = sfinfo.channels ; - sfinfo.channels = 1 ; - --- -2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch deleted file mode 100644 index 8ded2c0f85..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Thu, 8 Mar 2018 18:00:21 +1100 -Subject: [PATCH] Fix max channel count bug - -The code was allowing files to be written with a channel count of exactly -`SF_MAX_CHANNELS` but was failing to read some file formats with the same -channel count. - -Upstream-Status: Backport [https://github.com/erikd/libsndfile/ -commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5] - -CVE: CVE-2018-19432 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> - ---- - src/aiff.c | 6 +++--- - src/rf64.c | 4 ++-- - src/w64.c | 4 ++-- - src/wav.c | 4 ++-- - 4 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/aiff.c b/src/aiff.c -index fbd43cb..6386bce 100644 ---- a/src/aiff.c -+++ b/src/aiff.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> -+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> - ** Copyright (C) 2005 David Viens <davidv@plogue.com> - ** - ** This program is free software; you can redistribute it and/or modify -@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_ - if (psf->sf.channels < 1) - return SFE_CHANNEL_COUNT_ZERO ; - -- if (psf->sf.channels >= SF_MAX_CHANNELS) -+ if (psf->sf.channels > SF_MAX_CHANNELS) - return SFE_CHANNEL_COUNT ; - - if (! (found_chunk & HAVE_FORM)) -@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C - psf_log_printf (psf, " Sample Rate : %d\n", samplerate) ; - psf_log_printf (psf, " Frames : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ; - -- if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS) -+ if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS) - { psf_log_printf (psf, " Channels : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ; - return SFE_CHANNEL_COUNT_BAD ; - } ; -diff --git a/src/rf64.c b/src/rf64.c -index d57f0f3..876cd45 100644 ---- a/src/rf64.c -+++ b/src/rf64.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com> -+** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com> - ** Copyright (C) 2009 Uli Franke <cls@nebadje.org> - ** - ** This program is free software; you can redistribute it and/or modify -@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int * - if (psf->sf.channels < 1) - return SFE_CHANNEL_COUNT_ZERO ; - -- if (psf->sf.channels >= SF_MAX_CHANNELS) -+ if (psf->sf.channels > SF_MAX_CHANNELS) - return SFE_CHANNEL_COUNT ; - - /* WAVs can be little or big endian */ -diff --git a/src/w64.c b/src/w64.c -index 939b716..a37d2c5 100644 ---- a/src/w64.c -+++ b/src/w64.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> -+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> - ** - ** This program is free software; you can redistribute it and/or modify - ** it under the terms of the GNU Lesser General Public License as published by -@@ -383,7 +383,7 @@ w64_read_header (SF_PRIVATE *psf, int *b - if (psf->sf.channels < 1) - return SFE_CHANNEL_COUNT_ZERO ; - -- if (psf->sf.channels >= SF_MAX_CHANNELS) -+ if (psf->sf.channels > SF_MAX_CHANNELS) - return SFE_CHANNEL_COUNT ; - - psf->endian = SF_ENDIAN_LITTLE ; /* All W64 files are little endian. */ -diff --git a/src/wav.c b/src/wav.c -index 7bd97bc..dc97545 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -1,5 +1,5 @@ - /* --** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com> -+** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com> - ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com> - ** - ** This program is free software; you can redistribute it and/or modify -@@ -627,7 +627,7 @@ wav_read_header (SF_PRIVATE *psf, int *b - if (psf->sf.channels < 1) - return SFE_CHANNEL_COUNT_ZERO ; - -- if (psf->sf.channels >= SF_MAX_CHANNELS) -+ if (psf->sf.channels > SF_MAX_CHANNELS) - return SFE_CHANNEL_COUNT ; - - if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0) --- -1.7.9.5 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch deleted file mode 100644 index c3586f9dfc..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch +++ /dev/null @@ -1,34 +0,0 @@ -There is a heap-based buffer over-read at wav.c in wav_write_header in -libsndfile 1.0.28 that will cause a denial of service. - -CVE: CVE-2018-19758 -Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001 -From: Erik de Castro Lopo <erikd@mega-nerd.com> -Date: Tue, 1 Jan 2019 20:11:46 +1100 -Subject: [PATCH] src/wav.c: Fix heap read overflow - -This is CVE-2018-19758. - -Closes: https://github.com/erikd/libsndfile/issues/435 ---- - src/wav.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/wav.c b/src/wav.c -index e8405b55..6fb94ae8 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) - psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ - psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; - -+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */ -+ psf->instrument->loop_count &= 0x7fff ; - for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) - { int type ; - --- -2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch deleted file mode 100644 index ab37211399..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001 -From: Emilio Pozuelo Monfort <pochu27@gmail.com> -Date: Tue, 5 Mar 2019 11:27:17 +0100 -Subject: [PATCH] wav_write_header: don't read past the array end - -CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder. - -CVE: CVE-2019-3832 -Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -If loop_count is bigger than the array, truncate it to the array -length (and not to 32k). - -CVE-2019-3832 - ---- - src/wav.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/wav.c b/src/wav.c -index daae3cc..8851549 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) - psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ - psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; - -- /* Loop count is signed 16 bit number so we limit it range to something sensible. */ -- psf->instrument->loop_count &= 0x7fff ; -+ /* Make sure we don't read past the loops array end. */ -+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) -+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; -+ - for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) - { int type ; - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch new file mode 100644 index 0000000000..fa4b2fc08b --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/cve-2022-33065.patch @@ -0,0 +1,739 @@ +From c7ce5b0ebeeb58934825077d1324960aa0747718 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Tue, 10 Oct 2023 16:10:34 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation + +The clang sanitizer warns of a possible signed integer overflow when +calculating the `dataend` value in `mat4_read_header()`. + +``` +src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in +src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in +``` + +Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of +`dataend` before performing the calculation, to avoid the issue. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/789 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Upstream-Status: Backport [9a829113c88a51e57c1e46473e90609e4b7df151] + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/mat4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 0b1b414b..575683ba 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + +From 842303f984b2081481e74cb84a9a24ecbe3dec1a Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:36:02 -0400 +Subject: [PATCH] au: avoid int overflow while calculating data_end + +At several points in au_read_header(), we calculate the functional end +of the data segment by adding the (int)au_fmt.dataoffset and the +(int)au_fmt.datasize. This can overflow the implicit int_32 return value +and cause undefined behavior. + +Instead, precalculate the value and assign it to a 64-bit +(sf_count_t)data_end variable. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/au.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/au.c b/src/au.c +index 62bd691d..f68f2587 100644 +--- a/src/au.c ++++ b/src/au.c +@@ -291,6 +291,7 @@ static int + au_read_header (SF_PRIVATE *psf) + { AU_FMT au_fmt ; + int marker, dword ; ++ sf_count_t data_end ; + + memset (&au_fmt, 0, sizeof (au_fmt)) ; + psf_binheader_readf (psf, "pm", 0, &marker) ; +@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf) + return SFE_AU_EMBED_BAD_LEN ; + } ; + ++ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ; + if (psf->fileoffset > 0) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } +- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength) ++ else if (au_fmt.datasize == -1 || data_end == psf->filelength) + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; +- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ else if (data_end < psf->filelength) ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } + else +From 0754d3380a54e3fbdde0f684b88955c80c79f58f Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:46:29 -0400 +Subject: [PATCH] avr: fix int overflow in avr_read_header() + +Pre-cast hdr.frames to sf_count_t, to provide the calculation with +enough numeric space to avoid an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/avr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/avr.c b/src/avr.c +index 6c78ff69..1bc1ffc9 100644 +--- a/src/avr.c ++++ b/src/avr.c +@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf) + psf->endian = SF_ENDIAN_BIG ; + + psf->dataoffset = AVR_HDR_SIZE ; +- psf->datalength = hdr.frames * (hdr.rez / 8) ; ++ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ; + + if (psf->fileoffset > 0) + psf->filelength = AVR_HDR_SIZE + psf->datalength ; +From 6ac31a68a614e2bba4a05b54e5558d6270c98376 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:54:21 -0400 +Subject: [PATCH] sds: fix int overflow warning in sample calculations + +The sds_*byte_read() functions compose their uint_32 sample buffers by +shifting 7bit samples into a 32bit wide buffer, and adding them +together. Because the 7bit samples are stored in 32bit ints, code +fuzzers become concerned that the addition operation can overflow and +cause undefined behavior. + +Instead, bitwise-OR the bytes together - which should accomplish the +same arithmetic operation, without risking an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> + +Do the same for the 3byte and 4byte read functions. +--- + src/sds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/sds.c b/src/sds.c +index 6bc76171..2a0f164c 100644 +--- a/src/sds.c ++++ b/src/sds.c +@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 2) +- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ; ++ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ; + psds->read_samples [k / 2] = (int) (sample - 0x80000000) ; + } ; + +@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 3) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ; + psds->read_samples [k / 3] = (int) (sample - 0x80000000) ; + } ; + +@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 4) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ; + psds->read_samples [k / 4] = (int) (sample - 0x80000000) ; + } ; + +From 96428e1dd4998f1cd47df24f8fe9b0da35d7b947 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 17:26:51 -0400 +Subject: [PATCH] aiff: fix int overflow when counting header elements + +aiff_read_basc_chunk() tries to count the AIFF header size by keeping +track of the bytes returned by psf_binheader_readf(). Though improbable, +it is technically possible for these added bytes to exceed the int-sized +`count` accumulator. + +Use a 64-bit sf_count_t type for `count`, to ensure that it always has +enough numeric space. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/aiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/aiff.c b/src/aiff.c +index a2bda8f4..6b244302 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -1702,7 +1702,7 @@ static int + aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) + { const char * type_str ; + basc_CHUNK bc ; +- int count ; ++ sf_count_t count ; + + count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; + count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ; +From b352c350d35bf978e4d3a32e5d9df1f2284445f4 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 17:43:02 -0400 +Subject: [PATCH] ircam: fix int overflow in ircam_read_header() + +When reading the IRCAM header, it is possible for the calculated +blockwidth to exceed the bounds of a signed int32. + +Use a 64bit sf_count_t to store the blockwidth. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/common.h | 2 +- + src/ircam.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/common.h b/src/common.h +index d92eabde..5369cb67 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -439,7 +439,7 @@ typedef struct sf_private_tag + sf_count_t datalength ; /* Length in bytes of the audio data. */ + sf_count_t dataend ; /* Offset to file tailer. */ + +- int blockwidth ; /* Size in bytes of one set of interleaved samples. */ ++ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */ + int bytewidth ; /* Size in bytes of one sample (one channel). */ + + void *dither ; +diff --git a/src/ircam.c b/src/ircam.c +index 8e7cdba8..3d73ba44 100644 +--- a/src/ircam.c ++++ b/src/ircam.c +@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf) + switch (encoding) + { case IRCAM_PCM_16 : + psf->bytewidth = 2 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ; + break ; + + case IRCAM_PCM_32 : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ; + break ; + + case IRCAM_FLOAT : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ; + break ; + + case IRCAM_ALAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ; + break ; + + case IRCAM_ULAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ; + break ; +From 3bcd291e57867f88f558fa6f80990e84311df78c Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Wed, 11 Oct 2023 16:12:22 -0400 +Subject: [PATCH] mat4/mat5: fix int overflow when calculating blockwidth + +Pre-cast the components of the blockwidth calculation to sf_count_t to +avoid overflowing integers during calculation. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/mat4.c | 2 +- + src/mat5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 575683ba..9f046f0c 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf) + + psf->container_close = mat4_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_16 : +diff --git a/src/mat5.c b/src/mat5.c +index da5a6eca..20f0ea64 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf) + + psf->container_close = mat5_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_U8 : +From c177e292d47ef73b1d3c1bb391320299a0ed2ff9 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Mon, 16 Oct 2023 12:37:47 -0400 +Subject: [PATCH] common: fix int overflow in psf_binheader_readf() + +The psf_binheader_readf() function attempts to count and return the +number of bytes traversed in the header. During this accumulation, it is +possible to overflow the int-sized byte_count variable. + +Avoid this overflow by checking that the accumulated bytes do not exceed +INT_MAX and throwing an error if they do. This implies that files with +multi-gigabyte headers threaten to produce this error, but I imagine +those files don't really exist - and this error is better than the +undefined behavior which would have resulted previously. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +--- + src/common.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1c3d951d..7f6cceca 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -18,6 +18,7 @@ + + #include <config.h> + ++#include <limits.h> + #include <stdarg.h> + #include <string.h> + #if HAVE_UNISTD_H +@@ -990,6 +991,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + double *doubleptr ; + char c ; + int byte_count = 0, count = 0 ; ++ int read_bytes = 0 ; + + if (! format) + return psf_ftell (psf) ; +@@ -998,6 +1000,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + + while ((c = *format++)) + { ++ read_bytes = 0 ; + if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16)) + break ; + +@@ -1014,7 +1017,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + *intptr = GET_MARKER (ucptr) ; + break ; + +@@ -1022,7 +1025,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; ++ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; + { int k ; + intdata = 0 ; + for (k = 0 ; k < 16 ; k++) +@@ -1034,14 +1037,14 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '1' : + charptr = va_arg (argptr, char*) ; + *charptr = 0 ; +- byte_count += header_read (psf, charptr, sizeof (char)) ; ++ read_bytes = header_read (psf, charptr, sizeof (char)) ; + break ; + + case '2' : /* 2 byte value with the current endian-ness */ + shortptr = va_arg (argptr, unsigned short*) ; + *shortptr = 0 ; + ucptr = (unsigned char*) shortptr ; +- byte_count += header_read (psf, ucptr, sizeof (short)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (short)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *shortptr = GET_BE_SHORT (ucptr) ; + else +@@ -1051,7 +1054,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '3' : /* 3 byte value with the current endian-ness */ + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 3) ; ++ read_bytes = header_read (psf, sixteen_bytes, 3) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = GET_BE_3BYTE (sixteen_bytes) ; + else +@@ -1062,7 +1065,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = psf_get_be32 (ucptr, 0) ; + else +@@ -1072,7 +1075,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case '8' : /* 8 byte value with the current endian-ness */ + countptr = va_arg (argptr, sf_count_t *) ; + *countptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 8) ; ++ read_bytes = header_read (psf, sixteen_bytes, 8) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + countdata = psf_get_be64 (sixteen_bytes, 0) ; + else +@@ -1083,7 +1086,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'f' : /* Float conversion */ + floatptr = va_arg (argptr, float *) ; + *floatptr = 0.0 ; +- byte_count += header_read (psf, floatptr, sizeof (float)) ; ++ read_bytes = header_read (psf, floatptr, sizeof (float)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *floatptr = float32_be_read ((unsigned char*) floatptr) ; + else +@@ -1093,7 +1096,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'd' : /* double conversion */ + doubleptr = va_arg (argptr, double *) ; + *doubleptr = 0.0 ; +- byte_count += header_read (psf, doubleptr, sizeof (double)) ; ++ read_bytes = header_read (psf, doubleptr, sizeof (double)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *doubleptr = double64_be_read ((unsigned char*) doubleptr) ; + else +@@ -1117,7 +1120,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + charptr = va_arg (argptr, char*) ; + count = va_arg (argptr, size_t) ; + memset (charptr, 0, count) ; +- byte_count += header_read (psf, charptr, count) ; ++ read_bytes = header_read (psf, charptr, count) ; + break ; + + case 'G' : +@@ -1128,7 +1131,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count)) + break ; + +- byte_count += header_gets (psf, charptr, count) ; ++ read_bytes = header_gets (psf, charptr, count) ; + break ; + + case 'z' : +@@ -1152,7 +1155,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'j' : /* Seek to position from current position. */ + count = va_arg (argptr, size_t) ; + header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ read_bytes = count ; + break ; + + case '!' : /* Clear buffer, forcing re-read. */ +@@ -1164,8 +1167,17 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + psf->error = SFE_INTERNAL ; + break ; + } ; ++ ++ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes)) ++ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ; ++ psf->error = SFE_INTERNAL ; ++ break ; ++ } else ++ { byte_count += read_bytes ; + } ; + ++ } ; /*end while*/ ++ + va_end (argptr) ; + + return byte_count ; +From a23d563386e7c8d93dcdbe7d5b1d63cad6009116 Mon Sep 17 00:00:00 2001 +From: Alex Stewart <alex.stewart@ni.com> +Date: Thu, 19 Oct 2023 14:07:19 -0400 +Subject: [PATCH] nms_adpcm: fix int overflow in signal estimate + +It is possible (though functionally incorrect) for the signal estimate +calculation in nms_adpcm_update() to overflow the int value of s_e, +resulting in undefined behavior. + +Since adpcm state signal values are never practically larger than +16 bits, use smaller numeric sizes throughout the file to avoid the +overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Authored-by: Arthur Taylor <art@ified.ca> +Signed-off-by: Alex Stewart <alex.stewart@ni.com> +Rebased-by: Alex Stewart <alex.stewart@ni.com> +--- + src/nms_adpcm.c | 85 ++++++++++++++++++++++++------------------------- + 1 file changed, 42 insertions(+), 43 deletions(-) + +diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c +index 96d6ad26..460ea077 100644 +--- a/src/nms_adpcm.c ++++ b/src/nms_adpcm.c +@@ -48,36 +48,36 @@ + /* Variable names from ITU G.726 spec */ + struct nms_adpcm_state + { /* Log of the step size multiplier. Operated on by codewords. */ +- int yl ; ++ short yl ; + + /* Quantizer step size multiplier. Generated from yl. */ +- int y ; ++ short y ; + +- /* Coefficents of the pole predictor */ +- int a [2] ; ++ /* Coefficients of the pole predictor */ ++ short a [2] ; + +- /* Coefficents of the zero predictor */ +- int b [6] ; ++ /* Coefficients of the zero predictor */ ++ short b [6] ; + + /* Previous quantized deltas (multiplied by 2^14) */ +- int d_q [7] ; ++ short d_q [7] ; + + /* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */ +- int p [3] ; ++ short p [3] ; + + /* Previous reconstructed signal values. */ +- int s_r [2] ; ++ short s_r [2] ; + + /* Zero predictor components of the signal estimate. */ +- int s_ez ; ++ short s_ez ; + + /* Signal estimate, (including s_ez). */ +- int s_e ; ++ short s_e ; + + /* The most recent codeword (enc:generated, dec:inputted) */ +- int Ik ; ++ char Ik ; + +- int parity ; ++ char parity ; + + /* + ** Offset into code tables for the bitrate. +@@ -109,7 +109,7 @@ typedef struct + } NMS_ADPCM_PRIVATE ; + + /* Pre-computed exponential interval used in the antilog approximation. */ +-static unsigned int table_expn [] = ++static unsigned short table_expn [] = + { 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a, + 0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892, + 0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954, +@@ -117,21 +117,21 @@ static unsigned int table_expn [] = + } ; + + /* Table mapping codewords to scale factor deltas. */ +-static int table_scale_factor_step [] = ++static short table_scale_factor_step [] = + { 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */ + -0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */ + -0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */ + } ; + + /* Table mapping codewords to quantized delta interval steps. */ +-static unsigned int table_step [] = ++static unsigned short table_step [] = + { 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */ + 0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */ + 0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */ + } ; + + /* Binary search lookup table for quantizing using table_step. */ +-static int table_step_search [] = ++static short table_step_search [] = + { 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */ + 0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */ + 0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */ +@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) + ** Maps [1,20480] to [1,1024] in an exponential relationship. This is + ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385 + */ +-static inline int +-nms_adpcm_antilog (int exp) +-{ int ret ; ++static inline short ++nms_adpcm_antilog (short exp) ++{ int_fast32_t r ; + +- ret = 0x1000 ; +- ret += (((exp & 0x3f) * 0x166b) >> 12) ; +- ret *= table_expn [(exp & 0x7c0) >> 6] ; +- ret >>= (26 - (exp >> 11)) ; ++ r = 0x1000 ; ++ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ; ++ r *= table_expn [(exp & 0x7c0) >> 6] ; ++ r >>= (26 - (exp >> 11)) ; + +- return ret ; ++ return (short) r ; + } /* nms_adpcm_antilog */ + + static void + nms_adpcm_update (struct nms_adpcm_state *s) + { /* Variable names from ITU G.726 spec */ +- int a1ul ; +- int fa1 ; ++ short a1ul, fa1 ; ++ int_fast32_t se ; + int i ; + + /* Decay and Modify the scale factor in the log domain based on the codeword. */ +@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + else if (fa1 > 256) + fa1 = 256 ; + +- s->a [0] = (0xff * s->a [0]) >> 8 ; ++ s->a [0] = (s->a [0] * 0xff) >> 8 ; + if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0)) + s->a [0] -= 192 ; + else +@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + fa1 = -fa1 ; + } + +- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ; ++ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ; + if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0)) + s->a [1] -= 128 ; + else +@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s) + s->a [0] = a1ul ; + } ; + +- /* Compute the zero predictor estimate. Rotate past deltas too. */ +- s->s_ez = 0 ; ++ /* Compute the zero predictor estimate and rotate past deltas. */ ++ se = 0 ; + for (i = 5 ; i >= 0 ; i--) +- { s->s_ez += s->d_q [i] * s->b [i] ; ++ { se += (int_fast32_t) s->d_q [i] * s->b [i] ; + s->d_q [i + 1] = s->d_q [i] ; + } ; ++ s->s_ez = se >> 14 ; + +- /* Compute the signal estimate. */ +- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ; +- +- /* Return to scale */ +- s->s_ez >>= 14 ; +- s->s_e >>= 14 ; ++ /* Complete the signal estimate. */ ++ se += (int_fast32_t) s->a [0] * s->s_r [0] ; ++ se += (int_fast32_t) s->a [1] * s->s_r [1] ; ++ s->s_e = se >> 14 ; + + /* Rotate members to prepare for next iteration. */ + s->s_r [1] = s->s_r [0] ; +@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s) + static int16_t + nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I) + { /* Variable names from ITU G.726 spec */ +- int dqx ; ++ int_fast32_t dqx ; + + /* + ** The ordering of the 12-bit right-shift is a precision loss. It agrees +@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type) + /* + ** nms_adpcm_encode_sample() + ** +-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword ++** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword + ** using and updating the predictor state. + */ + static uint8_t + nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + { /* Variable names from ITU G.726 spec */ +- int d ; ++ int_fast32_t d ; + uint8_t I ; + + /* Down scale the sample from 16 => ~14 bits. */ +- sl = (sl * 0x1fdf) / 0x7fff ; ++ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ; + + /* Compute estimate, and delta from actual value */ + nms_adpcm_update (s) ; +@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + */ + static int16_t + nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I) +-{ int sl ; ++{ int_fast32_t sl ; + + nms_adpcm_update (s) ; + sl = nms_adpcm_reconstruct_sample (s, I) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch new file mode 100644 index 0000000000..cb1778bede --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/noopus.patch @@ -0,0 +1,68 @@ +From 593256a3e386a4e17fe26cfbfb813cf4996447d7 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Mon, 4 Apr 2022 19:46:44 +0200 +Subject: [PATCH] Disable opus library + +We don't have opus in OE-Core which causes all the external libs to be disabled +silently. The silent issue is discussed in the link below and hints a patch +to make things configurable may be accepted. + +This patch removing the opus piece at least gets most of the functionality +we previously used back whilst the issue is discussed. + +Upstream-Status: Denied [https://github.com/libsndfile/libsndfile/pull/812] + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + configure.ac | 10 +++++----- + src/ogg_opus.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 727b67bc..f9d2e447 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -373,13 +373,13 @@ AS_IF([test -n "$PKG_CONFIG"], [ + enable_external_libs=yes + ]) + +- AS_IF([test "x$ac_cv_flac$ac_cv_ogg$ac_cv_vorbis$ac_cv_vorbisenc$ac_cv_opus" = "xyesyesyesyesyes"], [ ++ AS_IF([test "x$ac_cv_flac$ac_cv_ogg$ac_cv_vorbis$ac_cv_vorbisenc" = "xyesyesyesyes"], [ + HAVE_EXTERNAL_XIPH_LIBS=1 + enable_external_libs=yes + +- EXTERNAL_XIPH_CFLAGS="$FLAC_CFLAGS $VORBIS_CFLAGS $VORBISENC_CFLAGS $SPEEX_CFLAGS $OPUS_CFLAGS $OGG_CFLAGS " +- EXTERNAL_XIPH_LIBS="$FLAC_LIBS $VORBIS_LIBS $VORBISENC_LIBS $SPEEX_LIBS $OPUS_LIBS $OGG_LIBS " +- EXTERNAL_XIPH_REQUIRE="flac ogg vorbis vorbisenc opus" ++ EXTERNAL_XIPH_CFLAGS="$FLAC_CFLAGS $VORBIS_CFLAGS $VORBISENC_CFLAGS $SPEEX_CFLAGS $OGG_CFLAGS " ++ EXTERNAL_XIPH_LIBS="$FLAC_LIBS $VORBIS_LIBS $VORBISENC_LIBS $SPEEX_LIBS $OGG_LIBS " ++ EXTERNAL_XIPH_REQUIRE="flac ogg vorbis vorbisenc" + + if test x$ac_cv_speex = "xyes" ; then + EXTERNAL_XIPH_REQUIRE="$EXTERNAL_XIPH_REQUIRE speex" +@@ -788,7 +788,7 @@ AC_MSG_RESULT([ + + Experimental code : ................... ${enable_experimental:-no} + Using ALSA in example programs : ...... ${enable_alsa:-no} +- External FLAC/Ogg/Vorbis/Opus : ....... ${enable_external_libs:-no} ++ External FLAC/Ogg/Vorbis : ....... ${enable_external_libs:-no} + External MPEG Lame/MPG123 : ........... ${enable_mpeg:-no} + Building Octave interface : ........... ${OCTAVE_BUILD} + +diff --git a/src/ogg_opus.c b/src/ogg_opus.c +index dfa446ee..0d4fe57b 100644 +--- a/src/ogg_opus.c ++++ b/src/ogg_opus.c +@@ -159,7 +159,7 @@ + #include "sfendian.h" + #include "common.h" + +-#if HAVE_EXTERNAL_XIPH_LIBS ++#if 0 + + #include <ogg/ogg.h> + #include <opus/opus.h> +-- +2.30.2 + |