diff options
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch')
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch deleted file mode 100644 index a4679cef2a..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch +++ /dev/null @@ -1,107 +0,0 @@ -This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 -CVE-2017-17457). As per -https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also -fixes #317 (CVE-2017-14245 CVE-2017-14246). - -CVE: CVE-2017-14245 CVE-2017-14246 -CVE: CVE-2017-17456 CVE-2017-17457 -CVE: CVE-2018-19661 CVE-2018-19662 - -Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 7 Jan 2019 15:55:03 +0800 -Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) - -i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN -properly, leading to buffer underflow. INT_MIN is a special value -since - INT_MIN cannot be represented as int. - -In this case round - INT_MIN to INT_MAX and proceed as usual. - -f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN -properly, leading to null pointer dereference. - -In this case, arbitrarily set the buffer value to 0. - -This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and -fixes #344 (CVE-2017-17456 and CVE-2017-17457). - ---- - src/alaw.c | 9 +++++++-- - src/ulaw.c | 9 +++++++-- - 2 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/src/alaw.c b/src/alaw.c -index 063fd1a..4220224 100644 ---- a/src/alaw.c -+++ b/src/alaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2alaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; - else - buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; -@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; -diff --git a/src/ulaw.c b/src/ulaw.c -index e50b4cb..b6070ad 100644 ---- a/src/ulaw.c -+++ b/src/ulaw.c -@@ -19,6 +19,7 @@ - #include "sfconfig.h" - - #include <math.h> -+#include <limits.h> - - #include "sndfile.h" - #include "common.h" -@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) - static inline void - i2ulaw_array (const int *ptr, int count, unsigned char *buffer) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (ptr [count] == INT_MIN) -+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; - else - buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; -@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact - static inline void - d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) - { while (--count >= 0) -- { if (ptr [count] >= 0) -+ { if (!isfinite (ptr [count])) -+ buffer [count] = 0 ; -+ else if (ptr [count] >= 0) - buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; - else - buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; --- -2.7.4 - |