summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch25
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch43
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch26
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch27
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch25
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch37
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch97
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch28
-rw-r--r--media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch30
-rw-r--r--media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch35
-rw-r--r--media-sound/sox/sox-14.4.2-r1.ebuild13
11 files changed, 386 insertions, 0 deletions
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
new file mode 100644
index 000000000000..2b4448ed2d71
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
@@ -0,0 +1,25 @@
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3e80e692..3eaebfa7 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+ else
+ lsx_report("User options overriding channels read in .wav header");
+
++ if (ft->signal.channels == 0) {
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++ return SOX_EOF;
++ }
++
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+ ft->signal.rate = dwSamplesPerSecond;
+ else
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
new file mode 100644
index 000000000000..a9a5b2762199
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
@@ -0,0 +1,43 @@
+From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001
+Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:36:58 +0100
+Subject: [PATCH] Handle vorbis_analysis_headerout errors
+
+This is related to
+
+ https://github.com/xiph/vorbis/pull/34
+
+but could also happen today with on other errors in the called function.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236
+Forwarded: sox-devel@lists.sourceforge.net
+---
+ src/vorbis.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+Index: sox/src/vorbis.c
+===================================================================
+--- sox.orig/src/vorbis.c
++++ sox/src/vorbis.c
+@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma
+ vc.comment_lengths[i] = strlen(text);
+ }
+ }
+- vorbis_analysis_headerout( /* Build the packets */
+- &ve->vd, &vc, &header_main, &header_comments, &header_codebooks);
++ if (vorbis_analysis_headerout( /* Build the packets */
++ &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) {
++ ret = HEADER_ERROR;
++ goto cleanup;
++ }
+
+ ogg_stream_packetin(&ve->os, &header_main); /* And stream them out */
+ ogg_stream_packetin(&ve->os, &header_comments);
+@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma
+ while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK)
+ if (!oe_write_page(&ve->og, ft))
+ ret = HEADER_ERROR;
++cleanup:
+ for (i = 0; i < vc.comments; ++i)
+ free(vc.user_comments[i]);
+ free(vc.user_comments);
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
new file mode 100644
index 000000000000..6cd8c2bb15f6
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
@@ -0,0 +1,26 @@
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:43:35 +0000
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary
+ (CVE-2017-11358)
+
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index c62b020c..1b0e09dd 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft)
+ lsx_debug("%d %d",
+ p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson);
++ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
++ (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++ return SOX_EOF;
++ }
+ }
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+ if (rc)
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
new file mode 100644
index 000000000000..180d7d1c867b
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
@@ -0,0 +1,27 @@
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+---
+ src/wav.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3eaebfa7..fad334cf 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header)
+ long blocksWritten = 0;
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */
+
++ if (ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ dwSamplesPerSecond = ft->signal.rate;
+ wChannels = ft->signal.channels;
+ wBitsPerSample = ft->encoding.bits_per_sample;
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
new file mode 100644
index 000000000000..473c383a663a
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
@@ -0,0 +1,25 @@
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+Add the same check bad block size as was done for MS adpcm in commit
+f39c574b ("More checks for invalid MS ADPCM blocks").
+---
+ src/wav.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556c..3e80e692 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft)
+ /* work with partial blocks. Specs say it should be null */
+ /* padded but I guess this is better than trailing quiet. */
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+- if (samplesThisBlock == 0)
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+ {
+ lsx_warn("Premature EOF on .wav input file");
+ return 0;
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
new file mode 100644
index 000000000000..cde253da4ecb
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
@@ -0,0 +1,37 @@
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+---
+ src/flac.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: sox/src/flac.c
+===================================================================
+--- sox.orig/src/flac.c
++++ sox/src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL
+ p->total_samples = metadata->data.stream_info.total_samples;
+ }
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+ size_t i;
+
+- if (metadata->data.vorbis_comment.num_comments == 0)
++ if (vc->num_comments == 0)
+ return;
+
+ if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL
+ return;
+ }
+
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++ for (i = 0; i < vc->num_comments; ++i)
++ if (vc->comments[i].entry)
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+ }
+ }
+
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
new file mode 100644
index 000000000000..8671213a98f3
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
@@ -0,0 +1,97 @@
+From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 8 Nov 2017 00:29:14 +0000
+Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+---
+ src/adpcm.c | 8 +++++++-
+ src/adpcm.h | 3 +++
+ src/wav.c | 5 ++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: sox/src/adpcm.c
+===================================================================
+--- sox.orig/src/adpcm.c
++++ sox/src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] =
+ { 392,-232}
+ };
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++ return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+ sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s
+
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+ const unsigned char *ip;
+ unsigned ch;
+ const char *errmsg = NULL;
+- MsState_t state[4]; /* One decompressor state for each channel */
++ MsState_t *state = priv; /* One decompressor state for each channel */
+
+ /* Read the four-byte header for each channel */
+ ip = ibuff;
+Index: sox/src/adpcm.h
+===================================================================
+--- sox.orig/src/adpcm.h
++++ sox/src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+Index: sox/src/wav.c
+===================================================================
+--- sox.orig/src/wav.c
++++ sox/src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+ /* following used by *ADPCM wav files */
+ unsigned short nCoefs; /* ADPCM: number of coef sets */
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */
++ void *ms_adpcm_data; /* Private data of adpcm decoder */
+ unsigned char *packet; /* Temporary buffer for packets */
+ short *samples; /* interleaved samples buffer */
+ short *samplePtr; /* Pointer to current sample */
+@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so
+ }
+ }
+
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+
+ if (errmsg)
+ lsx_warn("%s", errmsg);
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft)
+
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+ {
+ int i, errct=0;
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+ free(wav->packet);
+ free(wav->samples);
+ free(wav->lsx_ms_adpcm_i_coefs);
++ free(wav->ms_adpcm_data);
+ free(wav->comment);
+ wav->comment = NULL;
+
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
new file mode 100644
index 000000000000..d43ef50d1012
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
@@ -0,0 +1,28 @@
+Description: This fixes a use after free and double free if an empty comment
+chunk follows a non-empty one.
+Author: Mans Rullgard <mans@mansr.com>
+Forwarded: not-needed
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: sox/src/aiff.c
+===================================================================
+--- sox.orig/src/aiff.c
++++ sox/src/aiff.c
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft)
+ size_t ssndsize = 0;
+ char *annotation;
+ char *author;
+- char *comment = NULL;
+ char *copyright;
+ char *nametext;
+
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft)
+ free(annotation);
+ }
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++ char *comment = NULL;
+ rc = commentChunk(&comment, "Comment:", ft);
+ if (rc) {
+ /* Fail already called in function */
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
new file mode 100644
index 000000000000..fd04bcdff131
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
@@ -0,0 +1,30 @@
+Description: A corrupt header specifying zero channels would send read_channels()
+into an infinite loop. Prevent this by sanity checking the channel
+count in open_read(). Also add an upper bound to prevent overflow
+in multiplication.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
+Author: Mans Rullgard <mans@mansr.com>
+ Jaromír Mikeš <mira.mikes@seznam.cz>
+Forwarded: not-needed
+
+---
+ src/xa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: sox/src/xa.c
+===================================================================
+--- sox.orig/src/xa.c
++++ sox/src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+ lsx_report("User options overriding rate read in .xa header");
+ }
+
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ /* Check for supported formats */
+ if (ft->encoding.bits_per_sample != 16) {
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
new file mode 100644
index 000000000000..4ebb31c0ae94
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
@@ -0,0 +1,35 @@
+Description: wavpack: check errors when initializing
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145
+Author: Eric Wong <normalperson@yhbt.net>
+ Jaromír Mikeš <mira.mikes@seznam.cz>
+Forwarded: not-needed
+
+ src/wavpack.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/wavpack.c b/src/wavpack.c
+index 9e525cd4..b7e8dafa 100644
+--- a/src/wavpack.c
++++ b/src/wavpack.c
+@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft)
+ char msg[80];
+
+ p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0);
++ if (!p->codec) {
++ lsx_fail_errno(ft, SOX_EHDR, "%s", msg);
++ return SOX_EOF;
++ }
+ ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3;
+ ft->signal.channels = WavpackGetNumChannels(p->codec);
+ if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec))
+@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft)
+ uint64_t size64;
+
+ p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL);
++ if (!p->codec) {
++ lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance");
++ return SOX_EOF;
++ }
+ memset(&config, 0, sizeof(config));
+ config.bytes_per_sample = ft->encoding.bits_per_sample >> 3;
+ config.bits_per_sample = ft->encoding.bits_per_sample;
diff --git a/media-sound/sox/sox-14.4.2-r1.ebuild b/media-sound/sox/sox-14.4.2-r1.ebuild
index 8ebda3df10b8..d757a4e70b42 100644
--- a/media-sound/sox/sox-14.4.2-r1.ebuild
+++ b/media-sound/sox/sox-14.4.2-r1.ebuild
@@ -46,6 +46,19 @@ DEPEND="${RDEPEND}
DOCS=( AUTHORS ChangeLog NEWS README )
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2017-11332.patch
+ "${FILESDIR}"/${P}-CVE-2017-11333.patch
+ "${FILESDIR}"/${P}-CVE-2017-11358.patch
+ "${FILESDIR}"/${P}-CVE-2017-11359.patch
+ "${FILESDIR}"/${P}-CVE-2017-15370.patch
+ "${FILESDIR}"/${P}-CVE-2017-15371.patch
+ "${FILESDIR}"/${P}-CVE-2017-15372.patch
+ "${FILESDIR}"/${P}-CVE-2017-15642.patch
+ "${FILESDIR}"/${P}-CVE-2017-18189.patch
+ "${FILESDIR}"/${P}-wavpack-chk-errors-on-init.patch
+)
+
src_prepare() {
default
sed -i -e 's:CFLAGS="-g":CFLAGS="$CFLAGS -g":' configure.ac || die #386027