[SCM] audiofile/debian/jessie: Import Debian changes 0.3.6-2+deb8u2
sramacher at users.alioth.debian.org
sramacher at users.alioth.debian.org
Thu Mar 23 08:28:51 UTC 2017
The following commit has been merged in the debian/jessie branch:
commit 242f0192363e1c3148116d58942ad2624a311425
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat Mar 18 19:28:56 2017 +0100
Import Debian changes 0.3.6-2+deb8u2
audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* Address several vulnerabilities (Closes: #857651)
- Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
- clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
- Check for multiplication overflow in sfconvert (CVE-2017-6830
CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
- Actually fail when error occurs in parseFormat (CVE-2017-6831)
- Check for multiplication overflow in MSADPCM decodeSample
(CVE-2017-6839)
* Fix signature of multiplyCheckOverflow. It returns a bool, not an int
* Check for division by zero in BlockCodec::runPull
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index b408e6c..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/.pc
diff --git a/debian/changelog b/debian/changelog
index 9f9f1f2..9819ae1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+audiofile (0.3.6-2+deb8u2) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Address several vulnerabilities (Closes: #857651)
+ - Always check the number of coefficients (CVE-2017-6827 CVE-2017-6828
+ CVE-2017-6832 CVE-2017-6833 CVE-2017-6835 CVE-2017-6837)
+ - clamp index values to fix index overflow in IMA.cpp (CVE-2017-6829)
+ - Check for multiplication overflow in sfconvert (CVE-2017-6830
+ CVE-2017-6834 CVE-2017-6836 CVE-2017-6838)
+ - Actually fail when error occurs in parseFormat (CVE-2017-6831)
+ - Check for multiplication overflow in MSADPCM decodeSample
+ (CVE-2017-6839)
+ * Fix signature of multiplyCheckOverflow. It returns a bool, not an int
+ * Check for division by zero in BlockCodec::runPull
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 18 Mar 2017 19:28:56 +0100
+
audiofile (0.3.6-2+deb8u1) jessie; urgency=high
* Team upload.
diff --git a/debian/patches/Actually-fail-when-error-occurs-in-parseFormat.patch b/debian/patches/Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 0000000..158e6e4
--- /dev/null
+++ b/debian/patches/Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,40 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ {
+ _af_error(AF_BAD_NOT_IMPLEMENTED,
+ "IMA ADPCM compression supports only 4 bits per sample");
++ return AF_FAIL;
+ }
+
+ int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ {
+ _af_error(AF_BAD_CODEC_CONFIG,
+ "Invalid samples per block for IMA ADPCM compression");
++ return AF_FAIL;
+ }
+
+ track->f.sampleWidth = 16;
+--
+2.11.0
+
diff --git a/debian/patches/Always-check-the-number-of-coefficients.patch b/debian/patches/Always-check-the-number-of-coefficients.patch
new file mode 100644
index 0000000..292fdfe
--- /dev/null
+++ b/debian/patches/Always-check-the-number-of-coefficients.patch
@@ -0,0 +1,34 @@
+From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Mon, 6 Mar 2017 12:51:22 +0100
+Subject: [PATCH] Always check the number of coefficients
+
+When building the library with NDEBUG, asserts are eliminated
+so it's better to always check that the number of coefficients
+is inside the array range.
+
+This fixes the 00191-audiofile-indexoob issue in #41
+---
+ libaudiofile/WAVE.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..61f9541 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+
+ /* numCoefficients should be at least 7. */
+ assert(numCoefficients >= 7 && numCoefficients <= 255);
++ if (numCoefficients < 7 || numCoefficients > 255)
++ {
++ _af_error(AF_BAD_HEADER,
++ "Bad number of coefficients");
++ return AF_FAIL;
++ }
+
+ m_msadpcmNumCoefficients = numCoefficients;
+
+--
+2.11.0
+
diff --git a/debian/patches/Check-for-division-by-zero-in-BlockCodec-runPull.patch b/debian/patches/Check-for-division-by-zero-in-BlockCodec-runPull.patch
new file mode 100644
index 0000000..e001133
--- /dev/null
+++ b/debian/patches/Check-for-division-by-zero-in-BlockCodec-runPull.patch
@@ -0,0 +1,21 @@
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Thu, 9 Mar 2017 10:21:18 +0100
+Subject: Check for division by zero in BlockCodec::runPull
+
+---
+ libaudiofile/modules/BlockCodec.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 4731be1..eb2fb4d 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
++++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -47,7 +47,7 @@ void BlockCodec::runPull()
+
+ // Read the compressed data.
+ ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount);
+- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0;
++ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0;
+
+ // Decompress into m_outChunk.
+ for (int i=0; i<blocksRead; i++)
diff --git a/debian/patches/Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/debian/patches/Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
new file mode 100644
index 0000000..84be8b8
--- /dev/null
+++ b/debian/patches/Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,120 @@
+From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Mon, 6 Mar 2017 13:43:53 +0100
+Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
+
+Check for multiplication overflow (using __builtin_mul_overflow
+if available) in MSADPCM.cpp decodeSample and return an empty
+decoded block if an error occurs.
+
+This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
+---
+ libaudiofile/modules/BlockCodec.cpp | 5 ++--
+ libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++----
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 45925e8..4731be1 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
++++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -52,8 +52,9 @@ void BlockCodec::runPull()
+ // Decompress into m_outChunk.
+ for (int i=0; i<blocksRead; i++)
+ {
+- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
++ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
++ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
++ break;
+
+ framesRead += m_framesPerPacket;
+ }
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index 8ea3c85..ef9c38c 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
++++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
+ 768, 614, 512, 409, 307, 230, 230, 230
+ };
+
++int firstBitSet(int x)
++{
++ int position=0;
++ while (x!=0)
++ {
++ x>>=1;
++ ++position;
++ }
++ return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++ return __builtin_mul_overflow(a, b, result);
++#else
++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++ return true;
++ *result = a * b;
++ return false;
++#endif
++}
++
++
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+- uint8_t code, const int16_t *coefficient)
++ uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+ int linearSample = (state.sample1 * coefficient[0] +
+ state.sample2 * coefficient[1]) >> 8;
++ int delta;
+
+ linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+
+ linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+
+- int delta = (state.delta * adaptationTable[code]) >> 8;
++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
++ {
++ if (ok) *ok=false;
++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
++ return 0;
++ }
++ delta >>= 8;
+ if (delta < 16)
+ delta = 16;
+
+ state.delta = delta;
+ state.sample2 = state.sample1;
+ state.sample1 = linearSample;
++ if (ok) *ok=true;
+
+ return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
+ {
+ uint8_t code;
+ int16_t newSample;
++ bool ok;
+
+ code = *encoded >> 4;
+- newSample = decodeSample(*state[0], code, coefficient[0]);
++ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ code = *encoded & 0x0f;
+- newSample = decodeSample(*state[1], code, coefficient[1]);
++ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ encoded++;
+--
+2.11.0
+
diff --git a/debian/patches/Check-for-multiplication-overflow-in-sfconvert.patch b/debian/patches/Check-for-multiplication-overflow-in-sfconvert.patch
new file mode 100644
index 0000000..46c7457
--- /dev/null
+++ b/debian/patches/Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,70 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH] Check for multiplication overflow in sfconvert
+
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+
++int firstBitSet(int x)
++{
++ int position=0;
++ while (x!=0)
++ {
++ x>>=1;
++ ++position;
++ }
++ return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++ return __builtin_mul_overflow(a, b, result);
++#else
++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++ return true;
++ *result = a * b;
++ return false;
++#endif
++}
++
+ int main (int argc, char **argv)
+ {
+ if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+ int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+
+- const int kBufferFrameCount = 65536;
+- void *buffer = malloc(kBufferFrameCount * frameSize);
++ int kBufferFrameCount = 65536;
++ int bufferSize;
++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
++ kBufferFrameCount /= 2;
++ void *buffer = malloc(bufferSize);
+
+ AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+ AFframecount totalFramesWritten = 0;
+--
+2.11.0
+
diff --git a/debian/patches/Fix-signature-of-multiplyCheckOverflow.-It-returns-a.patch b/debian/patches/Fix-signature-of-multiplyCheckOverflow.-It-returns-a.patch
new file mode 100644
index 0000000..d667ba8
--- /dev/null
+++ b/debian/patches/Fix-signature-of-multiplyCheckOverflow.-It-returns-a.patch
@@ -0,0 +1,40 @@
+From ce536d707b8e2a26baca77320398c45238224ca7 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Fri, 10 Mar 2017 15:40:02 +0100
+Subject: [PATCH] Fix signature of multiplyCheckOverflow. It returns a bool,
+ not an int
+
+---
+ libaudiofile/modules/MSADPCM.cpp | 2 +-
+ sfcommands/sfconvert.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index ef9c38c..d8c9553 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
++++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -116,7 +116,7 @@ int firstBitSet(int x)
+ #define __has_builtin(x) 0
+ #endif
+
+-int multiplyCheckOverflow(int a, int b, int *result)
++bool multiplyCheckOverflow(int a, int b, int *result)
+ {
+ #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+ return __builtin_mul_overflow(a, b, result);
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 970a3e4..367f7a5 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -60,7 +60,7 @@ int firstBitSet(int x)
+ #define __has_builtin(x) 0
+ #endif
+
+-int multiplyCheckOverflow(int a, int b, int *result)
++bool multiplyCheckOverflow(int a, int b, int *result)
+ {
+ #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+ return __builtin_mul_overflow(a, b, result);
+--
+2.11.0
+
diff --git a/debian/patches/clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/debian/patches/clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
new file mode 100644
index 0000000..83b0e06
--- /dev/null
+++ b/debian/patches/clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,37 @@
+From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa at kde.org>
+Date: Mon, 6 Mar 2017 18:02:31 +0100
+Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
+
+This fixes #33
+(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
+and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
+---
+ libaudiofile/modules/IMA.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
+index 7476d44..df4aad6 100644
+--- a/libaudiofile/modules/IMA.cpp
++++ b/libaudiofile/modules/IMA.cpp
+@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
+ if (encoded[1] & 0x80)
+ m_adpcmState[c].previousValue -= 0x10000;
+
+- m_adpcmState[c].index = encoded[2];
++ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+
+ *decoded++ = m_adpcmState[c].previousValue;
+
+@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
+ predictor -= 0x10000;
+
+ state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+- state.index = encoded[1] & 0x7f;
++ state.index = clamp(encoded[1] & 0x7f, 0, 88);
+ encoded += 2;
+
+ for (int n=0; n<m_framesPerPacket; n+=2)
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index b317802..b7d61a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,8 @@
CVE-2015-7747.patch
+Always-check-the-number-of-coefficients.patch
+clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
+Check-for-multiplication-overflow-in-sfconvert.patch
+Actually-fail-when-error-occurs-in-parseFormat.patch
+Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
+Fix-signature-of-multiplyCheckOverflow.-It-returns-a.patch
+Check-for-division-by-zero-in-BlockCodec-runPull.patch
--
audiofile packaging
More information about the pkg-multimedia-commits
mailing list