[SCM] sox/master: Add patches to fix CVE's.

mira-guest at users.alioth.debian.org mira-guest at users.alioth.debian.org
Sun Nov 5 21:17:18 UTC 2017


The following commit has been merged in the master branch:
commit e1ce22edecc52bfe9b1e03623ee19678be2a3321
Author: Jaromír Mikeš <mira.mikes at seznam.cz>
Date:   Sun Nov 5 22:04:44 2017 +0100

    Add patches to fix CVE's.

diff --git a/debian/patches/0005-CVE-2017-15371.patch b/debian/patches/0005-CVE-2017-15371.patch
new file mode 100644
index 0000000..6b10f34
--- /dev/null
+++ b/debian/patches/0005-CVE-2017-15371.patch
@@ -0,0 +1,36 @@
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans at mansr.com>
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+---
+ src/flac.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/flac.c b/src/flac.c
+index 0d7829ec..07f45c1b 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FLAC__StreamDecoder const * const flac, FL
+     p->total_samples = metadata->data.stream_info.total_samples;
+   }
+   else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++    const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+     size_t i;
+ 
+-    if (metadata->data.vorbis_comment.num_comments == 0)
++    if (vc->num_comments == 0)
+       return;
+ 
+     if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FLAC__StreamDecoder const * const flac, FL
+       return;
+     }
+ 
+-    for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+-      sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++    for (i = 0; i < vc->num_comments; ++i)
++      if (vc->comments[i].entry)
++        sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+   }
+ }
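Review bot: None of the five file sections on this page touches `debian/patches/series`, so unless that file is updated in a separate commit these patches are added to the tree without being applied at build time; the series entries should land together with the patch files. In the flac change itself, the loop `for (i = 0; i < vc->num_comments; ++i)` now carries a nested `if` with no braces, and nothing says why an entry can be null. Bracing the loop body and adding a comment such as `/* corrupt metadata can leave entry NULL; skip it rather than pass it on */` would make the guard's purpose clear. The entry is still handed on as a C string, so the code relies on the decoder library NUL-terminating it, which is presumably guaranteed but worth stating in that comment. decoder_metadata_callback starts outside the inner hunk.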
diff --git a/debian/patches/0006-CVE-2017-11358.patch b/debian/patches/0006-CVE-2017-11358.patch
new file mode 100644
index 0000000..6cd8c2b
--- /dev/null
+++ b/debian/patches/0006-CVE-2017-11358.patch
@@ -0,0 +1,26 @@
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans at mansr.com>
+Date: Sun, 5 Nov 2017 16:43:35 +0000
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary
+ (CVE-2017-11358)
+
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index c62b020c..1b0e09dd 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft)
+                 lsx_debug("%d %d",
+                        p->dictionary[i].dict_leftson,
+                        p->dictionary[i].dict_rightson);
++                if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
++                    (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
++                        lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++                        return SOX_EOF;
++                }
+         }
+         rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+         if (rc)
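Review bot: The casts in `(unsigned) p->dictionary[i].dict_leftson >= dictsize` turn every negative son into a very large value, so any entry with a negative `dict_leftson` or `dict_rightson` is now rejected as invalid. The fields are signed (they are logged with `%d` just above), and if the decoder uses a negative `dict_leftson` as a leaf marker with `dict_rightson` holding the sample value, well-formed files would fail here with "Invalid dictionary"; that is not visible in this hunk, so confirm it against the read path. In that case the index test should apply only to interior nodes, for example by guarding it with `p->dictionary[i].dict_leftson >= 0 &&`. startread continues outside the hunk, so whether `p->dictionary` is released on this new early return cannot be checked from here.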
diff --git a/debian/patches/0007-CVE-2017-15370.patch b/debian/patches/0007-CVE-2017-15370.patch
new file mode 100644
index 0000000..473c383
--- /dev/null
+++ b/debian/patches/0007-CVE-2017-15370.patch
@@ -0,0 +1,25 @@
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans at mansr.com>
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+Add the same check bad block size as was done for MS adpcm in commit
+f39c574b ("More checks for invalid MS ADPCM blocks").
+---
+ src/wav.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556c..3e80e692 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -127,7 +127,7 @@ static unsigned short  ImaAdpcmReadBlock(sox_format_t * ft)
+         /* work with partial blocks.  Specs say it should be null */
+         /* padded but I guess this is better than trailing quiet. */
+         samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+-        if (samplesThisBlock == 0)
++        if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+         {
+             lsx_warn("Premature EOF on .wav input file");
+             return 0;
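Review bot: The new `samplesThisBlock > wav->samplesPerBlock` case reuses the "Premature EOF on .wav input file" warning, which misreports an oversized block as a truncated file and makes corrupt input harder to triage from logs. Splitting the condition so the oversize case logs its own message, for example `lsx_warn("Invalid IMA ADPCM block size in .wav input file");`, keeps the two failure modes distinguishable. A one-line comment saying that `samplesPerBlock` is the bound the decode buffer was sized for would also document why the upper limit matters, if that is indeed the case; the allocation is outside the hunk. ImaAdpcmReadBlock starts and ends outside the hunk.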
diff --git a/debian/patches/0008-CVE-2017-11332.patch b/debian/patches/0008-CVE-2017-11332.patch
new file mode 100644
index 0000000..80204b6
--- /dev/null
+++ b/debian/patches/0008-CVE-2017-11332.patch
@@ -0,0 +1,26 @@
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans at mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3e80e692..3eaebfa7 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+     else
+         lsx_report("User options overriding channels read in .wav header");
+ 
++    if (ft->signal.channels == 0) {
++        lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++        return SOX_EOF;
++    }
++
+     if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+         ft->signal.rate = dwSamplesPerSecond;
+     else
+
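Review bot: The added `if (ft->signal.channels == 0)` check has no comment saying why a zero channel count is fatal, and its position after the user-override branch is what lets it cover both header-supplied and option-supplied values. A short comment such as `/* checked after the override so neither the header nor user options can leave channels at zero (CVE-2017-11332) */` would stop a later reorder from moving it above that branch. startread continues outside the hunk, so the later uses of the channel count cannot be seen from here.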
diff --git a/debian/patches/0009-CVE-2017-11359.patch b/debian/patches/0009-CVE-2017-11359.patch
new file mode 100644
index 0000000..180d7d1
--- /dev/null
+++ b/debian/patches/0009-CVE-2017-11359.patch
@@ -0,0 +1,27 @@
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans at mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+---
+ src/wav.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3eaebfa7..fad334cf 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header)
+     long blocksWritten = 0;
+     sox_bool isExtensible = sox_false;    /* WAVE_FORMAT_EXTENSIBLE? */
+ 
++    if (ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     dwSamplesPerSecond = ft->signal.rate;
+     wChannels = ft->signal.channels;
+     wBitsPerSample = ft->encoding.bits_per_sample;
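Review bot: `lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", ...)` passes the function's return status as the error code, whereas the other checks added in this commit pass an error class (`SOX_EHDR`). A code that describes the failure, e.g. `lsx_fail_errno(ft, SOX_EINVAL, "Too many channels (%u)", ft->signal.channels);`, would keep the reported error meaningful to callers that inspect it. `UINT16_MAX` also needs `<stdint.h>` in scope; the include block is outside the hunk, so confirm it is there. wavwritehdr continues outside the hunk.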

-- 
sox packaging


