diff options
Diffstat (limited to 'media-sound/sox/files')
10 files changed, 0 insertions, 373 deletions
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch deleted file mode 100644 index 2b4448ed2d71..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Sun, 5 Nov 2017 16:29:28 +0000 -Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) - ---- - src/wav.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/wav.c b/src/wav.c -index 3e80e692..3eaebfa7 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft) - else - lsx_report("User options overriding channels read in .wav header"); - -+ if (ft->signal.channels == 0) { -+ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero"); -+ return SOX_EOF; -+ } -+ - if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond) - ft->signal.rate = dwSamplesPerSecond; - else diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch deleted file mode 100644 index a9a5b2762199..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001 -Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@sigxcpu.org> -From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> -Date: Wed, 15 Nov 2017 18:36:58 +0100 -Subject: [PATCH] Handle vorbis_analysis_headerout errors - -This is related to - - https://github.com/xiph/vorbis/pull/34 - -but could also happen today with on other errors in the called function. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236 -Forwarded: sox-devel@lists.sourceforge.net ---- - src/vorbis.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -Index: sox/src/vorbis.c -=================================================================== ---- sox.orig/src/vorbis.c -+++ sox/src/vorbis.c -@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma - vc.comment_lengths[i] = strlen(text); - } - } -- vorbis_analysis_headerout( /* Build the packets */ -- &ve->vd, &vc, &header_main, &header_comments, &header_codebooks); -+ if (vorbis_analysis_headerout( /* Build the packets */ -+ &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) { -+ ret = HEADER_ERROR; -+ goto cleanup; -+ } - - ogg_stream_packetin(&ve->os, &header_main); /* And stream them out */ - ogg_stream_packetin(&ve->os, &header_comments); -@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma - while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK) - if (!oe_write_page(&ve->og, ft)) - ret = HEADER_ERROR; -+cleanup: - for (i = 0; i < vc.comments; ++i) - free(vc.user_comments[i]); - free(vc.user_comments); diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch deleted file mode 100644 index 6cd8c2bb15f6..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Sun, 5 Nov 2017 16:43:35 +0000 -Subject: [PATCH] hcom: fix crash on input with corrupt dictionary - (CVE-2017-11358) - ---- - src/hcom.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/hcom.c b/src/hcom.c -index c62b020c..1b0e09dd 100644 ---- a/src/hcom.c -+++ b/src/hcom.c -@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft) - lsx_debug("%d %d", - p->dictionary[i].dict_leftson, - p->dictionary[i].dict_rightson); -+ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || -+ (unsigned) p->dictionary[i].dict_rightson >= dictsize) { -+ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); -+ return SOX_EOF; -+ } - } - rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ - if (rc) diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch deleted file mode 100644 index 180d7d1c867b..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Sun, 5 Nov 2017 17:02:11 +0000 -Subject: [PATCH] wav: fix crash writing header when channel count >64k - (CVE-2017-11359) - ---- - src/wav.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/wav.c b/src/wav.c -index 3eaebfa7..fad334cf 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header) - long blocksWritten = 0; - sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ - -+ if (ft->signal.channels > UINT16_MAX) { -+ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", -+ ft->signal.channels); -+ return SOX_EOF; -+ } -+ - dwSamplesPerSecond = ft->signal.rate; - wChannels = ft->signal.channels; - wBitsPerSample = ft->encoding.bits_per_sample; diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch deleted file mode 100644 index 473c383a663a..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch +++ /dev/null @@ -1,25 +0,0 @@ -From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Sun, 5 Nov 2017 16:21:23 +0000 -Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input - (CVE-2017-15370) - -Add the same check bad block size as was done for MS adpcm in commit -f39c574b ("More checks for invalid MS ADPCM blocks"). ---- - src/wav.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/wav.c b/src/wav.c -index 5202556c..3e80e692 100644 ---- a/src/wav.c -+++ b/src/wav.c -@@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft) - /* work with partial blocks. Specs say it should be null */ - /* padded but I guess this is better than trailing quiet. */ - samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0); -- if (samplesThisBlock == 0) -+ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) - { - lsx_warn("Premature EOF on .wav input file"); - return 0; diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch deleted file mode 100644 index cde253da4ecb..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Sun, 5 Nov 2017 15:57:48 +0000 -Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) - ---- - src/flac.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -Index: sox/src/flac.c -=================================================================== ---- sox.orig/src/flac.c -+++ sox/src/flac.c -@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL - p->total_samples = metadata->data.stream_info.total_samples; - } - else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) { -+ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment; - size_t i; - -- if (metadata->data.vorbis_comment.num_comments == 0) -+ if (vc->num_comments == 0) - return; - - if (ft->oob.comments != NULL) { -@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL - return; - } - -- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i) -- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry); -+ for (i = 0; i < vc->num_comments; ++i) -+ if (vc->comments[i].entry) -+ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry); - } - } - diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch deleted file mode 100644 index 8671213a98f3..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001 -From: Mans Rullgard <mans@mansr.com> -Date: Wed, 8 Nov 2017 00:29:14 +0000 -Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372) - ---- - src/adpcm.c | 8 +++++++- - src/adpcm.h | 3 +++ - src/wav.c | 5 ++++- - 3 files changed, 14 insertions(+), 2 deletions(-) - -Index: sox/src/adpcm.c -=================================================================== ---- sox.orig/src/adpcm.c -+++ sox/src/adpcm.c -@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = - { 392,-232} - }; - -+extern void *lsx_ms_adpcm_alloc(unsigned chans) -+{ -+ return lsx_malloc(chans * sizeof(MsState_t)); -+} -+ - static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, - sox_sample_t sample1, sox_sample_t sample2) - { -@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s - - /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ - const char *lsx_ms_adpcm_block_expand_i( -+ void *priv, - unsigned chans, /* total channels */ - int nCoef, - const short *coef, -@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( - const unsigned char *ip; - unsigned ch; - const char *errmsg = NULL; -- MsState_t state[4]; /* One decompressor state for each channel */ -+ MsState_t *state = priv; /* One decompressor state for each channel */ - - /* Read the four-byte header for each channel */ - ip = ibuff; -Index: sox/src/adpcm.h -=================================================================== ---- sox.orig/src/adpcm.h -+++ sox/src/adpcm.h -@@ -29,8 +29,11 @@ - /* default coef sets */ - extern const short lsx_ms_adpcm_i_coef[7][2]; - -+extern void *lsx_ms_adpcm_alloc(unsigned chans); -+ - /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ - extern const char *lsx_ms_adpcm_block_expand_i( -+ void *priv, - unsigned chans, /* total channels */ - int nCoef, - const short *coef, -Index: sox/src/wav.c -=================================================================== ---- sox.orig/src/wav.c -+++ sox/src/wav.c -@@ -82,6 +82,7 @@ typedef struct { - /* following used by *ADPCM wav files */ - unsigned short nCoefs; /* ADPCM: number of coef sets */ - short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ -+ void *ms_adpcm_data; /* Private data of adpcm decoder */ - unsigned char *packet; /* Temporary buffer for packets */ - short *samples; /* interleaved samples buffer */ - short *samplePtr; /* Pointer to current sample */ -@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so - } - } - -- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); -+ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); - - if (errmsg) - lsx_warn("%s", errmsg); -@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft) - - /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ - wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); -+ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); - { - int i, errct=0; - for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { -@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft) - free(wav->packet); - free(wav->samples); - free(wav->lsx_ms_adpcm_i_coefs); -+ free(wav->ms_adpcm_data); - free(wav->comment); - wav->comment = NULL; - diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch deleted file mode 100644 index d43ef50d1012..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch +++ /dev/null @@ -1,28 +0,0 @@ -Description: This fixes a use after free and double free if an empty comment -chunk follows a non-empty one. -Author: Mans Rullgard <mans@mansr.com> -Forwarded: not-needed ---- - src/aiff.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: sox/src/aiff.c -=================================================================== ---- sox.orig/src/aiff.c -+++ sox/src/aiff.c -@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft) - size_t ssndsize = 0; - char *annotation; - char *author; -- char *comment = NULL; - char *copyright; - char *nametext; - -@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft) - free(annotation); - } - else if (strncmp(buf, "COMT", (size_t)4) == 0) { -+ char *comment = NULL; - rc = commentChunk(&comment, "Comment:", ft); - if (rc) { - /* Fail already called in function */ diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch deleted file mode 100644 index fd04bcdff131..000000000000 --- a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch +++ /dev/null @@ -1,30 +0,0 @@ -Description: A corrupt header specifying zero channels would send read_channels() -into an infinite loop. Prevent this by sanity checking the channel -count in open_read(). Also add an upper bound to prevent overflow -in multiplication. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 -Author: Mans Rullgard <mans@mansr.com> - Jaromír Mikeš <mira.mikes@seznam.cz> -Forwarded: not-needed - ---- - src/xa.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -Index: sox/src/xa.c -=================================================================== ---- sox.orig/src/xa.c -+++ sox/src/xa.c -@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) - lsx_report("User options overriding rate read in .xa header"); - } - -+ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { -+ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", -+ ft->signal.channels); -+ return SOX_EOF; -+ } -+ - /* Check for supported formats */ - if (ft->encoding.bits_per_sample != 16) { - lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch deleted file mode 100644 index 4ebb31c0ae94..000000000000 --- a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch +++ /dev/null @@ -1,35 +0,0 @@ -Description: wavpack: check errors when initializing -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145 -Author: Eric Wong <normalperson@yhbt.net> - Jaromír Mikeš <mira.mikes@seznam.cz> -Forwarded: not-needed - - src/wavpack.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/wavpack.c b/src/wavpack.c -index 9e525cd4..b7e8dafa 100644 ---- a/src/wavpack.c -+++ b/src/wavpack.c -@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft) - char msg[80]; - - p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0); -+ if (!p->codec) { -+ lsx_fail_errno(ft, SOX_EHDR, "%s", msg); -+ return SOX_EOF; -+ } - ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3; - ft->signal.channels = WavpackGetNumChannels(p->codec); - if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec)) -@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft) - uint64_t size64; - - p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL); -+ if (!p->codec) { -+ lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance"); -+ return SOX_EOF; -+ } - memset(&config, 0, sizeof(config)); - config.bytes_per_sample = ft->encoding.bits_per_sample >> 3; - config.bits_per_sample = ft->encoding.bits_per_sample; |