Hello community, here is the log from the commit of package audiofile for openSUSE:Factory checked in at 2017-06-12 15:26:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/audiofile (Old) and /work/SRC/openSUSE:Factory/.audiofile.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "audiofile" Mon Jun 12 15:26:55 2017 rev:37 rq:501854 version:0.3.6 Changes: -------- --- /work/SRC/openSUSE:Factory/audiofile/audiofile.changes 2016-02-16 09:26:48.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.audiofile.new/audiofile.changes 2017-06-12 15:26:57.574670650 +0200 @@ -1,0 +2,27 @@ +Thu Mar 9 10:37:05 UTC 2017 - alarr...@suse.com + +- Add 0001-Always-check-the-number-of-coefficients.patch to put in code + an assert that was removed when building the code for a release + which checks the number of coeficients in WAVE.cpp . +- Add 0002-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch + to check for a multiplication overflow in MSADPCM.cpp . +- Add 0003-Check-for-multiplication-overflow-in-sfconvert.patch to + check that a multiplication doesn't overflow when calculating a + buffer size and reduce it if necessary. +- Add 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch + to clamp index values to fix an index overflow in IMA.cpp . +- Add 0005-Actually-fail-when-error-occurs-in-parseFormat.patch + so when there's an unsupported number of bits per sample or an invalid + number of samples per block, don't only print an error message using + the error handler, but actually stop parsing the file. +- Add 0006-Check-for-division-by-zero-in-BlockCodec-runPull.patch to + check for division by zero in BlockCodec::runPull +- These patches fix boo#1026978 (CVE-2017-6837, CVE-2017-6838, + CVE-2017-6839), boo#1026979 (CVE-2017-6827), + boo#1026980 (CVE-2017-6828), boo#1026981 (CVE-2017-6829), + boo#1026982 (CVE-2017-6830), boo#1026983 (CVE-2017-6831), + boo#1026984 (CVE-2017-6832), boo#1026985 (CVE-2017-6833), + boo#1026986 (CVE-2017-6834), boo#1026987 (CVE-2017-6836), + boo#1026988 (CVE-2017-6835). + +------------------------------------------------------------------- New: ---- 0001-Always-check-the-number-of-coefficients.patch 0002-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch 0003-Check-for-multiplication-overflow-in-sfconvert.patch 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 0005-Actually-fail-when-error-occurs-in-parseFormat.patch 0006-Check-for-division-by-zero-in-BlockCodec-runPull.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ audiofile.spec ++++++ --- /var/tmp/diff_new_pack.pB4sNX/_old 2017-06-12 15:26:58.226578657 +0200 +++ /var/tmp/diff_new_pack.pB4sNX/_new 2017-06-12 15:26:58.230578093 +0200 @@ -1,7 +1,7 @@ # # spec file for package audiofile # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,18 @@ # PATCH-FIX-SECURITY audiofile-CVE-2015-7747.patch bsc949399 CVE-2015-7747 sbra...@suse.com -- Fix overflow when changing both number of channels and sample format https://github.com/mpruett/audiofile/pull/25/files https://github.com/mpruett/audiofile/pull/25.patch Patch: audiofile-CVE-2015-7747.patch Patch2: audiofile-gcc6.patch +# PATCH-FIX-UPSTREAM 0001-Always-check-the-number-of-coefficients.patch boo#1026978 alarr...@suse.com -- Check number of coefficients https://github.com/mpruett/audiofile/pull/42 +Patch3: 0001-Always-check-the-number-of-coefficients.patch +# PATCH-FIX-UPSTREAM 0002-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch boo#1026978 alarr...@suse.com -- Check for multiplication overflow in MSADPCM.cpp https://github.com/mpruett/audiofile/pull/42 +Patch4: 0002-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch +# PATCH-FIX-UPSTREAM 0003-Check-for-multiplication-overflow-in-sfconvert.patch boo#1026978 alarr...@suse.com -- Check for multiplication overflow in sfconvert https://github.com/mpruett/audiofile/pull/42 +Patch5: 0003-Check-for-multiplication-overflow-in-sfconvert.patch +# PATCH-FIX-UPSTREAM 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch boo#1026981 alarr...@suse.com -- Clamp index values to fix index overflow https://github.com/mpruett/audiofile/pull/43 +Patch6: 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch +# PATCH-FIX-UPSTREAM 0005-Actually-fail-when-error-occurs-in-parseFormat.patch boo#1026983 alarr...@suse.com -- Actually fail when error occurs in parseFormat https://github.com/mpruett/audiofile/pull/44 +Patch7: 0005-Actually-fail-when-error-occurs-in-parseFormat.patch +# PATCH-FIX-UPSTREAM 0006-Check-for-division-by-zero-in-BlockCodec-runPull.patch boo#1026983 alarr...@suse.com -- Check for division by zero in BlockCodec::runPull https://github.com/mpruett/audiofile/pull/44 +Patch8: 0006-Check-for-division-by-zero-in-BlockCodec-runPull.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -98,6 +110,12 @@ %setup -q %patch -p1 %patch2 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build autoreconf -fi ++++++ 0001-Always-check-the-number-of-coefficients.patch ++++++ >From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Mon, 6 Mar 2017 12:51:22 +0100 Subject: [PATCH 1/3] Always check the number of coefficients When building the library with NDEBUG, asserts are eliminated so it's better to always check that the number of coefficients is inside the array range. This fixes the 00191-audiofile-indexoob issue in #41 --- libaudiofile/WAVE.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp index 0e81cf7..61f9541 100644 --- a/libaudiofile/WAVE.cpp +++ b/libaudiofile/WAVE.cpp @@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) /* numCoefficients should be at least 7. */ assert(numCoefficients >= 7 && numCoefficients <= 255); + if (numCoefficients < 7 || numCoefficients > 255) + { + _af_error(AF_BAD_HEADER, + "Bad number of coefficients"); + return AF_FAIL; + } m_msadpcmNumCoefficients = numCoefficients; -- 2.12.0 ++++++ 0002-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch ++++++ >From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Mon, 6 Mar 2017 13:43:53 +0100 Subject: [PATCH 2/3] Check for multiplication overflow in MSADPCM decodeSample Check for multiplication overflow (using __builtin_mul_overflow if available) in MSADPCM.cpp decodeSample and return an empty decoded block if an error occurs. This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 --- libaudiofile/modules/BlockCodec.cpp | 5 ++-- libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp index 45925e8..4731be1 100644 --- a/libaudiofile/modules/BlockCodec.cpp +++ b/libaudiofile/modules/BlockCodec.cpp @@ -52,8 +52,9 @@ void BlockCodec::runPull() // Decompress into m_outChunk. for (int i=0; i<blocksRead; i++) { - decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, - static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); + if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, + static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) + break; framesRead += m_framesPerPacket; } diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp index 8ea3c85..ef9c38c 100644 --- a/libaudiofile/modules/MSADPCM.cpp +++ b/libaudiofile/modules/MSADPCM.cpp @@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = 768, 614, 512, 409, 307, 230, 230, 230 }; +int firstBitSet(int x) +{ + int position=0; + while (x!=0) + { + x>>=1; + ++position; + } + return position; +} + +#ifndef __has_builtin +#define __has_builtin(x) 0 +#endif + +bool multiplyCheckOverflow(int a, int b, int *result) +{ +#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +#else + if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits + return true; + *result = a * b; + return false; +#endif +} + + // Compute a linear PCM value from the given differential coded value. static int16_t decodeSample(ms_adpcm_state &state, - uint8_t code, const int16_t *coefficient) + uint8_t code, const int16_t *coefficient, bool *ok=NULL) { int linearSample = (state.sample1 * coefficient[0] + state.sample2 * coefficient[1]) >> 8; + int delta; linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); - int delta = (state.delta * adaptationTable[code]) >> 8; + if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) + { + if (ok) *ok=false; + _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); + return 0; + } + delta >>= 8; if (delta < 16) delta = 16; state.delta = delta; state.sample2 = state.sample1; state.sample1 = linearSample; + if (ok) *ok=true; return static_cast<int16_t>(linearSample); } @@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) { uint8_t code; int16_t newSample; + bool ok; code = *encoded >> 4; - newSample = decodeSample(*state[0], code, coefficient[0]); + newSample = decodeSample(*state[0], code, coefficient[0], &ok); + if (!ok) return 0; *decoded++ = newSample; code = *encoded & 0x0f; - newSample = decodeSample(*state[1], code, coefficient[1]); + newSample = decodeSample(*state[1], code, coefficient[1], &ok); + if (!ok) return 0; *decoded++ = newSample; encoded++; -- 2.12.0 ++++++ 0003-Check-for-multiplication-overflow-in-sfconvert.patch ++++++ >From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Mon, 6 Mar 2017 13:54:52 +0100 Subject: [PATCH 3/3] Check for multiplication overflow in sfconvert Checks that a multiplication doesn't overflow when calculating the buffer size, and if it overflows, reduce the buffer size instead of failing. This fixes the 00192-audiofile-signintoverflow-sfconvert case in #41 --- sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c index 80a1bc4..970a3e4 100644 --- a/sfcommands/sfconvert.c +++ b/sfcommands/sfconvert.c @@ -45,6 +45,33 @@ void printusage (void); void usageerror (void); bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); +int firstBitSet(int x) +{ + int position=0; + while (x!=0) + { + x>>=1; + ++position; + } + return position; +} + +#ifndef __has_builtin +#define __has_builtin(x) 0 +#endif + +bool multiplyCheckOverflow(int a, int b, int *result) +{ +#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +#else + if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits + return true; + *result = a * b; + return false; +#endif +} + int main (int argc, char **argv) { if (argc == 2) @@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) { int frameSize = afGetVirtualFrameSize(infile, trackid, 1); - const int kBufferFrameCount = 65536; - void *buffer = malloc(kBufferFrameCount * frameSize); + int kBufferFrameCount = 65536; + int bufferSize; + while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) + kBufferFrameCount /= 2; + void *buffer = malloc(bufferSize); AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); AFframecount totalFramesWritten = 0; -- 2.12.0 ++++++ 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch ++++++ >From aaa992ff2c842edfce6e7ebdc82b27509de7f11d Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Mon, 6 Mar 2017 18:02:31 +0100 Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp This fixes #33 (https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) --- libaudiofile/modules/IMA.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp index 7476d44..df4aad6 100644 --- a/libaudiofile/modules/IMA.cpp +++ b/libaudiofile/modules/IMA.cpp @@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) if (encoded[1] & 0x80) m_adpcmState[c].previousValue -= 0x10000; - m_adpcmState[c].index = encoded[2]; + m_adpcmState[c].index = clamp(encoded[2], 0, 88); *decoded++ = m_adpcmState[c].previousValue; @@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) predictor -= 0x10000; state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); - state.index = encoded[1] & 0x7f; + state.index = clamp(encoded[1] & 0x7f, 0, 88); encoded += 2; for (int n=0; n<m_framesPerPacket; n+=2) -- 2.12.0 ++++++ 0005-Actually-fail-when-error-occurs-in-parseFormat.patch ++++++ >From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Mon, 6 Mar 2017 18:59:26 +0100 Subject: [PATCH 1/2] Actually fail when error occurs in parseFormat When there's an unsupported number of bits per sample or an invalid number of samples per block, don't only print an error message using the error handler, but actually stop parsing the file. This fixes #35 (also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ ) --- libaudiofile/WAVE.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp index 0e81cf7..d762249 100644 --- a/libaudiofile/WAVE.cpp +++ b/libaudiofile/WAVE.cpp @@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) { _af_error(AF_BAD_NOT_IMPLEMENTED, "IMA ADPCM compression supports only 4 bits per sample"); + return AF_FAIL; } int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; @@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) { _af_error(AF_BAD_CODEC_CONFIG, "Invalid samples per block for IMA ADPCM compression"); + return AF_FAIL; } track->f.sampleWidth = 16; -- 2.12.0 ++++++ 0006-Check-for-division-by-zero-in-BlockCodec-runPull.patch ++++++ >From e018528ab5d767c512e3b35df1c91e53b5e21fea Mon Sep 17 00:00:00 2001 From: Antonio Larrosa <larr...@kde.org> Date: Thu, 9 Mar 2017 10:21:18 +0100 Subject: [PATCH 2/2] Check for division by zero in BlockCodec::runPull --- libaudiofile/modules/BlockCodec.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp index 45925e8..963ff26 100644 --- a/libaudiofile/modules/BlockCodec.cpp +++ b/libaudiofile/modules/BlockCodec.cpp @@ -47,7 +47,7 @@ void BlockCodec::runPull() // Read the compressed data. ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount); - int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0; + int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0; // Decompress into m_outChunk. for (int i=0; i<blocksRead; i++) -- 2.12.0