Some further fixes for libsndfile:
- Improve handling of SMPL chunks in WAV files.
- Fix use of uninitialized value in endswap_int64_t_array.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25366
Index: Makefile
===================================================================
RCS file: /home/cvs/ports/audio/libsndfile/Makefile,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 Makefile
--- Makefile 16 Jan 2021 12:53:12 -0000 1.34
+++ Makefile 16 Jan 2021 17:51:34 -0000
@@ -3,6 +3,7 @@ COMMENT= library to handle various audio file formats
 DISTNAME= libsndfile-1.0.30
+REVISION= 0
 CATEGORIES= audio
 GH_ACCOUNT= libsndfile
 GH_PROJECT= libsndfile
Index: patches/patch-programs_sndfile-info_c
===================================================================
RCS file: patches/patch-programs_sndfile-info_c
diff -N patches/patch-programs_sndfile-info_c
--- patches/patch-programs_sndfile-info_c 16 Jan 2021 12:54:12 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-$OpenBSD: patch-programs_sndfile-info_c,v 1.1 2021/01/16 12:54:12 sthen Exp $
-
-Fix stack buffer overflow in instrument_dump. When loop_count more than 16,
-it has a stack buffer overflow.
-
-Index: programs/sndfile-info.c
---- programs/sndfile-info.c.orig
-+++ programs/sndfile-info.c
-@@ -312,7 +312,7 @@ instrument_dump (const char *filename)
- printf (" Key : %d - %d\n", (int) inst.key_lo, (int) inst.key_hi) ;
- printf (" Loop points : %d\n", inst.loop_count) ;
-
-- for (k = 0 ; k < inst.loop_count ; k++)
-+ for (k = 0 ; k < inst.loop_count && k < ARRAY_LEN (inst.loops) ; k++)
- printf (" %-2d Mode : %s Start : %6d End : %6d Count : %6d\n", k, str_of_type (inst.loops [k].mode), inst.loops [k].start, inst.loops [k].end, inst.loops [k].count) ;
-
- putchar ('\n') ;
Index: patches/patch-src_double64_c
===================================================================
RCS file: patches/patch-src_double64_c
diff -N patches/patch-src_double64_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_double64_c 23 Jan 2021 09:36:06 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Fix use of uninitialized value in endswap_int64_t_array.
+
+Index: src/double64.c
+--- src/double64.c.orig
++++ src/double64.c
+@@ -631,7 +631,7 @@ host_read_d2f (SF_PRIVATE *psf, float *ptr, sf_count_t
+ readcount = psf_fread (ubuf.dbuf, sizeof (double), bufferlen, psf) ;
+
+ if (psf->data_endswap == SF_TRUE)
+- endswap_double_array (ubuf.dbuf, bufferlen) ;
++ endswap_double_array (ubuf.dbuf, readcount) ;
+
+ d2f_array (ubuf.dbuf, readcount, ptr + total) ;
+ total += readcount ;
Index: patches/patch-src_wav_c
===================================================================
RCS file: /home/cvs/ports/audio/libsndfile/patches/patch-src_wav_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_wav_c
--- patches/patch-src_wav_c 16 Jan 2021 12:54:12 -0000 1.1
+++ patches/patch-src_wav_c 16 Jan 2021 17:59:35 -0000
@@ -3,6 +3,7 @@ $OpenBSD: patch-src_wav_c,v 1.1 2021/01/
 - Fix memory leak in wav_read_smpl_chunk().
 - Fix leak in wav_read_header.
 - Fix memory leak in wav_read_acid_chunk.
+- Improve handling of SMPL chunks in WAV files.
 Index: src/wav.c
 --- src/wav.c.orig
@@ -19,6 +20,15 @@ Index: src/wav.c
 if ((psf->cues = psf_cues_alloc (cue_count)) == NULL)
 return SFE_MALLOC_FAILED ;
+@@ -1289,7 +1294,7 @@ wav_command (SF_PRIVATE *psf, int command, void * UNUS
+ static int
+ wav_read_smpl_chunk (SF_PRIVATE *psf, uint32_t chunklen)
+ { char buffer [512] ;
+- uint32_t thisread, bytesread = 0, dword, sampler_data, loop_count ;
++ uint32_t thisread, bytesread = 0, dword, sampler_data, loop_count, actually_loop_count = 0 ;
+ uint32_t note, pitch, start, end, type = -1, count ;
+ int j, k ;
+
 @@ -1335,6 +1340,11 @@ wav_read_smpl_chunk (SF_PRIVATE *psf, uint32_t chunkle
 */
 bytesread += psf_binheader_readf (psf, "4", &sampler_data) ;
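Review bot: Only host_read_d2f is changed to swap `readcount` doubles instead of `bufferlen`, yet the same read-then-endswap shape is very likely repeated in the sibling readers of double64.c (the short, int and double output variants of this function); if any of them still passes `bufferlen` to `endswap_double_array`, it touches the tail of `ubuf.dbuf` that a short `psf_fread` left unfilled and needs the same one-word change. The patch header names `endswap_int64_t_array` while the edited call is `endswap_double_array`; one sentence in the header saying that the double wrapper is where the uninitialized read surfaces would save the next reader a lookup. host_read_d2f's body starts and ends outside this hunk.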
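Review bot: `actually_loop_count` is introduced here without a comment saying how it relates to the `loop_count` read from the chunk header, and nothing in this hunk uses it (the comparison lives in the next hunk of the patch file); a short note on the declaration would help, e.g. `loop_count, actually_loop_count = 0 ; /* loops actually parsed from the chunk; checked against the header's loop_count below */`. Because this commit also drops the ARRAY_LEN guard patch for instrument_dump in sndfile-info.c, the clamp this counter feeds becomes the only bound on psf->instrument->loop_count that consumers rely on, so it is worth confirming that any other chunk reader that fills psf->instrument applies the same clamp. wav_read_smpl_chunk's body continues outside this hunk.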
@@ -31,7 +41,26 @@ Index: src/wav.c
 if ((psf->instrument = psf_instrument_alloc ()) == NULL)
 return SFE_MALLOC_FAILED ;
-@@ -1486,6 +1496,11 @@ wav_read_acid_chunk (SF_PRIVATE *psf, uint32_t chunkle
+@@ -1381,8 +1391,17 @@ wav_read_smpl_chunk (SF_PRIVATE *psf, uint32_t chunkle
+ break ;
+ } ;
+ } ;
++ actually_loop_count ++ ;
++ } ;
+
+- loop_count -- ;
++ if (actually_loop_count > ARRAY_LEN (psf->instrument->loops))
++ {
++ psf_log_printf (psf, "*** Warning, actual Loop Points count exceeds %u, changing Loop Count from %u to %u\n", ARRAY_LEN (psf->instrument->loops), loop_count, ARRAY_LEN (psf->instrument->loops)) ;
++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++ }
++ else if (loop_count != actually_loop_count)
++ { psf_log_printf (psf, "*** Warning, actual Loop Points count != Loop Count, changing Loop Count from %u to %u\n", loop_count, actually_loop_count) ;
++ psf->instrument->loop_count = actually_loop_count ;
+ } ;
+
+ if (chunklen - bytesread == 0)
+@@ -1486,6 +1505,11 @@ wav_read_acid_chunk (SF_PRIVATE *psf, uint32_t chunkle
 psf_binheader_readf (psf, "j", chunklen - bytesread) ;