This cherry picks a few input-validation fixes for a recent CVE from sox git (and a bonus division-by-0 fix from earlier); they will have a new release 14.4.2 soon anyway, but I think we'll want this for stable anyway.
ok? Index: Makefile =================================================================== RCS file: /cvs/ports/audio/sox/Makefile,v retrieving revision 1.57 diff -u -p -r1.57 Makefile --- Makefile 14 Oct 2014 15:56:59 -0000 1.57 +++ Makefile 24 Dec 2014 12:37:52 -0000 @@ -3,6 +3,7 @@ COMMENT= Sound eXchange, the Swiss Army knife of audio manipulation DISTNAME= sox-14.4.1 +REVISION= 0 SHARED_LIBS += sox 3.0 # .2.1 CATEGORIES= audio Index: patches/patch-src_gain_c =================================================================== RCS file: patches/patch-src_gain_c diff -N patches/patch-src_gain_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_gain_c 24 Dec 2014 12:37:52 -0000 @@ -0,0 +1,18 @@ +$OpenBSD$ + +[1c3d52] prevent division by 0 when input signal is entirely non-negative, +non-positive, or both + +--- src/gain.c.orig Wed Dec 24 12:32:38 2014 ++++ src/gain.c Wed Dec 24 12:32:53 2014 +@@ -80,7 +80,9 @@ static int start(sox_effect_t * effp) + if (!p->do_equalise && !p->do_balance && !p->do_balance_no_clip) + effp->flows = 1; /* essentially a conditional SOX_EFF_MCHAN */ + } +- p->mult = p->max = p->min = 0; ++ p->mult = 0; ++ p->max = 1; ++ p->min = -1; + if (p->do_scan) { + p->tmp_file = lsx_tmpfile(); + if (p->tmp_file == NULL) { Index: patches/patch-src_sphere_c =================================================================== RCS file: patches/patch-src_sphere_c diff -N patches/patch-src_sphere_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_sphere_c 24 Dec 2014 12:37:52 -0000 @@ -0,0 +1,18 @@ +$OpenBSD$ + +[7d3f38] Check for minimum size sphere headers + +--- src/sphere.c.orig Wed Dec 24 12:31:33 2014 ++++ src/sphere.c Wed Dec 24 12:31:53 2014 +@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft) + + /* Determine header size, and allocate a buffer large enough to hold it. */ + sscanf(fldsval, "%lu", &header_size_ul); ++ if (header_size_ul < 16) { ++ lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header"); ++ return (SOX_EOF); ++ } ++ + buf = lsx_malloc(header_size = header_size_ul); + + /* Skip what we have read so far */ Index: patches/patch-src_wav_c =================================================================== RCS file: patches/patch-src_wav_c diff -N patches/patch-src_wav_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_wav_c 24 Dec 2014 12:37:52 -0000 @@ -0,0 +1,19 @@ +$OpenBSD$ + +[f39c57] More checks for invalid MS ADPCM blocks. + +If block doesn't exacty match blockAlign then do not allow +number of samples in invalid size block to ever be more than +what WAV header defined as samplesPerBlock. + +--- src/wav.c.orig Wed Dec 24 12:33:35 2014 ++++ src/wav.c Wed Dec 24 12:33:54 2014 +@@ -166,7 +166,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * f + /* work with partial blocks. Specs say it should be null */ + /* padded but I guess this is better than trailing quiet. */ + samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0); +- if (samplesThisBlock == 0) ++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) + { + lsx_warn("Premature EOF on .wav input file"); + return 0;