This cherry-picks a few input-validation fixes for a recent CVE
from sox git (and a bonus division-by-zero fix from earlier); they will
have a new release, 14.4.2, soon anyway, but I think we'll want this
for stable regardless.

ok?


Index: Makefile
===================================================================
RCS file: /cvs/ports/audio/sox/Makefile,v
retrieving revision 1.57
diff -u -p -r1.57 Makefile
--- Makefile    14 Oct 2014 15:56:59 -0000      1.57
+++ Makefile    24 Dec 2014 12:37:52 -0000
@@ -3,6 +3,7 @@
 COMMENT=       Sound eXchange, the Swiss Army knife of audio manipulation
 
 DISTNAME=      sox-14.4.1
+REVISION=      0
 SHARED_LIBS += sox 3.0 # .2.1
 
 CATEGORIES=    audio
Index: patches/patch-src_gain_c
===================================================================
RCS file: patches/patch-src_gain_c
diff -N patches/patch-src_gain_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_gain_c    24 Dec 2014 12:37:52 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+[1c3d52] prevent division by 0 when input signal is entirely non-negative,
+non-positive, or both
+
+--- src/gain.c.orig    Wed Dec 24 12:32:38 2014
++++ src/gain.c Wed Dec 24 12:32:53 2014
+@@ -80,7 +80,9 @@ static int start(sox_effect_t * effp)
+     if (!p->do_equalise && !p->do_balance && !p->do_balance_no_clip)
+       effp->flows = 1; /* essentially a conditional SOX_EFF_MCHAN */
+   }
+-  p->mult = p->max = p->min = 0;
++  p->mult = 0;
++  p->max = 1;
++  p->min = -1;
+   if (p->do_scan) {
+     p->tmp_file = lsx_tmpfile();
+     if (p->tmp_file == NULL) {
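Review bot: The new seed values `p->max = 1;` / `p->min = -1;` carry no comment saying why they replace 0, and the hunk does not show in which units max/min are later accumulated, so a reader cannot tell whether a seed of 1 is negligible (integer sox_sample_t units) or caps the scanned peak at full scale (normalized units). Suggest `p->max = 1;   /* non-zero seeds: a silent or one-sided input must not produce a 0 divisor */` on the first of the two lines. If max/min are compared against normalized floating samples rather than integer samples, the seed would clamp the computed gain and should be confirmed against the drain-side code, which is not visible here. start() continues outside the hunk.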
Index: patches/patch-src_sphere_c
===================================================================
RCS file: patches/patch-src_sphere_c
diff -N patches/patch-src_sphere_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sphere_c  24 Dec 2014 12:37:52 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+[7d3f38] Check for minimum size sphere headers
+
+--- src/sphere.c.orig  Wed Dec 24 12:31:33 2014
++++ src/sphere.c       Wed Dec 24 12:31:53 2014
+@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft)
+ 
+   /* Determine header size, and allocate a buffer large enough to hold it. */
+   sscanf(fldsval, "%lu", &header_size_ul);
++  if (header_size_ul < 16) {
++    lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
++    return (SOX_EOF);
++  }
++
+   buf = lsx_malloc(header_size = header_size_ul);
+ 
+   /* Skip what we have read so far */
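Review bot: The new minimum-size check tests `header_size_ul` without confirming that the `sscanf` on the preceding context line matched anything, so a non-numeric size field leaves the variable at whatever value it held before (uninitialized or stale, depending on its declaration outside the hunk) and the `< 16` comparison then validates garbage. Fold the parse result into the same test: `if (sscanf(fldsval, "%lu", &header_size_ul) != 1 || header_size_ul < 16) {`. There is also no upper bound before `lsx_malloc(header_size = header_size_ul)`; whether a cap is needed depends on lsx_malloc's failure policy, which is not visible here. start_read() continues outside the hunk.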
Index: patches/patch-src_wav_c
===================================================================
RCS file: patches/patch-src_wav_c
diff -N patches/patch-src_wav_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_wav_c     24 Dec 2014 12:37:52 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+[f39c57] More checks for invalid MS ADPCM blocks.
+
+If block doesn't exacty match blockAlign then do not allow
+number of samples in invalid size block to ever be more than
+what WAV header defined as samplesPerBlock.
+
+--- src/wav.c.orig     Wed Dec 24 12:33:35 2014
++++ src/wav.c  Wed Dec 24 12:33:54 2014
+@@ -166,7 +166,7 @@ static unsigned short  AdpcmReadBlock(sox_format_t * f
+         /* work with partial blocks.  Specs say it should be null */
+         /* padded but I guess this is better than trailing quiet. */
+         samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, 
(size_t)ft->signal.channels, bytesRead, (size_t)0);
+-        if (samplesThisBlock == 0)
++        if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+         {
+             lsx_warn("Premature EOF on .wav input file");
+             return 0;
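Review bot: The extended condition now also fires when a partial block reports more samples than `wav->samplesPerBlock`, but it reuses the `"Premature EOF on .wav input file"` warning, so a malformed oversized block is reported as an end-of-file; select the message by cause, e.g. `lsx_warn(samplesThisBlock ? "Invalid MS ADPCM block in .wav input file" : "Premature EOF on .wav input file");`. The context line beginning `samplesThisBlock = lsx_ms_adpcm_samples_in(` is split across two physical lines, presumably by mail wrapping, so the patch as posted would not apply verbatim. The patch description also has a typo, `exacty` → `exactly`. AdpcmReadBlock() continues outside the hunk.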

