[OE-core] [poky][sumo][PATCH 2/4] libsndfile1: Security fix CVE-2018-19432

[Sana Kazi]

From: Changqing Li <changqing...@windriver.com>

(From OE-Core rev: 6f010c9b7777aae5ce2108122d0c6d3b1d630a21)

Signed-off-by: Changqing Li <changqing...@windriver.com>
Signed-off-by: Ross Burton <ross.bur...@intel.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
Signed-off-by: Sana Kazi <sana.k...@kpit.com>
---
 .../libsndfile1/CVE-2018-19432.patch          | 115 ++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.28.bb          |   2 +
 2 files changed, 117 insertions(+)
 create mode 100644 
meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch

diff --git 
a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch 
b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
new file mode 100644
index 0000000000..8ded2c0f85
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
@@ -0,0 +1,115 @@
+From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <er...@mega-nerd.com>
+Date: Thu, 8 Mar 2018 18:00:21 +1100
+Subject: [PATCH] Fix max channel count bug
+
+The code was allowing files to be written with a channel count of exactly
+`SF_MAX_CHANNELS` but was failing to read some file formats with the same
+channel count.
+
+Upstream-Status: Backport [https://github.com/erikd/libsndfile/
+commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
+
+CVE: CVE-2018-19432
+
+Signed-off-by: Changqing Li <changqing...@windriver.com>
+
+---
+ src/aiff.c |    6 +++---
+ src/rf64.c |    4 ++--
+ src/w64.c  |    4 ++--
+ src/wav.c  |    4 ++--
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index fbd43cb..6386bce 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <er...@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <er...@mega-nerd.com>
+ ** Copyright (C) 2005 David Viens <dav...@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
+       if (psf->sf.channels < 1)
+               return SFE_CHANNEL_COUNT_ZERO ;
+
+-      if (psf->sf.channels >= SF_MAX_CHANNELS)
++      if (psf->sf.channels > SF_MAX_CHANNELS)
+               return SFE_CHANNEL_COUNT ;
+
+       if (! (found_chunk & HAVE_FORM))
+@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
+       psf_log_printf (psf, "  Sample Rate : %d\n", samplerate) ;
+       psf_log_printf (psf, "  Frames      : %u%s\n", 
comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 
104) ? " (Should not be 0)" : "") ;
+
+-      if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= 
SF_MAX_CHANNELS)
++      if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > 
SF_MAX_CHANNELS)
+       {       psf_log_printf (psf, "  Channels    : %d (should be >= 1 and < 
%d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
+               return SFE_CHANNEL_COUNT_BAD ;
+               } ;
+diff --git a/src/rf64.c b/src/rf64.c
+index d57f0f3..876cd45 100644
+--- a/src/rf64.c
++++ b/src/rf64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 2008-2017 Erik de Castro Lopo <er...@mega-nerd.com>
++** Copyright (C) 2008-2018 Erik de Castro Lopo <er...@mega-nerd.com>
+ ** Copyright (C) 2009      Uli Franke <c...@nebadje.org>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
+       if (psf->sf.channels < 1)
+               return SFE_CHANNEL_COUNT_ZERO ;
+
+-      if (psf->sf.channels >= SF_MAX_CHANNELS)
++      if (psf->sf.channels > SF_MAX_CHANNELS)
+               return SFE_CHANNEL_COUNT ;
+
+       /* WAVs can be little or big endian */
+diff --git a/src/w64.c b/src/w64.c
+index 939b716..a37d2c5 100644
+--- a/src/w64.c
++++ b/src/w64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <er...@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <er...@mega-nerd.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -383,7 +383,7 @@ w64_read_header    (SF_PRIVATE *psf, int *b
+       if (psf->sf.channels < 1)
+               return SFE_CHANNEL_COUNT_ZERO ;
+
+-      if (psf->sf.channels >= SF_MAX_CHANNELS)
++      if (psf->sf.channels > SF_MAX_CHANNELS)
+               return SFE_CHANNEL_COUNT ;
+
+       psf->endian = SF_ENDIAN_LITTLE ;                /* All W64 files are 
little endian. */
+diff --git a/src/wav.c b/src/wav.c
+index 7bd97bc..dc97545 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <er...@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <er...@mega-nerd.com>
+ ** Copyright (C) 2004-2005 David Viens <dav...@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -627,7 +627,7 @@ wav_read_header    (SF_PRIVATE *psf, int *b
+       if (psf->sf.channels < 1)
+               return SFE_CHANNEL_COUNT_ZERO ;
+
+-      if (psf->sf.channels >= SF_MAX_CHANNELS)
++      if (psf->sf.channels > SF_MAX_CHANNELS)
+               return SFE_CHANNEL_COUNT ;
+
+       if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
+--
+1.7.9.5
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb 
b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b28f675286..9700f4a6e7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,8 @@ SRC_URI = 
"http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2017-14245-14246.patch \
            file://CVE-2017-14634.patch \
            file://CVE-2018-13139.patch \
+           file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
+           file://CVE-2018-19432.patch \
           "

 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
--
2.17.1

This message contains information that may be privileged or confidential and is 
the property of the KPIT Technologies Ltd. It is intended only for the person 
to whom it is addressed. If you are not the intended recipient, you are not 
authorized to read, print, retain copy, disseminate, distribute, or use this 
message or any part thereof. If you receive this message in error, please 
notify the sender immediately and delete all copies of this message. KPIT 
Technologies Ltd. does not accept any liability for virus infected mails.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146463): 
https://lists.openembedded.org/g/openembedded-core/message/146463
Mute This Topic: https://lists.openembedded.org/mt/79495798/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-