Compare commits
No commits in common. "a8b414157effae6efa8e5ee8afb4e005f8ff1905" and "4de3a7422ee027bba0ee27cb84f08f0b48a98901" have entirely different histories.
a8b414157e
...
4de3a7422e
@ -1,38 +0,0 @@
|
||||
From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
|
||||
From: bobsayshilol <bobsayshilol@live.co.uk>
|
||||
Date: Thu, 18 Feb 2021 21:52:09 +0000
|
||||
Subject: [PATCH] ms_adpcm: Fix and extend size checks
|
||||
|
||||
'blockalign' is the size of a block, and each block contains 7 samples
|
||||
per channel as part of the preamble, so check against 'samplesperblock'
|
||||
rather than 'blockalign'. Also add an additional check that the block
|
||||
is big enough to hold the samples it claims to hold.
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
|
||||
---
|
||||
src/ms_adpcm.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
|
||||
diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
|
||||
index 5e8f1a316..a21cb9941 100644
|
||||
--- a/src/ms_adpcm.c
|
||||
+++ b/src/ms_adpcm.c
|
||||
@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
|
||||
if (psf->file.mode == SFM_WRITE)
|
||||
samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
|
||||
|
||||
- if (blockalign < 7 * psf->sf.channels)
|
||||
- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
|
||||
+ /* There's 7 samples per channel in the preamble of each block */
|
||||
+ if (samplesperblock < 7 * psf->sf.channels)
|
||||
+ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
|
||||
+ return SFE_INTERNAL ;
|
||||
+ } ;
|
||||
+
|
||||
+ if (2 * blockalign < samplesperblock * psf->sf.channels)
|
||||
+ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
|
||||
return SFE_INTERNAL ;
|
||||
} ;
|
||||
|
||||
|
||||
@ -1,25 +0,0 @@
|
||||
From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001
|
||||
From: yuan <ssspeed00@gmail.com>
|
||||
Date: Tue, 20 Apr 2021 16:16:32 +0800
|
||||
Subject: [PATCH] flac: Fix improper buffer reusing (#732)
|
||||
|
||||
---
|
||||
src/flac.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/flac.c b/src/flac.c
|
||||
index 64d0172e6..e33204505 100644
|
||||
--- a/src/flac.c
|
||||
+++ b/src/flac.c
|
||||
@@ -948,7 +948,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
|
||||
/* Decode some more. */
|
||||
while (pflac->pos < pflac->len)
|
||||
{ if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
|
||||
+ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
|
||||
+ /* Current frame is busted, so NULL the pointer. */
|
||||
+ pflac->frame = NULL ;
|
||||
break ;
|
||||
+ } ;
|
||||
state = FLAC__stream_decoder_get_state (pflac->fsd) ;
|
||||
if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
|
||||
{ psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
|
||||
@ -1,42 +0,0 @@
|
||||
From da1fcb0199f6a5c883fd158a20896a0e9c085e02 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Stewart <alex.stewart@ni.com>
|
||||
Date: Wed, 22 Nov 2023 17:15:12 +0800
|
||||
Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
|
||||
The clang sanitizer warns of a possible signed integer overflow when
|
||||
calculating the `dataend` value in `mat4_read_header()`.
|
||||
|
||||
```
|
||||
src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
|
||||
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
|
||||
src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
|
||||
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
|
||||
```
|
||||
|
||||
Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
|
||||
`dataend` before performing the calculation, to avoid the issue.
|
||||
|
||||
CVE: CVE-2022-33065
|
||||
Fixes: https://github.com/libsndfile/libsndfile/issues/789
|
||||
Fixes: https://github.com/libsndfile/libsndfile/issues/833
|
||||
|
||||
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
|
||||
---
|
||||
src/mat4.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mat4.c b/src/mat4.c
|
||||
index 3c73680..e2f98b7 100644
|
||||
--- a/src/mat4.c
|
||||
+++ b/src/mat4.c
|
||||
@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
|
||||
psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
|
||||
}
|
||||
else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
|
||||
- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
|
||||
+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
|
||||
|
||||
psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,54 +0,0 @@
|
||||
From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001
|
||||
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
||||
Date: Fri, 14 Apr 2017 15:19:16 +1000
|
||||
Subject: [PATCH 1/1] src/flac.c: Fix a buffer read overflow
|
||||
|
||||
A file (generated by a fuzzer) which increased the number of channels
|
||||
from one frame to the next could cause a read beyond the end of the
|
||||
buffer provided by libFLAC. Only option is to abort the read.
|
||||
|
||||
Closes: https://github.com/erikd/libsndfile/issues/231
|
||||
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
|
||||
---
|
||||
src/flac.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/flac.c b/src/flac.c
|
||||
index 5a4f8c2..e4f9aaa 100644
|
||||
--- a/src/flac.c
|
||||
+++ b/src/flac.c
|
||||
@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
|
||||
const int32_t* const *buffer = pflac->wbuffer ;
|
||||
unsigned i = 0, j, offset, channels, len ;
|
||||
|
||||
+ if (psf->sf.channels != (int) frame->header.channels)
|
||||
+ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
|
||||
+ "Nothing to do but to error out.\n" ,
|
||||
+ psf->sf.channels, frame->header.channels) ;
|
||||
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
|
||||
+ return 0 ;
|
||||
+ } ;
|
||||
+
|
||||
/*
|
||||
** frame->header.blocksize is variable and we're using a constant blocksize
|
||||
** of FLAC__MAX_BLOCK_SIZE.
|
||||
@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
|
||||
return 0 ;
|
||||
} ;
|
||||
|
||||
-
|
||||
len = SF_MIN (pflac->len, frame->header.blocksize) ;
|
||||
|
||||
if (pflac->remain % channels != 0)
|
||||
@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
|
||||
{ case FLAC__METADATA_TYPE_STREAMINFO :
|
||||
if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
|
||||
{ psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
|
||||
- "Nothing to be but to error out.\n" ,
|
||||
+ "Nothing to do but to error out.\n" ,
|
||||
psf->sf.channels, metadata->data.stream_info.channels) ;
|
||||
psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
|
||||
return ;
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libsndfile
|
||||
Version: 1.0.28
|
||||
Release: 22
|
||||
Release: 17
|
||||
Summary: Library for reading and writing sound files
|
||||
License: LGPLv2+ and GPLv2+ and BSD
|
||||
URL: http://www.mega-nerd.com/libsndfile/
|
||||
@ -20,10 +20,6 @@ Patch6002: libsndfile-1.0.28-CVE-2018-19758.patch
|
||||
Patch6003: libsndfile-1.0.28-CVE-2019-3832.patch
|
||||
Patch6004: libsndfile-1.0.28-CVE-2017-17456-CVE-2017-17457-CVE-2018-19661-CVE-2018-19662.patch
|
||||
Patch6005: libsndfile-1.0.28-CVE-2017-14634.patch
|
||||
Patch6006: libsndfile-1.0.28-CVE-2017-8362.patch
|
||||
Patch6007: backport-CVE-2021-3246.patch
|
||||
Patch6008: backport-CVE-2021-4156.patch
|
||||
Patch6009: backport-CVE-2022-33065.patch
|
||||
|
||||
%description
|
||||
Libsndfile is a C library for reading and writing files containing
|
||||
@ -130,26 +126,6 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
|
||||
%{_mandir}/man1/sndfile-salvage.1*
|
||||
|
||||
%changelog
|
||||
* Mon Nov 4 2024 yinzeqiang <yinzeqiang@chinaredflag.cn> - 1.0.28-22
|
||||
- Modify the wrong CVE number in Changelog
|
||||
|
||||
* Thu Dec 21 2023 xuyuchao <xu.yuchao@xfusion.com> - 1.0.28-21
|
||||
- Type:CVE
|
||||
- CVE:CVE-2022-33065
|
||||
- DESC:fix CVE-2022-33065
|
||||
|
||||
* Mon May 16 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.0.28-20
|
||||
- fix CVE-2021-4156
|
||||
|
||||
* Thu Sep 23 2021 zhouwenpei <zhouwenpei1@huawei.com> - 1.0.28-19
|
||||
- fix CVE-2021-3246
|
||||
|
||||
* Mon Feb 03 2020 chenmaodong<chenmaodong@huawei.com> - 1.0.28-18
|
||||
- Type:cves
|
||||
- ID:CVE-2017-8362
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2017-8362
|
||||
|
||||
* Fri Jan 10 2020 chenmaodong<chenmaodong@huawei.com> - 1.0.28-17
|
||||
- Type:enhancement
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user