Compare commits
10 Commits
5c4e9ff29e
...
1047097dd3
| Author | SHA1 | Date | |
|---|---|---|---|
|
1047097dd3 | ||
|
|
6a4b440a01 | ||
|
|
e631f6af19 | ||
|
|
5247c9d084 | ||
|
|
d081ad98e5 | ||
|
|
49d0740e81 | ||
|
|
25a4321d64 | ||
|
|
585769f08a | ||
|
|
86bc315ab5 | ||
|
|
c58392e6af |
24
0001-fix-MemorySanitizer-use-of-uninitialized-value.patch
Normal file
24
0001-fix-MemorySanitizer-use-of-uninitialized-value.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From 73915cab4bb5af47c07c9aa5b1436c8f339b6af3 Mon Sep 17 00:00:00 2001
|
||||
From: maminjie <maminjie1@huawei.com>
|
||||
Date: Thu, 3 Dec 2020 01:30:52 +0000
|
||||
Subject: [PATCH] fix MemorySanitizer: use-of-uninitialized-value
|
||||
|
||||
---
|
||||
src/opusfile.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/opusfile.c b/src/opusfile.c
|
||||
index 8b000a2..889cb31 100644
|
||||
--- a/src/opusfile.c
|
||||
+++ b/src/opusfile.c
|
||||
@@ -479,6 +479,7 @@ static int op_fetch_headers_impl(OggOpusFile *_of,OpusHead *_head,
|
||||
int *_cserialnos,ogg_page *_og){
|
||||
ogg_packet op;
|
||||
int ret;
|
||||
+ memset(&op,0,sizeof(ogg_packet));
|
||||
if(_serialnos!=NULL)*_nserialnos=0;
|
||||
/*Extract the serialnos of all BOS pages plus the first set of Opus headers
|
||||
we see in the link.*/
|
||||
--
|
||||
2.23.0
|
||||
|
||||
40
CVE-2022-47021.patch
Normal file
40
CVE-2022-47021.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Giles <giles@thaumas.net>
|
||||
Date: Tue, 6 Sep 2022 19:04:31 -0700
|
||||
Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer.
|
||||
|
||||
Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
|
||||
a null pointer. This allows more graceful recovery by the caller
|
||||
in the unlikely event of a fallible ogg_malloc call.
|
||||
|
||||
We do check the return value elsewhere in the code, so the new
|
||||
checks make the code more consistent.
|
||||
|
||||
Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
|
||||
|
||||
Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
|
||||
Signed-off-by: Mark Harris <mark.hsj@gmail.com>
|
||||
---
|
||||
src/opusfile.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/opusfile.c b/src/opusfile.c
|
||||
index ca219b2..3c3c81e 100644
|
||||
--- a/src/opusfile.c
|
||||
+++ b/src/opusfile.c
|
||||
@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){
|
||||
int nbytes;
|
||||
OP_ASSERT(_nbytes>0);
|
||||
buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes);
|
||||
+ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
|
||||
nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes);
|
||||
OP_ASSERT(nbytes<=_nbytes);
|
||||
if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes);
|
||||
@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of,
|
||||
if(_initial_bytes>0){
|
||||
char *buffer;
|
||||
buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
|
||||
+ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
|
||||
memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
|
||||
ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
|
||||
}
|
||||
32
Fix-intermediate-overflow-in-op_pcm_total.patch
Normal file
32
Fix-intermediate-overflow-in-op_pcm_total.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 82adfb611d2c8c7f070297210c2b9854490887e5 Mon Sep 17 00:00:00 2001
|
||||
From: "Timothy B. Terriberry" <tterribe@xiph.org>
|
||||
Date: Tue, 15 Dec 2020 16:23:16 -0800
|
||||
Subject: [PATCH] Fix intermediate overflow in op_pcm_total().
|
||||
|
||||
Although link enumeration ensures the return value is in range, the
|
||||
order of operations allows the intermediate value pcm_total+diff
|
||||
to overflow the range of a 64-bit int.
|
||||
Add parentheses to ensure this does not happen.
|
||||
Thanks to Felcia Lim for the report.
|
||||
|
||||
Fixes #2330
|
||||
---
|
||||
src/opusfile.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/opusfile.c b/src/opusfile.c
|
||||
index 5bf9f91..144e02c 100644
|
||||
--- a/src/opusfile.c
|
||||
+++ b/src/opusfile.c
|
||||
@@ -1753,7 +1753,7 @@ ogg_int64_t op_pcm_total(const OggOpusFile *_of,int _li){
|
||||
}
|
||||
OP_ALWAYS_TRUE(!op_granpos_diff(&diff,
|
||||
links[_li].pcm_end,links[_li].pcm_start));
|
||||
- return pcm_total+diff-links[_li].head.pre_skip;
|
||||
+ return pcm_total+(diff-links[_li].head.pre_skip);
|
||||
}
|
||||
|
||||
const OpusHead *op_head(const OggOpusFile *_of,int _li){
|
||||
--
|
||||
2.27.0
|
||||
|
||||
50
Fix-short-circuit-test-when-seeking-in-short-files.patch
Normal file
50
Fix-short-circuit-test-when-seeking-in-short-files.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 4174c26e0aaab19d01afdea0a46f7f95fdc6b3e6 Mon Sep 17 00:00:00 2001
|
||||
From: "Timothy B. Terriberry" <tterribe@xiph.org>
|
||||
Date: Tue, 13 Oct 2020 12:30:41 -0700
|
||||
Subject: [PATCH] Fix short-circuit test when seeking in short files
|
||||
|
||||
When a file is very, very short (i.e., only one packet) and uses
|
||||
end-trimming, the apparent granule position preceding the first
|
||||
sample in the first packet can underflow.
|
||||
We were computing this value by subtracting the packet duration
|
||||
from the computed per-packet granule position and expecting this
|
||||
computation to always succeed.
|
||||
Because it could fail in the presence of end-trimming on the first
|
||||
packet (ironically, exactly the situation where the short-circuit
|
||||
is helpful), it would leave the value uninitialized, and then use
|
||||
it in a comparison, which is undefined behavior.
|
||||
The correct solution is to check for failure and force the previous
|
||||
page's granule position to 0 in this case.
|
||||
---
|
||||
src/opusfile.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/opusfile.c b/src/opusfile.c
|
||||
index 0d09e97..5bf9f91 100644
|
||||
--- a/src/opusfile.c
|
||||
+++ b/src/opusfile.c
|
||||
@@ -2358,8 +2358,19 @@ static int op_pcm_seek_page(OggOpusFile *_of,
|
||||
For very small files (with all of the data in a single page,
|
||||
generally 1 second or less), we can loop them continuously
|
||||
without seeking at all.*/
|
||||
- OP_ALWAYS_TRUE(!op_granpos_add(&prev_page_gp,_of->op[0].granulepos,
|
||||
- -op_get_packet_duration(_of->op[0].packet,_of->op[0].bytes)));
|
||||
+ if(op_granpos_add(&prev_page_gp,_of->op[0].granulepos,
|
||||
+ -op_get_packet_duration(_of->op[0].packet,_of->op[0].bytes))<0) {
|
||||
+ /*We validate/sanitize the per-packet timestamps, so the only way
|
||||
+ we should fail to calculate a granule position for the
|
||||
+ previous page is if the first page with completed packets in
|
||||
+ the stream is also the last, and end-trimming causes the
|
||||
+ apparent granule position preceding the first sample in the
|
||||
+ first packet to underflow.
|
||||
+ The starting PCM offset is then 0 by spec mandate (see also:
|
||||
+ op_find_initial_pcm_offset()).*/
|
||||
+ OP_ASSERT(_of->op[0].e_o_s);
|
||||
+ prev_page_gp=0;
|
||||
+ }
|
||||
if(op_granpos_cmp(prev_page_gp,_target_gp)<=0){
|
||||
/*Don't call op_decode_clear(), because it will dump our
|
||||
packets.*/
|
||||
--
|
||||
2.30.0
|
||||
|
||||
25
fix-left-shift.patch
Normal file
25
fix-left-shift.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From fb72f9f311d396be2fb5c3ac48c05abce2d42f83 Mon Sep 17 00:00:00 2001
|
||||
From: caodongxia <315816521@qq.com>
|
||||
Date: Tue, 14 Dec 2021 20:37:56 +0800
|
||||
Subject: [PATCH] fix left shift
|
||||
|
||||
---
|
||||
src/opusfile.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/opusfile.c b/src/opusfile.c
|
||||
index 6deaeb0..3fdc0ac 100644
|
||||
--- a/src/opusfile.c
|
||||
+++ b/src/opusfile.c
|
||||
@@ -1021,7 +1021,7 @@ static opus_int64 op_rescale64(opus_int64 _x,opus_int64 _from,opus_int64 _to){
|
||||
_x-=_from-_x;
|
||||
frac|=1;
|
||||
}
|
||||
- else _x<<=1;
|
||||
+ else _x = (opus_int64)((opus_uint64)(_x) << 1);
|
||||
}
|
||||
ret=0;
|
||||
for(i=0;i<63;i++){
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,10 +1,15 @@
|
||||
Name: opusfile
|
||||
Version: 0.11
|
||||
Release: 2
|
||||
Release: 7
|
||||
Summary: A high-level API provides seeking, decode, and playback of Opus streams
|
||||
License: BSD
|
||||
URL: http://www.opus-codec.org/
|
||||
Source0: http://downloads.xiph.org/releases/opus/%{name}-%{version}.tar.gz
|
||||
Patch0000: 0001-fix-MemorySanitizer-use-of-uninitialized-value.patch
|
||||
Patch0001: Fix-short-circuit-test-when-seeking-in-short-files.patch
|
||||
Patch0002: fix-left-shift.patch
|
||||
Patch0003: Fix-intermediate-overflow-in-op_pcm_total.patch
|
||||
Patch0004: CVE-2022-47021.patch
|
||||
|
||||
BuildRequires: libogg-devel openssl-devel opus-devel
|
||||
|
||||
@ -49,6 +54,21 @@ Development package for opusfile package.
|
||||
%{_libdir}/{libopusfile.so,libopusurl.so}
|
||||
|
||||
%changelog
|
||||
* Sun Jan 29 2023 yaoxin <yaoxin30@h-partners.com> - 0.11-7
|
||||
- Fix CVE-2022-47021
|
||||
|
||||
* Wed Dec 22 2021 xu_ping <xuping33@huawei.com> - 0.11-6
|
||||
- Fix intermediate overflow in op_pcm_total
|
||||
|
||||
* Tue Dec 14 2021 caodongxia <caodongxia@huawei.com> - 0.11-5
|
||||
- Fix left shift
|
||||
|
||||
* Tue Dec 14 2021 chenchen <chen_aka_jan@163.com> - 0.11-4
|
||||
- Fix short-circuit test when seeking in short files
|
||||
|
||||
* Thu Dec 03 2020 maminjie <maminjie1@huawei.com> - 0.11-3
|
||||
- fix MemorySanitizer: use-of-uninitialized-value
|
||||
|
||||
* Sat Nov 30 2019 daiqianwen <daiqianwen@huawei.com> - 0.11-2
|
||||
- Package init
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user