diff --git a/SOURCES/libsndfile-1.0.28-cve-2024-50612prereq.patch b/SOURCES/libsndfile-1.0.28-cve-2024-50612prereq.patch new file mode 100644 index 0000000..60a9085 --- /dev/null +++ b/SOURCES/libsndfile-1.0.28-cve-2024-50612prereq.patch @@ -0,0 +1,67 @@ +diff -up libsndfile-1.0.28/src/ogg.c.cve-2024-50612prereq libsndfile-1.0.28/src/ogg.c +--- libsndfile-1.0.28/src/ogg.c.cve-2024-50612prereq 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/ogg.c 2024-11-26 15:06:33.595446443 +0100 +@@ -45,6 +45,16 @@ static int ogg_stream_classify (SF_PRIVA + static int ogg_page_classify (SF_PRIVATE * psf, const ogg_page * og) ; + + int ++ogg_write_page (SF_PRIVATE *psf, ogg_page *page) ++{ int bytes ; ++ ++ bytes = psf_fwrite (page->header, 1, page->header_len, psf) ; ++ bytes += psf_fwrite (page->body, 1, page->body_len, psf) ; ++ ++ return bytes == page->header_len + page->body_len ; ++} /* ogg_write_page */ ++ ++int + ogg_open (SF_PRIVATE *psf) + { OGG_PRIVATE* odata = calloc (1, sizeof (OGG_PRIVATE)) ; + sf_count_t pos = psf_ftell (psf) ; +diff -up libsndfile-1.0.28/src/ogg.h.cve-2024-50612prereq libsndfile-1.0.28/src/ogg.h +--- libsndfile-1.0.28/src/ogg.h.cve-2024-50612prereq 2024-11-26 15:06:45.023560621 +0100 ++++ libsndfile-1.0.28/src/ogg.h 2024-11-26 15:06:57.731687587 +0100 +@@ -48,5 +48,10 @@ typedef struct + (buf [base] & 0xff)) + + ++/* ++** Write the whole Ogg page out. Convenience function as the ogg_page struct ++** splits header and body data into separate buffers. ++*/ ++int ogg_write_page (SF_PRIVATE *, ogg_page *) ; + + #endif /* SF_SRC_OGG_H */ +diff -up libsndfile-1.0.28/src/ogg_vorbis.c.cve-2024-50612prereq libsndfile-1.0.28/src/ogg_vorbis.c +--- libsndfile-1.0.28/src/ogg_vorbis.c.cve-2024-50612prereq 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/ogg_vorbis.c 2024-11-26 15:06:33.595446443 +0100 +@@ -423,8 +423,7 @@ vorbis_write_header (SF_PRIVATE *psf, in + * audio data will start on a new page, as per spec + */ + while ((result = ogg_stream_flush (&odata->ostream, &odata->opage)) != 0) +- { psf_fwrite (odata->opage.header, 1, odata->opage.header_len, psf) ; +- psf_fwrite (odata->opage.body, 1, odata->opage.body_len, psf) ; ++ { ogg_write_page (psf, &odata->opage) ; + } ; + } + +@@ -463,8 +462,7 @@ vorbis_close (SF_PRIVATE *psf) + while (!odata->eos) + { int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ; + if (result == 0) break ; +- psf_fwrite (odata->opage.header, 1, odata->opage.header_len, psf) ; +- psf_fwrite (odata->opage.body, 1, odata->opage.body_len, psf) ; ++ ogg_write_page (psf, &odata->opage) ; + + /* this could be set above, but for illustrative purposes, I do + it here (to show that vorbis does know where the stream ends) */ +@@ -778,8 +776,7 @@ vorbis_write_samples (SF_PRIVATE *psf, O + { int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ; + if (result == 0) + break ; +- psf_fwrite (odata->opage.header, 1, odata->opage.header_len, psf) ; +- psf_fwrite (odata->opage.body, 1, odata->opage.body_len, psf) ; ++ ogg_write_page (psf, &odata->opage) ; + + /* This could be set above, but for illustrative purposes, I do + ** it here (to show that vorbis does know where the stream ends) */ diff --git a/SOURCES/libsndfile-1.0.31-pullrequest979.patch b/SOURCES/libsndfile-1.0.31-pullrequest979.patch new file mode 100644 index 0000000..5171e54 --- /dev/null +++ b/SOURCES/libsndfile-1.0.31-pullrequest979.patch @@ -0,0 +1,362 @@ +diff -up libsndfile-1.0.28/src/aiff.c.pullrequest979 libsndfile-1.0.28/src/aiff.c +--- libsndfile-1.0.28/src/aiff.c.pullrequest979 2023-11-01 23:49:50.232622966 +0100 ++++ libsndfile-1.0.28/src/aiff.c 2023-11-01 23:49:50.246623108 +0100 +@@ -1822,7 +1822,7 @@ static int + aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) + { const char * type_str ; + basc_CHUNK bc ; +- int count ; ++ sf_count_t count ; + + count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; + count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ; +diff -up libsndfile-1.0.28/src/au.c.pullrequest979 libsndfile-1.0.28/src/au.c +--- libsndfile-1.0.28/src/au.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/au.c 2023-11-01 23:49:50.246623108 +0100 +@@ -291,6 +291,7 @@ static int + au_read_header (SF_PRIVATE *psf) + { AU_FMT au_fmt ; + int marker, dword ; ++ sf_count_t data_end ; + + memset (&au_fmt, 0, sizeof (au_fmt)) ; + psf_binheader_readf (psf, "pm", 0, &marker) ; +@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf) + return SFE_AU_EMBED_BAD_LEN ; + } ; + ++ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ; + if (psf->fileoffset > 0) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } +- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength) ++ else if (au_fmt.datasize == -1 || data_end == psf->filelength) + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; +- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ else if (data_end < psf->filelength) ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } + else +diff -up libsndfile-1.0.28/src/avr.c.pullrequest979 libsndfile-1.0.28/src/avr.c +--- libsndfile-1.0.28/src/avr.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/avr.c 2023-11-01 23:49:50.246623108 +0100 +@@ -164,7 +164,7 @@ avr_read_header (SF_PRIVATE *psf) + psf->endian = SF_ENDIAN_BIG ; + + psf->dataoffset = AVR_HDR_SIZE ; +- psf->datalength = hdr.frames * (hdr.rez / 8) ; ++ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ; + + if (psf->fileoffset > 0) + psf->filelength = AVR_HDR_SIZE + psf->datalength ; +diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/common.c +--- libsndfile-1.0.28/src/common.c.pullrequest979 2023-11-01 23:49:50.237623017 +0100 ++++ libsndfile-1.0.28/src/common.c 2023-11-01 23:50:00.446727012 +0100 +@@ -18,6 +18,7 @@ + + #include + ++#include + #include + #include + #if HAVE_UNISTD_H +@@ -975,6 +976,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + double *doubleptr ; + char c ; + int byte_count = 0, count = 0 ; ++ int read_bytes = 0 ; + + if (! format) + return psf_ftell (psf) ; +@@ -983,6 +985,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + + while ((c = *format++)) + { ++ read_bytes = 0 ; + if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16)) + { + va_end (argptr) ; +@@ -1002,7 +1005,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + *intptr = GET_MARKER (ucptr) ; + break ; + +@@ -1010,7 +1013,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; ++ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; + { int k ; + intdata = 0 ; + for (k = 0 ; k < 16 ; k++) +@@ -1022,14 +1025,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '1' : + charptr = va_arg (argptr, char*) ; + *charptr = 0 ; +- byte_count += header_read (psf, charptr, sizeof (char)) ; ++ read_bytes = header_read (psf, charptr, sizeof (char)) ; + break ; + + case '2' : /* 2 byte value with the current endian-ness */ + shortptr = va_arg (argptr, unsigned short*) ; + *shortptr = 0 ; + ucptr = (unsigned char*) shortptr ; +- byte_count += header_read (psf, ucptr, sizeof (short)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (short)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *shortptr = GET_BE_SHORT (ucptr) ; + else +@@ -1039,7 +1042,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '3' : /* 3 byte value with the current endian-ness */ + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 3) ; ++ read_bytes = header_read (psf, sixteen_bytes, 3) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = GET_BE_3BYTE (sixteen_bytes) ; + else +@@ -1050,7 +1053,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = psf_get_be32 (ucptr, 0) ; + else +@@ -1060,7 +1063,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '8' : /* 8 byte value with the current endian-ness */ + countptr = va_arg (argptr, sf_count_t *) ; + *countptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 8) ; ++ read_bytes = header_read (psf, sixteen_bytes, 8) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + countdata = psf_get_be64 (sixteen_bytes, 0) ; + else +@@ -1071,7 +1074,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'f' : /* Float conversion */ + floatptr = va_arg (argptr, float *) ; + *floatptr = 0.0 ; +- byte_count += header_read (psf, floatptr, sizeof (float)) ; ++ read_bytes = header_read (psf, floatptr, sizeof (float)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *floatptr = float32_be_read ((unsigned char*) floatptr) ; + else +@@ -1081,7 +1084,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'd' : /* double conversion */ + doubleptr = va_arg (argptr, double *) ; + *doubleptr = 0.0 ; +- byte_count += header_read (psf, doubleptr, sizeof (double)) ; ++ read_bytes = header_read (psf, doubleptr, sizeof (double)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *doubleptr = double64_be_read ((unsigned char*) doubleptr) ; + else +@@ -1105,7 +1108,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + charptr = va_arg (argptr, char*) ; + count = va_arg (argptr, size_t) ; + memset (charptr, 0, count) ; +- byte_count += header_read (psf, charptr, count) ; ++ read_bytes = header_read (psf, charptr, count) ; + break ; + + case 'G' : +@@ -1119,7 +1122,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + return count ; + } ; + +- byte_count += header_gets (psf, charptr, count) ; ++ read_bytes = header_gets (psf, charptr, count) ; + break ; + + case 'z' : +@@ -1143,7 +1146,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'j' : /* Seek to position from current position. */ + count = va_arg (argptr, size_t) ; + header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ read_bytes = count ; + break ; + + default : +@@ -1151,8 +1154,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + psf->error = SFE_INTERNAL ; + break ; + } ; ++ ++ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes)) ++ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ; ++ psf->error = SFE_INTERNAL ; ++ break ; ++ } else ++ { byte_count += read_bytes ; + } ; + ++ } ; /*end while*/ ++ + va_end (argptr) ; + + return byte_count ; +diff -up libsndfile-1.0.28/src/common.h.pullrequest979 libsndfile-1.0.28/src/common.h +--- libsndfile-1.0.28/src/common.h.pullrequest979 2023-11-01 23:49:50.230622945 +0100 ++++ libsndfile-1.0.28/src/common.h 2023-11-01 23:49:50.246623108 +0100 +@@ -467,7 +467,7 @@ typedef struct sf_private_tag + sf_count_t datalength ; /* Length in bytes of the audio data. */ + sf_count_t dataend ; /* Offset to file tailer. */ + +- int blockwidth ; /* Size in bytes of one set of interleaved samples. */ ++ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */ + int bytewidth ; /* Size in bytes of one sample (one channel). */ + + void *dither ; +diff -up libsndfile-1.0.28/src/ima_adpcm.c.pullrequest979 libsndfile-1.0.28/src/ima_adpcm.c +--- libsndfile-1.0.28/src/ima_adpcm.c.pullrequest979 2016-09-10 10:08:27.000000000 +0200 ++++ libsndfile-1.0.28/src/ima_adpcm.c 2023-11-01 23:49:50.247623119 +0100 +@@ -233,7 +233,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl + case SF_FORMAT_AIFF : + psf_log_printf (psf, "still need to check block count\n") ; + pima->decode_block = aiff_ima_decode_block ; +- psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ; ++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ; + break ; + + default : +diff -up libsndfile-1.0.28/src/ircam.c.pullrequest979 libsndfile-1.0.28/src/ircam.c +--- libsndfile-1.0.28/src/ircam.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/ircam.c 2023-11-01 23:49:50.247623119 +0100 +@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf) + switch (encoding) + { case IRCAM_PCM_16 : + psf->bytewidth = 2 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ; + break ; + + case IRCAM_PCM_32 : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ; + break ; + + case IRCAM_FLOAT : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ; + break ; + + case IRCAM_ALAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ; + break ; + + case IRCAM_ULAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ; + break ; +diff -up libsndfile-1.0.28/src/mat4.c.pullrequest979 libsndfile-1.0.28/src/mat4.c +--- libsndfile-1.0.28/src/mat4.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/mat4.c 2023-11-01 23:49:50.247623119 +0100 +@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf) + + psf->container_close = mat4_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_16 : +@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf) + psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ; + } + else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth) +- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ; ++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ; + + psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ; + +diff -up libsndfile-1.0.28/src/mat5.c.pullrequest979 libsndfile-1.0.28/src/mat5.c +--- libsndfile-1.0.28/src/mat5.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/mat5.c 2023-11-01 23:49:50.247623119 +0100 +@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf) + + psf->container_close = mat5_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_U8 : +diff -up libsndfile-1.0.28/src/pcm.c.pullrequest979 libsndfile-1.0.28/src/pcm.c +--- libsndfile-1.0.28/src/pcm.c.pullrequest979 2017-04-02 08:33:16.000000000 +0200 ++++ libsndfile-1.0.28/src/pcm.c 2023-11-01 23:49:50.247623119 +0100 +@@ -125,7 +125,7 @@ pcm_init (SF_PRIVATE *psf) + return SFE_INTERNAL ; + } ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8) + chars = SF_CHARS_SIGNED ; +diff -up libsndfile-1.0.28/src/rf64.c.pullrequest979 libsndfile-1.0.28/src/rf64.c +--- libsndfile-1.0.28/src/rf64.c.pullrequest979 2023-11-01 23:49:50.229622935 +0100 ++++ libsndfile-1.0.28/src/rf64.c 2023-11-01 23:49:50.248623129 +0100 +@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int * + } ; + } ; + +- if (psf->filelength != riff_size + 8) ++ if (psf->filelength - 8 != riff_size) + psf_log_printf (psf, " Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ; + else + psf_log_printf (psf, " Riff size : %D\n", riff_size) ; +diff -up libsndfile-1.0.28/src/sds.c.pullrequest979 libsndfile-1.0.28/src/sds.c +--- libsndfile-1.0.28/src/sds.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/sds.c 2023-11-01 23:49:50.248623129 +0100 +@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRI + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 2) +- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ; ++ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ; + psds->read_samples [k / 2] = (int) (sample - 0x80000000) ; + } ; + +@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRI + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 3) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ; + psds->read_samples [k / 3] = (int) (sample - 0x80000000) ; + } ; + +@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRI + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 4) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ; + psds->read_samples [k / 4] = (int) (sample - 0x80000000) ; + } ; + diff --git a/SOURCES/libsndfile-1.2.2-cve-2024-50612.patch b/SOURCES/libsndfile-1.2.2-cve-2024-50612.patch new file mode 100644 index 0000000..bfec2b6 --- /dev/null +++ b/SOURCES/libsndfile-1.2.2-cve-2024-50612.patch @@ -0,0 +1,324 @@ +diff -up libsndfile-1.0.28/src/ogg.c.cve-2024-50612 libsndfile-1.0.28/src/ogg.c +--- libsndfile-1.0.28/src/ogg.c.cve-2024-50612 2024-11-25 23:52:41.158759323 +0100 ++++ libsndfile-1.0.28/src/ogg.c 2024-11-25 23:53:45.520411291 +0100 +@@ -46,12 +46,16 @@ static int ogg_page_classify (SF_PRIVATE + + int + ogg_write_page (SF_PRIVATE *psf, ogg_page *page) +-{ int bytes ; ++{ int n ; + +- bytes = psf_fwrite (page->header, 1, page->header_len, psf) ; +- bytes += psf_fwrite (page->body, 1, page->body_len, psf) ; ++ n = psf_fwrite (page->header, 1, page->header_len, psf) ; ++ if (n == page->header_len) ++ n += psf_fwrite (page->body, 1, page->body_len, psf) ; + +- return bytes == page->header_len + page->body_len ; ++ if (n != page->body_len + page->header_len) ++ return -1 ; ++ ++ return n ; + } /* ogg_write_page */ + + int +diff -up libsndfile-1.0.28/src/ogg_vorbis.c.cve-2024-50612 libsndfile-1.0.28/src/ogg_vorbis.c +--- libsndfile-1.0.28/src/ogg_vorbis.c.cve-2024-50612 2024-11-25 23:52:41.156759303 +0100 ++++ libsndfile-1.0.28/src/ogg_vorbis.c 2024-11-26 00:01:45.724339005 +0100 +@@ -76,25 +76,6 @@ + + #include "ogg.h" + +-typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ; +- +-static int vorbis_read_header (SF_PRIVATE *psf, int log_data) ; +-static int vorbis_write_header (SF_PRIVATE *psf, int calc_length) ; +-static int vorbis_close (SF_PRIVATE *psf) ; +-static int vorbis_command (SF_PRIVATE *psf, int command, void *data, int datasize) ; +-static int vorbis_byterate (SF_PRIVATE *psf) ; +-static sf_count_t vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) ; +-static sf_count_t vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t len) ; +-static sf_count_t vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t len) ; +-static sf_count_t vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t len) ; +-static sf_count_t vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t len) ; +-static sf_count_t vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t len) ; +-static sf_count_t vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t len) ; +-static sf_count_t vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t len) ; +-static sf_count_t vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t len) ; +-static sf_count_t vorbis_read_sample (SF_PRIVATE *psf, void *ptr, sf_count_t lens, convert_func *transfn) ; +-static sf_count_t vorbis_length (SF_PRIVATE *psf) ; +- + typedef struct + { int id ; + const char *name ; +@@ -129,6 +110,42 @@ typedef struct + double quality ; + } VORBIS_PRIVATE ; + ++typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ; ++ ++static int vorbis_read_header (SF_PRIVATE *psf, int log_data) ; ++static int vorbis_write_header (SF_PRIVATE *psf, int calc_length) ; ++static int vorbis_close (SF_PRIVATE *psf) ; ++static int vorbis_command (SF_PRIVATE *psf, int command, void *data, int datasize) ; ++static int vorbis_byterate (SF_PRIVATE *psf) ; ++static sf_count_t vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) ; ++static sf_count_t vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t len) ; ++static sf_count_t vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t len) ; ++static sf_count_t vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t len) ; ++static sf_count_t vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t len) ; ++static sf_count_t vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t len) ; ++static sf_count_t vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t len) ; ++static sf_count_t vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t len) ; ++static sf_count_t vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t len) ; ++static sf_count_t vorbis_read_sample (SF_PRIVATE *psf, void *ptr, sf_count_t lens, convert_func *transfn) ; ++static sf_count_t vorbis_length (SF_PRIVATE *psf) ; ++static int vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE *vdata, int in_frames) ; ++static void vorbis_log_error (SF_PRIVATE *psf, int error) ; ++ ++ ++static void ++vorbis_log_error(SF_PRIVATE *psf, int error) { ++ switch (error) ++ { case 0: return; ++ case OV_EIMPL: psf->error = SFE_UNIMPLEMENTED ; break ; ++ case OV_ENOTVORBIS: psf->error = SFE_MALFORMED_FILE ; break ; ++ case OV_EBADHEADER: psf->error = SFE_MALFORMED_FILE ; break ; ++ case OV_EVERSION: psf->error = SFE_UNSUPPORTED_ENCODING ; break ; ++ case OV_EFAULT: ++ case OV_EINVAL: ++ default: psf->error = SFE_INTERNAL ; ++ } ; ++} ; ++ + static int + vorbis_read_header (SF_PRIVATE *psf, int log_data) + { +@@ -412,7 +429,6 @@ vorbis_write_header (SF_PRIVATE *psf, in + { ogg_packet header ; + ogg_packet header_comm ; + ogg_packet header_code ; +- int result ; + + vorbis_analysis_headerout (&vdata->vdsp, &vdata->vcomment, &header, &header_comm, &header_code) ; + ogg_stream_packetin (&odata->ostream, &header) ; /* automatically placed in its own page */ +@@ -422,9 +438,9 @@ vorbis_write_header (SF_PRIVATE *psf, in + /* This ensures the actual + * audio data will start on a new page, as per spec + */ +- while ((result = ogg_stream_flush (&odata->ostream, &odata->opage)) != 0) +- { ogg_write_page (psf, &odata->opage) ; +- } ; ++ while (ogg_stream_flush (&odata->ostream, &odata->opage)) ++ if (ogg_write_page (psf, &odata->opage) < 0) ++ return -1 ; + } + + return 0 ; +@@ -434,6 +450,7 @@ static int + vorbis_close (SF_PRIVATE *psf) + { OGG_PRIVATE* odata = psf->container_data ; + VORBIS_PRIVATE *vdata = psf->codec_data ; ++ int ret = 0 ; + + if (odata == NULL || vdata == NULL) + return 0 ; +@@ -444,34 +461,14 @@ vorbis_close (SF_PRIVATE *psf) + if (psf->file.mode == SFM_WRITE) + { + if (psf->write_current <= 0) +- vorbis_write_header (psf, 0) ; +- +- vorbis_analysis_wrote (&vdata->vdsp, 0) ; +- while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock) == 1) +- { ++ ret = vorbis_write_header (psf, 0) ; + +- /* analysis, assume we want to use bitrate management */ +- vorbis_analysis (&vdata->vblock, NULL) ; +- vorbis_bitrate_addblock (&vdata->vblock) ; +- +- while (vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket)) +- { /* weld the packet into the bitstream */ +- ogg_stream_packetin (&odata->ostream, &odata->opacket) ; +- +- /* write out pages (if any) */ +- while (!odata->eos) +- { int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ; +- if (result == 0) break ; +- ogg_write_page (psf, &odata->opage) ; +- +- /* this could be set above, but for illustrative purposes, I do +- it here (to show that vorbis does know where the stream ends) */ +- +- if (ogg_page_eos (&odata->opage)) odata->eos = 1 ; +- } +- } +- } +- } ++ if (ret == 0) ++ { /* A write of zero samples tells Vorbis the stream is done and to ++ flush. */ ++ ret = vorbis_write_samples (psf, odata, vdata, 0) ; ++ } ; ++ } ; + + /* ogg_page and ogg_packet structs always point to storage in + libvorbis. They are never freed or manipulated directly */ +@@ -481,7 +478,7 @@ vorbis_close (SF_PRIVATE *psf) + vorbis_comment_clear (&vdata->vcomment) ; + vorbis_info_clear (&vdata->vinfo) ; + +- return 0 ; ++ return ret ; + } /* vorbis_close */ + + int +@@ -750,33 +747,40 @@ vorbis_read_d (SF_PRIVATE *psf, double * + /*============================================================================== + */ + +-static void ++static int + vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE *vdata, int in_frames) +-{ +- vorbis_analysis_wrote (&vdata->vdsp, in_frames) ; ++{ int ret ; ++ ++ if ((ret = vorbis_analysis_wrote (&vdata->vdsp, in_frames)) != 0) ++ return ret ; + + /* + ** Vorbis does some data preanalysis, then divvies up blocks for + ** more involved (potentially parallel) processing. Get a single + ** block for encoding now. + */ +- while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock) == 1) ++ while ((ret = vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock)) == 1) + { + /* analysis, assume we want to use bitrate management */ +- vorbis_analysis (&vdata->vblock, NULL) ; +- vorbis_bitrate_addblock (&vdata->vblock) ; ++ if ((ret = vorbis_analysis (&vdata->vblock, NULL)) != 0) ++ return ret ; ++ if ((ret = vorbis_bitrate_addblock (&vdata->vblock)) != 0) ++ return ret ; + +- while (vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket)) ++ while ((ret = vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket)) == 1) + { + /* weld the packet into the bitstream */ +- ogg_stream_packetin (&odata->ostream, &odata->opacket) ; ++ if ((ret = ogg_stream_packetin (&odata->ostream, &odata->opacket)) != 0) ++ return ret ; + + /* write out pages (if any) */ + while (!odata->eos) +- { int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ; +- if (result == 0) ++ { ret = ogg_stream_pageout (&odata->ostream, &odata->opage) ; ++ if (ret == 0) + break ; +- ogg_write_page (psf, &odata->opage) ; ++ ++ if (ogg_write_page (psf, &odata->opage) < 0) ++ return -1 ; + + /* This could be set above, but for illustrative purposes, I do + ** it here (to show that vorbis does know where the stream ends) */ +@@ -784,16 +788,22 @@ vorbis_write_samples (SF_PRIVATE *psf, O + odata->eos = 1 ; + } ; + } ; ++ if (ret != 0) ++ return ret ; + } ; ++ if (ret != 0) ++ return ret ; + + vdata->loc += in_frames ; ++ ++ return 0 ; + } /* vorbis_write_data */ + + + static sf_count_t + vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t lens) + { +- int i, m, j = 0 ; ++ int i, m, j = 0, ret ; + OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ; + VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ; + int in_frames = lens / psf->sf.channels ; +@@ -802,14 +812,17 @@ vorbis_write_s (SF_PRIVATE *psf, const s + for (m = 0 ; m < psf->sf.channels ; m++) + buffer [m][i] = (float) (ptr [j++]) / 32767.0f ; + +- vorbis_write_samples (psf, odata, vdata, in_frames) ; ++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames))) ++ { vorbis_log_error (psf, ret) ; ++ return 0 ; ++ } ; + + return lens ; + } /* vorbis_write_s */ + + static sf_count_t + vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t lens) +-{ int i, m, j = 0 ; ++{ int i, m, j = 0, ret ; + OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ; + VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ; + int in_frames = lens / psf->sf.channels ; +@@ -818,14 +831,17 @@ vorbis_write_i (SF_PRIVATE *psf, const i + for (m = 0 ; m < psf->sf.channels ; m++) + buffer [m][i] = (float) (ptr [j++]) / 2147483647.0f ; + +- vorbis_write_samples (psf, odata, vdata, in_frames) ; ++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames))) ++ { vorbis_log_error (psf, ret) ; ++ return 0 ; ++ } ; + + return lens ; + } /* vorbis_write_i */ + + static sf_count_t + vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t lens) +-{ int i, m, j = 0 ; ++{ int i, m, j = 0, ret ; + OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ; + VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ; + int in_frames = lens / psf->sf.channels ; +@@ -834,14 +850,17 @@ vorbis_write_f (SF_PRIVATE *psf, const f + for (m = 0 ; m < psf->sf.channels ; m++) + buffer [m][i] = ptr [j++] ; + +- vorbis_write_samples (psf, odata, vdata, in_frames) ; ++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0) ++ { vorbis_log_error (psf, ret) ; ++ return 0 ; ++ } ; + + return lens ; + } /* vorbis_write_f */ + + static sf_count_t + vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t lens) +-{ int i, m, j = 0 ; ++{ int i, m, j = 0, ret ; + OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ; + VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ; + int in_frames = lens / psf->sf.channels ; +@@ -850,7 +869,10 @@ vorbis_write_d (SF_PRIVATE *psf, const d + for (m = 0 ; m < psf->sf.channels ; m++) + buffer [m][i] = (float) ptr [j++] ; + +- vorbis_write_samples (psf, odata, vdata, in_frames) ; ++ if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0) ++ { vorbis_log_error (psf, ret) ; ++ return 0 ; ++ } ; + + return lens ; + } /* vorbis_write_d */ diff --git a/SPECS/libsndfile.spec b/SPECS/libsndfile.spec index 7393b53..ec15180 100644 --- a/SPECS/libsndfile.spec +++ b/SPECS/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 13%{?dist} +Release: 16%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -21,6 +21,11 @@ Patch9: libsndfile-1.0.28-cve_2018_19662.patch # from upstream, for <= 1.0.31, rhbz#1985028 Patch10: libsndfile-1.0.31-deb669ee.patch Patch11: libsndfile-1.0.31-ced91d7b.patch +# from upstream, fix #RHEL-3750, for <= 1.2.2 +Patch12: libsndfile-1.0.31-pullrequest979.patch +# from upstream, for <= 1.2.2, #RHEL-65095 +Patch13: libsndfile-1.0.28-cve-2024-50612prereq.patch +Patch14: libsndfile-1.2.2-cve-2024-50612.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel @@ -65,18 +70,21 @@ This package contains command line utilities for libsndfile. %prep %setup -q -%patch0 -p1 -b .systemgsm -%patch1 -p1 -b .zerodivfix -%patch2 -p1 -b .revert -%patch3 -p1 -b .flacbufovfl -%patch4 -p1 -b .cve2017_6892 -%patch5 -p1 -b .cve2017_12562 -%patch6 -p1 -b .fixfree -%patch7 -p1 -b .vafix -%patch8 -p1 -b .CVE_2018_13139 -%patch9 -p1 -b .cve_2018_19662 -%patch10 -p1 -b .deb669ee -%patch11 -p1 -b .ced91d7b +%patch -P 0 -p1 -b .systemgsm +%patch -P 1 -p1 -b .zerodivfix +%patch -P 2 -p1 -b .revert +%patch -P 3 -p1 -b .flacbufovfl +%patch -P 4 -p1 -b .cve2017_6892 +%patch -P 5 -p1 -b .cve2017_12562 +%patch -P 6 -p1 -b .fixfree +%patch -P 7 -p1 -b .vafix +%patch -P 8 -p1 -b .CVE_2018_13139 +%patch -P 9 -p1 -b .cve_2018_19662 +%patch -P 10 -p1 -b .deb669ee +%patch -P 11 -p1 -b .ced91d7b +%patch -P 12 -p1 -b .pullrequest979 +%patch -P 13 -p1 -b .cve-2024-50612prereq +%patch -P 14 -p1 -b .cve-2024-50612 rm -r src/GSM610 %build @@ -172,6 +180,15 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Tue Nov 26 2024 Michal Hlavinka - 1.0.28-16 +- fix prerequisit patch (#RHEL-65093) + +* Wed Nov 20 2024 Michal Hlavinka - 1.0.28-15 +- fix crash in ogg vorbis (#RHEL-65093) (CVE-2024-50612) + +* Wed Nov 01 2023 Michal Hlavinka - 1.0.28-14 +- fix integer overflows causing CVE-2022-33065 (#RHEL-3750) + * Fri Oct 14 2022 Michal Hlavinka - 1.0.28-13 - rebuild (#2118285)