diff --git a/SOURCES/libsndfile-1.0.28-CVE_2018_13139.patch b/SOURCES/libsndfile-1.0.28-CVE_2018_13139.patch new file mode 100644 index 0000000..f758432 --- /dev/null +++ b/SOURCES/libsndfile-1.0.28-CVE_2018_13139.patch @@ -0,0 +1,31 @@ +From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001 +From: "Brett T. Warden" +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave + +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. + +Fixes #397 +--- + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c +index 53660310..225b4d54 100644 +--- a/programs/sndfile-deinterleave.c ++++ b/programs/sndfile-deinterleave.c +@@ -89,6 +89,13 @@ main (int argc, char **argv) + exit (1) ; + } ; + ++ if (sfinfo.channels > MAX_CHANNELS) ++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", ++ argv [1], sfinfo.channels, MAX_CHANNELS) ; ++ exit (1) ; ++ } ; ++ ++ + state.channels = sfinfo.channels ; + sfinfo.channels = 1 ; + diff --git a/SOURCES/libsndfile-1.0.28-cve_2018_19662.patch b/SOURCES/libsndfile-1.0.28-cve_2018_19662.patch new file mode 100644 index 0000000..d311c11 --- /dev/null +++ b/SOURCES/libsndfile-1.0.28-cve_2018_19662.patch @@ -0,0 +1,91 @@ +From 585cc28a93be27d6938f276af0011401b9f7c0ca Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Mon, 24 Dec 2018 06:43:48 +0100 +Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) + +i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN +properly, leading to buffer underflow. INT_MIN is a special value +since - INT_MIN cannot be represented as int. + +In this case round - INT_MIN to INT_MAX and proceed as usual. + +f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN +properly, leading to null pointer dereference. + +In this case, arbitrarily set the buffer value to 0. + +This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and +fixes #344 (CVE-2017-17456 and CVE-2017-17457). +--- + src/alaw.c | 9 +++++++-- + src/ulaw.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/alaw.c b/src/alaw.c +index 063fd1a2..4220224c 100644 +--- a/src/alaw.c ++++ b/src/alaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include ++#include + + #include "sndfile.h" + #include "common.h" +@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2alaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; + else + buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; +@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; +diff --git a/src/ulaw.c b/src/ulaw.c +index e50b4cb5..b6070ade 100644 +--- a/src/ulaw.c ++++ b/src/ulaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include ++#include + + #include "sndfile.h" + #include "common.h" +@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2ulaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; + else + buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; +@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; diff --git a/SPECS/libsndfile.spec b/SPECS/libsndfile.spec index 368e9f3..e6bd5f6 100644 --- a/SPECS/libsndfile.spec +++ b/SPECS/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 8%{?dist} +Release: 10%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -16,6 +16,8 @@ Patch4: libsndfile-1.0.29-cve2017_6892.patch Patch5: libsndfile-1.0.28-cve2017_12562.patch Patch6: libsndfile-1.0.28-fixfree.patch Patch7: libsndfile-1.0.28-vafix.patch +Patch8: libsndfile-1.0.28-CVE_2018_13139.patch +Patch9: libsndfile-1.0.28-cve_2018_19662.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel @@ -68,6 +70,8 @@ This package contains command line utilities for libsndfile. %patch5 -p1 -b .cve2017_12562 %patch6 -p1 -b .fixfree %patch7 -p1 -b .vafix +%patch8 -p1 -b .CVE_2018_13139 +%patch9 -p1 -b .cve_2018_19662 rm -r src/GSM610 %build @@ -163,6 +167,13 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Wed Nov 20 2019 Michal Hlavinka - 1.0.28-10 +- fix CVE-2018-19661 and CVE-2018-19662 - buffer over-read in the function + i2alaw_array in alaw (#1673085) + +* Wed Oct 30 2019 Michal Hlavinka - 1.0.28-9 +- fix CVE-2018-13139 - stack-based buffer overflow in sndfile-deinterleave utility (#1598482) + * Mon Oct 15 2018 Michal Hlavinka - 1.0.28-8 - fix coverity scan found issues (#1602592)