diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..17f621d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libvorbis-1.3.6.tar.xz
diff --git a/.libvorbis.metadata b/.libvorbis.metadata
new file mode 100644
index 0000000..d321f11
--- /dev/null
+++ b/.libvorbis.metadata
@@ -0,0 +1 @@
+237e3d1c66452734fd9b32f494f44238b4f0185e SOURCES/libvorbis-1.3.6.tar.xz
diff --git a/SOURCES/libvorbis-1.3.6-git.patch b/SOURCES/libvorbis-1.3.6-git.patch
new file mode 100644
index 0000000..e7714d2
--- /dev/null
+++ b/SOURCES/libvorbis-1.3.6-git.patch
@@ -0,0 +1,215 @@ +diff --git a/Brewfile b/Brewfile +new file mode 100644 +index 0000000..af81e5b +--- /dev/null ++++ b/Brewfile +@@ -0,0 +1,3 @@ ++brew 'doxygen' ++brew 'libogg' ++brew 'xz' +diff --git a/Makefile.am b/Makefile.am +index c35131a..3feaf72 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -26,7 +26,7 @@ EXTRA_DIST = \ + vorbisenc-uninstalled.pc.in \ + vorbisfile-uninstalled.pc.in \ + symbian \ +- macosx win32 ++ macosx win32 CMakeLists.txt + + + DISTCHECK_CONFIGURE_FLAGS = --enable-docs +diff --git a/contrib/oss-fuzz/build.sh b/contrib/oss-fuzz/build.sh +new file mode 100755 +index 0000000..29e7f38 +--- /dev/null ++++ b/contrib/oss-fuzz/build.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash -eu ++ ++pushd $SRC ++mv people.xiph.org/*.ogg decode_corpus/ ++zip -r "$OUT/decode_fuzzer_seed_corpus.zip" decode_corpus/ ++popd ++ ++pushd $SRC/ogg ++./autogen.sh ++./configure --prefix="$WORK" --enable-static --disable-shared --disable-crc ++make clean ++make -j$(nproc) ++make install ++popd ++ ++ ++./autogen.sh ++./configure --prefix="$WORK" --enable-static --disable-shared ++make clean ++make -j$(nproc) ++make install ++ ++$CXX $CXXFLAGS $SRC/vorbis/contrib/oss-fuzz/decode_fuzzer.cc -o $OUT/decode_fuzzer -L"$WORK/lib" -I"$WORK/include" -lFuzzingEngine -lvorbisfile -lvorbis -logg +diff --git a/contrib/oss-fuzz/decode_fuzzer.cc b/contrib/oss-fuzz/decode_fuzzer.cc +new file mode 100644 +index 0000000..b8840c1 +--- /dev/null ++++ b/contrib/oss-fuzz/decode_fuzzer.cc +@@ -0,0 +1,48 @@ ++#include ++#include ++#include ++#include ++ ++struct vorbis_data { ++ const uint8_t *current; ++ const uint8_t *data; ++ size_t size; ++}; ++ ++size_t read_func(void *ptr, size_t size1, size_t size2, void *datasource) { ++ vorbis_data* vd = (vorbis_data *)(datasource); ++ size_t len = size1 * size2; ++ if (vd->current + len > vd->data + vd->size) { ++ len = vd->data + vd->size - vd->current; ++ } ++ memcpy(ptr, vd->current, len); ++ vd->current += len; ++ return len; ++} ++ ++ ++extern "C" int 
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ++ ov_callbacks memory_callbacks = {0}; ++ memory_callbacks.read_func = read_func; ++ vorbis_data data_st; ++ data_st.size = Size; ++ data_st.current = Data; ++ data_st.data = Data; ++ OggVorbis_File vf; ++ int result = ov_open_callbacks(&data_st, &vf, NULL, 0, memory_callbacks); ++ if (result < 0) { ++ return 0; ++ } ++ int current_section = 0; ++ int eof = 0; ++ char buf[4096]; ++ int read_result; ++ while (!eof) { ++ read_result = ov_read(&vf, buf, sizeof(buf), 0, 2, 1, ¤t_section); ++ if (read_result != OV_HOLE && read_result <= 0) { ++ eof = 1; ++ } ++ } ++ ov_clear(&vf); ++ return 0; ++} +diff --git a/lib/Makefile.am b/lib/Makefile.am +index cd5afdf..e22895e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -35,7 +35,7 @@ psytune_SOURCES = psytune.c + psytune_LDFLAGS = -static + psytune_LDADD = libvorbis.la + +-EXTRA_DIST = lookups.pl ++EXTRA_DIST = lookups.pl CMakeLists.txt + + # build and run the self tests on 'make check' + +diff --git a/lib/info.c b/lib/info.c +index 3fbb7c7..23efa25 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -203,6 +203,7 @@ void vorbis_info_clear(vorbis_info *vi){ + + static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){ + codec_setup_info *ci=vi->codec_setup; ++ int bs; + if(!ci)return(OV_EFAULT); + + vi->version=oggpack_read(opb,32); +@@ -215,8 +216,12 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){ + vi->bitrate_nominal=(ogg_int32_t)oggpack_read(opb,32); + vi->bitrate_lower=(ogg_int32_t)oggpack_read(opb,32); + +- ci->blocksizes[0]=1<blocksizes[1]=1<blocksizes[0]=1<blocksizes[1]=1<rate<1)goto err_out; + if(vi->channels<1)goto err_out; +diff --git a/lib/os.h b/lib/os.h +index 416a401..e098926 100644 +--- a/lib/os.h ++++ b/lib/os.h +@@ -120,7 +120,7 @@ static inline int vorbis_ftoi(double f){ /* yes, double! Otherwise, + /* MSVC inline assembly. 
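Review bot: In `read_func` of contrib/oss-fuzz/decode_fuzzer.cc the bounds test `vd->current + len > vd->data + vd->size` forms a pointer beyond the end of the input whenever the request is larger than what is left, which is undefined behaviour and can wrap for a large `len`; `size1 * size2` is also multiplied without an overflow check. Comparing lengths instead of pointers avoids the first problem: `size_t left = (size_t)(vd->data + vd->size - vd->current);` followed by `if (len > left) len = left;`. A harness with undefined behaviour of its own makes sanitizer findings harder to attribute to the library, so it is worth keeping the callback strictly in bounds.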
32 bit only; inline ASM isn't implemented in the + * 64 bit compiler and doesn't work on arm. */ + #if defined(_MSC_VER) && !defined(_WIN64) && \ +- !defined(_WIN32_WCE) && !defined(_M_ARM) ++ !defined(_WIN32_WCE) && !defined(_M_ARM) && !defined(_M_ARM64) + # define VORBIS_FPU_CONTROL + + typedef ogg_int16_t vorbis_fpu_control; +diff --git a/lib/psy.c b/lib/psy.c +index 422c6f1..1310123 100644 +--- a/lib/psy.c ++++ b/lib/psy.c +@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b, + for (i = 0, x = 0.f;; i++, x += 1.f) { + + lo = b[i] >> 16; +- if( lo>=0 ) break; + hi = b[i] & 0xffff; ++ if( lo>=0 ) break; ++ if( hi>=n ) break; + + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +diff --git a/lib/sharedbook.c b/lib/sharedbook.c +index 4545d4f..8d73daa 100644 +--- a/lib/sharedbook.c ++++ b/lib/sharedbook.c +@@ -62,7 +62,15 @@ float _float32_unpack(long val){ + int sign=val&0x80000000; + long exp =(val&0x7fe00000L)>>VQ_FMAN; + if(sign)mant= -mant; +- return(ldexp(mant,exp-(VQ_FMAN-1)-VQ_FEXP_BIAS)); ++ exp=exp-(VQ_FMAN-1)-VQ_FEXP_BIAS; ++ /* clamp excessive exponent values */ ++ if (exp>63){ ++ exp=63; ++ } ++ if (exp<-63){ ++ exp-63; ++ } ++ return(ldexp(mant,exp)); + } + + /* given a list of word lengths, generate a list of codewords. 
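Review bot: In the `bark_noise_hybridmp` hunk of lib/psy.c the added `if( hi>=n ) break;` bounds only `hi`; `N[-lo]` and `X[-lo]` are still indexed with an unchecked `-lo`, and the loop header `for (i = 0, x = 0.f;; i++, x += 1.f)` has no condition on `i`, so `b[i]` is read before either break can fire. Whether the table passed in `b` already guarantees both is not visible here, since the function starts and ends outside the hunk. If it does not, the first test could become `if( lo>=0 || -lo>=n ) break;` and the header could carry `i<n`. A short comment stating what the high and low halves of `b[i]` encode would make the intent of the two breaks clear.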
Works +diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c +index 4a4607c..64a51b5 100644 +--- a/lib/vorbisenc.c ++++ b/lib/vorbisenc.c +@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){ + highlevel_encode_setup *hi=&ci->hi; + + if(ci==NULL)return(OV_EINVAL); ++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL); + if(!hi->impulse_block_p)i0=1; + + /* too low/high an ATH floater is nonsensical, but doesn't break anything */ +@@ -1210,7 +1211,7 @@ int vorbis_encode_ctl(vorbis_info *vi,int number,void *arg){ + hi->req, + hi->managed, + &new_base); +- if(!hi->setup)return OV_EIMPL; ++ if(!new_template)return OV_EIMPL; + hi->setup=new_template; + hi->base_setting=new_base; + vorbis_encode_setup_setting(vi,vi->channels,vi->rate); diff --git a/SPECS/libvorbis.spec b/SPECS/libvorbis.spec new file mode 100644 index 0000000..f87a64f --- /dev/null +++ b/SPECS/libvorbis.spec 
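Review bot: The lower clamp added to `_float32_unpack` in lib/sharedbook.c has no effect: `exp-63;` is an expression statement whose result is discarded, so an exponent below -63 still reaches `ldexp` unclamped. It should be an assignment, `exp=-63;`, mirroring `exp=63;` in the branch above it. Compilers report this line under `-Wunused-value` (part of `-Wall`), so building the patched tree with warnings enabled would have caught it. The start of the function is outside the hunk.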
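Review bot: The literal 255 in the new `if(vi->channels<1||vi->channels>255)return(OV_EINVAL);` in `vorbis_encode_setup_init` (lib/vorbisenc.c) is unexplained; a comment such as `/* reject channel counts the stream header cannot represent */` would document it, assuming that is the reason, which this page does not show. Both this check and the existing `ci==NULL` test sit after the context line `highlevel_encode_setup *hi=&ci->hi;`, so `ci` has already been used to form that address by the time it is tested; moving the `hi` assignment below the guards would put the validation first. The declaration of `ci` and the rest of the function are outside the hunk.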
@@ -0,0 +1,305 @@
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
+
+Summary: The Vorbis General Audio Compression Codec
+Name: libvorbis
+Version: 1.3.6
+Release: 2%{?dist}
+Epoch: 1
+Group: System Environment/Libraries
+License: BSD
+URL: https://www.xiph.org/
+Source: https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz
+BuildRequires: pkgconfig(ogg) >= 1.0
+
+# sync with git as of
+#
+# commit 46e70fa6573e206c2555cd99a53204ffd6bf58fd
+# Author: Minmin Gong
+# Date: Wed Jul 4 21:37:54 2018 -0700
+#
+# Fix the compiling errors on msvc ARM64 configuration.
+#
+# Fixes:
+# CVE-2017-14160
+# CVE-2018-10392
+# CVE-2018-10393
+Patch0: libvorbis-1.3.6-git.patch
+
+%description
+Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
+general-purpose compressed audio format for audio and music at fixed
+and variable bitrates.
+
+The libvorbis package contains runtime libraries for use in programs
+that support Ogg Vorbis.
+
+%package devel
+Summary: Development tools for Vorbis applications
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description devel
+The libvorbis-devel package contains the header files and documentation
+needed to develop applications with Ogg Vorbis.
+
+%package devel-docs
+Summary: Documentation for developing Vorbis applications
+Group: Development/Libraries
+Requires: %{name}-devel = %{epoch}:%{version}-%{release}
+BuildArch: noarch
+
+%description devel-docs
+Documentation for developing applications with libvorbis.
+
+%prep
+
+%setup -q
+%patch0 -p1
+sed -i "s|-O20|$RPM_OPT_FLAGS|" configure
+sed -i "s/-ffast-math//" configure
+sed -i "s/-mcpu=750//" configure
+
+%build
+%configure --disable-static
+%make_build
+
+%install
+%make_install docdir=%{_pkgdocdir}
+# remove unpackaged files from the buildroot
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+
+%check
+make check
+
+%files
+%doc AUTHORS
+%license COPYING
+%{_libdir}/libvorbis.so.*
+%{_libdir}/libvorbisfile.so.*
+%{_libdir}/libvorbisenc.so.*
+
+%files devel
+%{_includedir}/vorbis
+%{_libdir}/libvorbis.so
+%{_libdir}/libvorbisfile.so
+%{_libdir}/libvorbisenc.so
+%{_libdir}/pkgconfig/*.pc
+%{_datadir}/aclocal/vorbis.m4
+
+%files devel-docs
+%{_pkgdocdir}/*
+%exclude %{_pkgdocdir}/doxygen-build.stamp
+
+%ldconfig_scriptlets
+
+%changelog
+* Wed May 29 2019 Adam Jackson - 1.3.6-2
+- Sync with git for CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
+
+* Fri Mar 16 2018 Adam Jackson - 1.3.6-1
+- libvorbis 1.3.6
+
+* Wed Feb 07 2018 Fedora Release Engineering - 1:1.3.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko - 1:1.3.5-5
+- Switch to %%ldconfig_scriptlets
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:1.3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:1.3.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:1.3.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 14 2016 David King - 1.3.5-1
+- Update to 1.3.5 (#1197923)
+- Use license macro for COPYING
+- Tighten subpackage dependencies
+- Use make_install and make_build macros
+- Use pkgconfig for BuildRequires
+- Remove unnecessary Requires from devel subpackage
+- Remove obsolete Obsoletes
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:1.3.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Yaakov Selkowitz - 1:1.3.4-5
+- Fix build for https://fedoraproject.org/wiki/Changes/Harden_All_Packages
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:1.3.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1:1.3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1:1.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed Jan 22 2014 Peter Robinson 1.3.4-1
+- libvorbis 1.3.4
+
+* Wed Jan 15 2014 Adam Jackson 1.3.3-7
+- Nuke -mcpu=750 from cflags for PPC, that plus -mcpu=power7 confuses gcc.
+
+* Thu Aug 8 2013 Ville Skyttä - 1:1.3.3-6
+- Install docs to %%{_pkgdocdir} where available (#993967).
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1:1.3.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1:1.3.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Ville Skyttä - 1:1.3.3-3
+- Run test suite during build.
+- Fix doc file permissions and duplicate doc dir ownership.
+- rpmlint warning fixes.
+
+* Thu Jul 19 2012 Fedora Release Engineering - 1:1.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Feb 13 2012 Adam Jackson 1.3.3-1
+- libvorbis 1.3.3 (#787635)
+
+* Wed Jan 04 2012 Jindrich Novy 1.3.2-2
+- ship documentation only in -doc subpackage and only license
+ in -devel (#540634) - thanks to Edward Sheldrake
+- -devel-doc subpackage requires -devel
+
+* Wed Feb 09 2011 Adam Jackson 1.3.2-1
+- libvorbis 1.3.2
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1:1.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jul 08 2010 Adam Jackson 1.3.1-2
+- Include COPYING in base package too.
+
+* Mon Mar 29 2010 Adam Jackson 1.3.1-1
+- libvorbis 1.3.1. Fixes surround.
+
+* Tue Feb 09 2010 Adam Jackson 1.2.3-5
+- libvorbis-1.2.3-add-needed.patch: Fix FTBFS from --no-add-needed
+
+* Mon Nov 23 2009 Adam Jackson 1.2.3-4
+- Fix doc subpackage build (#540634)
+
+* Mon Nov 2 2009 Jindrich Novy 1.2.3-3
+- backport patches to fix CVE-2009-3379 (#531765) from upstream
+
+* Sat Jul 25 2009 Fedora Release Engineering - 1:1.2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jul 13 2009 Adam Jackson 1.2.3-1
+- libvorbis 1.2.3
+
+* Wed Jul 08 2009 Adam Jackson 1.2.2-2
+- libvorbis-1.2.2-svn16228.patch: Backport a fix from pre-1.2.3 to hopefully
+ fix small sound file playback. (#505610)
+
+* Thu Jul 02 2009 Adam Jackson 1.2.2-1
+- libvorbis 1.2.2
+
+* Wed Jun 03 2009 Adam Jackson 1.2.2-0.1.rc1
+- libvorbis 1.2.2rc1
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1:1.2.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 12 2009 Caolán McNamara -1:1.2.0-6
+- rebuild to get provides pkgconfig(vorbisenc)
+
+* Sun Sep 7 2008 Hans de Goede -1:1.2.0-5
+- Fix patch fuzz build failure
+
+* Wed May 14 2008 Jindrich Novy - 1:1.2.0-4
+- fix CVE-2008-1420, CVE-2008-1419, CVE-2008-1423 (#446344)
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1:1.2.0-3
+- Autorebuild for GCC 4.3
+
+* Sun Oct 21 2007 Hans de Goede - 1:1.2.0-2
+- Don't include Makefile's in %%doc, avoiding a multilib conflict (bz 342481)
+
+* Mon Oct 15 2007 Behdad Esfahbod - 1:1.2.0-1
+- Update to 1.2.0
+- Resolves: #250115
+
+* Thu Aug 23 2007 Adam Jackson - 1:1.1.2-4
+- Rebuild for build ID
+
+* Mon Jun 25 2007 Matthias Clasen - 1:1.1.2-3
+- Fix typos in %%description (#245471)
+
+* Thu Feb 8 2007 Matthias Clasen - 1:1.1.2-2
+- Package review cleanups
+- Don't ship static libraries
+
+* Wed Jul 12 2006 Jesse Keating - 1:1.1.2-1.2.1
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating - 1:1.1.2-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1:1.1.2-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Wed Jan 18 2006 John (J5) Palmieri 1:1.1.2-1
+- Update to 1.1.2
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Wed Mar 02 2005 John (J5) Palmieri 1:1.1.1-1
+- Update to 1.1.1
+
+* Wed Mar 02 2005 John (J5) Palmieri 1:1.1.0-2
+- rebuild with gcc 4.0
+
+* Wed Sep 29 2004 Colin Walters 1:1.1.0-1
+- Update to 1.1.0
+- Remove upstreamed patch libvorbis-underquoted.patch
+
+* Wed Sep 29 2004 Warren Togami 1:1.0.1-5
+- link to .pdf spec rather than ship redundant copy
+- spec cleanups
+
+* Thu Jul 15 2004 Tim Waugh 1:1.0.1-4
+- Fixed warnings in shipped m4 file.
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Dec 11 2003 Bill Nottingham 1:1.0.1-1
+- update to 1.0.1
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Mon Feb 24 2003 Elliot Lee
+- rebuilt
+
+* Fri Feb 21 2003 Elliot lee 1:1.0-6
+- Fix #81026 by updating libvorbis-1.0-m4.patch
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Wed Dec 11 2002 Bill Nottingham 1:1.0-4
+- add epochs to dependencies, to avoid 1.0rc3 >= 1.0 miscomparisons
+ (#79374)
+- fix vorbis.m4
+
+* Fri Nov 29 2002 Tim Powers 1:1.0-2
+- remove unpackaged files from the buildroot
+- tell configure where ogg libs are
+- lib64'ize