diff --git a/SOURCES/wavpack-0006-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch b/SOURCES/wavpack-0006-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
new file mode 100644
index 0000000..dc4206a
--- /dev/null
+++ b/SOURCES/wavpack-0006-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
@@ -0,0 +1,12 @@
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 7beffe6..59548b1 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ int format_chunk = 0;
+ uint32_t bcount;
+
++ CLEAR (WaveHeader);
+ infilesize = DoGetFileSize (infile);
+ memcpy (&filehdr, fourcc, 4);
+
diff --git a/SOURCES/wavpack-0007-issue-53-error-out-on-zero-sample-rate.patch b/SOURCES/wavpack-0007-issue-53-error-out-on-zero-sample-rate.patch
new file mode 100644
index 0000000..0907b09
--- /dev/null
+++ b/SOURCES/wavpack-0007-issue-53-error-out-on-zero-sample-rate.patch
@@ -0,0 +1,16 @@
+diff --git a/src/pack_utils.c b/src/pack_utils.c
+index 2253f0d..2a83497 100644
+--- a/src/pack_utils.c
++++ b/src/pack_utils.c
+@@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
+ int num_chans = config->num_channels;
+ int i;
+
++ if (!config->sample_rate) {
++ strcpy (wpc->error_message, "sample rate cannot be zero!");
++ return FALSE;
++ }
++
+ wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS;
+
+ if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) {
diff --git a/SOURCES/wavpack-0008-issue-65-67-fortify-dsdiff-file-parsing.patch b/SOURCES/wavpack-0008-issue-65-67-fortify-dsdiff-file-parsing.patch
new file mode 100644
index 0000000..672b28d
--- /dev/null
+++ b/SOURCES/wavpack-0008-issue-65-67-fortify-dsdiff-file-parsing.patch
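Review bot: Zeroing `WaveHeader` in `ParseWave64HeaderConfig` (cli/wave64.c) makes a missing format chunk deterministic but does not reject it; a file whose data chunk arrives before any format chunk would still be processed with all-zero header fields unless the data-chunk branch tests `format_chunk`. That branch lies outside the hunk, so this needs checking against the full function; the CAF patch in this same commit gates its data chunk on `desc_chunk`, and the equivalent here would be to return `WAVPACK_SOFT_ERROR` when `format_chunk` is still 0. A short comment on the new line would also record the intent, e.g. `/* zero the header so a file without a format chunk cannot expose uninitialized memory */`.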
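Review bot: The new guard in `WavpackSetConfiguration64` (src/pack_utils.c) rejects only a rate of exactly zero; if `sample_rate` is a signed field (its declaration is not in the hunk), a negative value taken from a malformed header still passes, and `if (config->sample_rate <= 0) {` would cover both cases. The `strcpy` into `wpc->error_message` is safe only while the literal fits that buffer, whose size is declared elsewhere; if `error_message` is an array rather than a pointer, a bounded copy such as `snprintf (wpc->error_message, sizeof (wpc->error_message), "%s", "sample rate cannot be zero!");` is worth considering. The function body continues outside the hunk.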
@@ -0,0 +1,39 @@
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index 410dc1c..a592fdc 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -170,8 +170,8 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+
+ if (!strncmp (prop_chunk, "SND ", 4)) {
+ char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize;
+- uint16_t numChannels, chansSpecified, chanMask = 0;
+- uint32_t sampleRate;
++ uint16_t numChannels = 0, chansSpecified, chanMask = 0;
++ uint32_t sampleRate = 0;
+
+ while (eptr - cptr >= sizeof (dff_chunk_header)) {
+ memcpy (&dff_chunk_header, cptr, sizeof (dff_chunk_header));
+@@ -194,6 +194,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+
+ chansSpecified = (int)(dff_chunk_header.ckDataSize - sizeof (numChannels)) / 4;
+
++ if (numChannels < chansSpecified || numChannels < 1 || numChannels > 256) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ free (prop_chunk);
++ return WAVPACK_SOFT_ERROR;
++ }
++
+ while (chansSpecified--) {
+ if (!strncmp (cptr, "SLFT", 4) || !strncmp (cptr, "MLFT", 4))
+ chanMask |= 0x1;
+@@ -263,6 +269,10 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ free (prop_chunk);
+ }
+ else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) {
++ if (!config->num_channels || !config->sample_rate) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
+ total_samples = dff_chunk_header.ckDataSize / config->num_channels;
+ break;
+ }
diff --git a/SOURCES/wavpack-0009-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch b/SOURCES/wavpack-0009-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
new file mode 100644
index 0000000..57bcaf9
--- /dev/null
+++ b/SOURCES/wavpack-0009-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
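Review bot: In the second hunk of cli/dsdiff.c (`ParseDsdiffHeaderConfig`), `chansSpecified` is a `uint16_t`, so the quotient `(int)(dff_chunk_header.ckDataSize - sizeof (numChannels)) / 4` is narrowed to 16 bits before the new `numChannels < chansSpecified` test sees it; a chunk size that yields a count of 65536 or more, or a negative one, can wrap to a small value and pass the check. Computing the count in a wider signed variable and range-checking it before narrowing closes that gap, e.g. `int64_t count = ((int64_t) dff_chunk_header.ckDataSize - (int64_t) sizeof (numChannels)) / 4;` followed by `if (count < 0 || count > numChannels || numChannels < 1 || numChannels > 256) {`; the declared type of `ckDataSize` is not in the hunk, so the casts are an assumption. Whether `ckDataSize` has already been bounded against `eptr - cptr` is decided above the hunk and should be confirmed, since the `while (chansSpecified--)` loop reads 4 bytes at `cptr` per entry. The limit 256 would read better as a named constant.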
@@ -0,0 +1,30 @@
+diff --git a/cli/caff.c b/cli/caff.c
+index 2a5e2d9..a35da74 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -152,7 +152,7 @@ static struct {
+
+ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+- uint32_t chan_chunk = 0, channel_layout = 0, bcount;
++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount;
+ unsigned char *channel_identities = NULL;
+ unsigned char *channel_reorder = NULL;
+ int64_t total_samples = 0, infilesize;
+@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ }
+
+ WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat);
++ desc_chunk = 1;
+
+ if (debug_logging_mode) {
+ char formatstr [5];
+@@ -458,7 +459,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop
+ uint32_t mEditCount;
+
+- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
+ bcount != sizeof (mEditCount)) {
+ error_line ("%s is not a valid .CAF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
diff --git a/SOURCES/wavpack-0010-issue-54-fix-potential-out-of-bounds-heap-read.patch b/SOURCES/wavpack-0010-issue-54-fix-potential-out-of-bounds-heap-read.patch
new file mode 100644
index 0000000..39a6d5c
--- /dev/null
+++ b/SOURCES/wavpack-0010-issue-54-fix-potential-out-of-bounds-heap-read.patch
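Review bot: The `desc_chunk` flag in `ParseCaffHeaderConfig` (cli/caff.c) is tested only in the `data` branch, so any other chunk handler that reads `caf_audio_format` before a `desc` chunk has been seen is still unguarded; the `chan_chunk` variable in the same declaration suggests at least one such handler, but those branches are outside the hunks. If `caf_audio_format` is a local structure, zero-initializing it at function entry, as the wave64 patch in this commit does with `CLEAR (WaveHeader);`, would make those paths deterministic: `CLEAR (caf_audio_format);`. The flag is also never consulted to reject a second `desc` chunk; if a repeated descriptor should be an error, a test of `desc_chunk` belongs just before the `desc_chunk = 1;` line.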
@@ -0,0 +1,20 @@
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 80051fc..4fe0d67 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+
+ if (meta_bc == 4) {
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+ return FALSE;
+ }
+ else {
+ csum ^= csum >> 16;
+
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+ return FALSE;
+ }
+
diff --git a/SPECS/wavpack.spec b/SPECS/wavpack.spec
index 07ebeb0..5c26fbc 100644
--- a/SPECS/wavpack.spec
+++ b/SPECS/wavpack.spec
@@ -1,7 +1,7 @@
 Name: wavpack
 Summary: A completely open audiocodec
 Version: 5.1.0
-Release: 9%{?dist}
+Release: 15%{?dist}
 License: BSD
 Group: Applications/Multimedia
 Url: http://www.wavpack.com/
@@ -11,6 +11,11 @@ Patch2: wavpack-0002-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fil.patch
 Patch3: wavpack-0003-issue-28-fix-buffer-overflows-and-bad-allocs-on-corr.patch
 Patch4: wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
 Patch5: wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
+Patch6: wavpack-0006-issue-68-clear-WaveHeader-at-start-to-prevent-uninit.patch
+Patch7: wavpack-0007-issue-53-error-out-on-zero-sample-rate.patch
+Patch8: wavpack-0008-issue-65-67-fortify-dsdiff-file-parsing.patch
+Patch9: wavpack-0009-issue-66-make-sure-CAF-files-have-a-desc-chunk.patch
+Patch10: wavpack-0010-issue-54-fix-potential-out-of-bounds-heap-read.patch
 # For autoreconf
 BuildRequires: autoconf
 BuildRequires: automake
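Review bot: The indexed reads in `WavpackVerifySingleBlock` (src/open_utils.c) depend on two things the hunk does not show: that `meta_bc` was already restricted to 2 or 4 and checked against the bytes remaining in the block, and that `dp` is advanced past the checksum exactly once afterwards. The `else` branch reads `dp[0]` and `dp[1]` for every `meta_bc` other than 4, so a missing length check above would still leave a read past the metadata. A comment on the first comparison would keep the post-increments from being reintroduced, e.g. `/* compare in place; dp is advanced by meta_bc after this block */`, provided that matches the code following the hunk.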
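Review bot: `Patch6` through `Patch10` are declared in the SPECS/wavpack.spec hunk at line 11, but the diff contains no hunk touching `%prep`, so they are applied only if the spec already uses `%autosetup` or `%autopatch`; with explicit per-patch `%patchN` lines the five security fixes would be shipped as sources and never applied to the tree. The `%prep` section is not visible in this diff and should be checked, and the build log confirmed to show each of the five patches being applied.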
@@ -65,6 +70,30 @@ rm -f %{buildroot}/%{_libdir}/*.la %doc ChangeLog README %changelog +* Fri Oct 04 2019 Tomas Korbar - 5.1.0-15 +- fix Out-of-bounds read in WavpackVerifySingleBlock function (#1663151) +- CVE-2018-19841 + +* Thu Oct 03 2019 Tomas Korbar - 5.1.0-14 +- fix uninitialized variable in ParseCaffHeaderConfig (#1741251) +- CVE-2019-1010317 + +* Thu Oct 03 2019 Tomas Korbar - 5.1.0-13 +- fortify parsing of .dff files (#1707428, #1733627) +- CVE-2019-1010315 +- CVE-2019-11498 + +* Thu Oct 03 2019 Tomas Korbar - 5.1.0-12 +- fix possible infinite loop in WavpackPackInit function (#1663154) +- CVE-2018-19840 + +* Tue Oct 01 2019 Tomas Korbar - 5.1.0-11 +- Fix issues with gating + +* Mon Sep 30 2019 Tomas Korbar - 5.1.0-10 +- fix uninitialized variable in ParseWave64HeaderConfig (#1741200) +- CVE-2019-1010319 + * Thu Sep 20 2018 Miroslav Lichvar - 5.1.0-9 - Disable assembly optimizations to avoid gaps in annobin coverage (#1630638)