[meta-oe,15/15] audiofile: patch CVE-2017-6839

Message ID	20241227105615.3303193-16-peter.marko@siemens.com
State	Under Review
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.65.228, mailfrom: fm-256628-2024122710582561ccbf9a9e69eda2ed-rqul6_@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-devel@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [meta-oe][PATCH 15/15] audiofile: patch CVE-2017-6839 Date: Fri, 27 Dec 2024 11:56:15 +0100 Message-Id: <20241227105615.3303193-16-peter.marko@siemens.com> In-Reply-To: <20241227105615.3303193-1-peter.marko@siemens.com> References: <20241227105615.3303193-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	4th series for meta-openembedded master \| expand [meta-oe,00/15] 4th series for meta-openembedded master [meta-oe,01/15] uw-imap: patch CVE-2018-19518 [meta-networking,02/15] spice: set CVE-2016-2150 status to fixed [meta-oe,03/15] id3lib: mark CVE-2007-4460 as fixed [meta-oe,04/15] procmail: patch CVE-2014-3618 [meta-oe,05/15] procmail: patch CVE-2017-16844. [meta-oe,06/15] imagemagick: refactor so devtool upgrade works [meta-oe,07/15] imagemagick: upgrade 7.1.1-26 -> 7.1.1-43 [meta-oe,08/15] imagemagick: mark CVE-2023-5341 as fixed [meta-oe,09/15] libwmf; switched to unofficial fork [meta-oe,10/15] limwmf: upgrade 0.2.8.4 -> 0.2.13 [meta-oe,11/15] audiofile: fix multiple CVEs [meta-oe,12/15] audiofile: patch CVE-2017-6829 [meta-oe,13/15] audiofile: fix multiple CVEs [meta-oe,14/15] audiofile: patch CVE-2017-6831 [meta-oe,15/15] audiofile: patch CVE-2017-6839

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 08709a35e3..50df31c7b9 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -17,6 +17,7 @@ SRC_URI = " \ file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \ file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \ + file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \ " SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch new file mode 100644 index 0000000000..857ed78c59 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch @@ -0,0 +1,126 @@ +From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa <larrosa@kde.org> +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> + +CVE: CVE-2017-6839 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. + for (int i=0; i<blocksRead; i++) + { +- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast<int16_t>(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; +-- +2.11.0 +

[meta-oe,15/15] audiofile: patch CVE-2017-6839

Commit Message

Patch