[meta-multimedia,scarthgap,11/11] sox: patch CVE-2019-8354

Message ID	20260126130506.82699-11-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-multimedia][scarthgap][PATCH 11/11] sox: patch CVE-2019-8354 Date: Mon, 26 Jan 2026 14:05:05 +0100 Message-ID: <20260126130506.82699-11-skandigraun@gmail.com> In-Reply-To: <20260126130506.82699-1-skandigraun@gmail.com> References: <20260126130506.82699-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[meta-multimedia,scarthgap,01/11] sox: patch CVE-2017-11332 \| expand [meta-multimedia,scarthgap,01/11] sox: patch CVE-2017-11332 [meta-multimedia,scarthgap,02/11] sox: patch CVE-2017-11358 [meta-multimedia,scarthgap,03/11] sox: patch CVE-2017-11359 [meta-multimedia,scarthgap,04/11] sox: patch CVE-2017-15370 [meta-multimedia,scarthgap,05/11] sox: patch CVE-2017-15371 [meta-multimedia,scarthgap,06/11] sox: patch CVE-2017-15372 [meta-multimedia,scarthgap,07/11] sox: patch CVE-2017-15642 [meta-multimedia,scarthgap,08/11] sox: patch CVE-2017-18189 [meta-multimedia,scarthgap,09/11] sox: mark CVE-2019-1010004 as patched [meta-multimedia,scarthgap,10/11] sox: patch CVE-2019-13590 [meta-multimedia,scarthgap,11/11] sox: patch CVE-2019-8354

Message ID

20260126130506.82699-11-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][scarthgap][PATCH 11/11] sox: patch CVE-2019-8354
Date: Mon, 26 Jan 2026 14:05:05 +0100
Message-ID: <20260126130506.82699-11-skandigraun@gmail.com>
In-Reply-To: <20260126130506.82699-1-skandigraun@gmail.com>
References: <20260126130506.82699-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[meta-multimedia,scarthgap,01/11] sox: patch CVE-2017-11332 | expand

Commit Message

Gyorgy Sarvari Jan. 26, 2026, 1:05 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354

Pick the patch that was identified by Debian[1] as the solution.

[1]: https://security-tracker.debian.org/tracker/CVE-2019-8354

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../sox/sox/CVE-2019-8354.patch               | 29 +++++++++++++++++++
 .../recipes-multimedia/sox/sox_14.4.2.bb      |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2019-8354.patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2019-8354.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2019-8354.patch
new file mode 100644
index 0000000000..c45917c1c9
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2019-8354.patch
@@ -0,0 +1,29 @@ 
+From 5066f093b08b4033f59ea6d99001f059e919239b Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 14:57:34 +0100
+Subject: [PATCH] fix possible buffer size overflow in lsx_make_lpf()
+ (CVE-2019-8354)
+
+The multiplication in the size argument malloc() might overflow,
+resulting in a small buffer being allocated.  Use calloc() instead.
+
+CVE: CVE-2019-8354
+Upstream-Status: Backport [https://github.com/mansr/sox/commit/f70911261a84333b077c29908e1242f69d7439eb]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/effects_i_dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/effects_i_dsp.c b/src/effects_i_dsp.c
+index a979b50..e32dfa0 100644
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -357,7 +357,7 @@ double * lsx_make_lpf(int num_taps, double Fc, double beta, double rho,
+     double scale, sox_bool dc_norm)
+ {
+   int i, m = num_taps - 1;
+-  double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++  double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+   double mult = scale / lsx_bessel_I_0(beta), mult1 = 1 / (.5 * m + rho);
+   assert(Fc >= 0 && Fc <= 1);
+   lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index 5b47382334..24acd882fc 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -39,6 +39,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \
            file://CVE-2017-15642.patch \
            file://CVE-2017-18189.patch \
            file://CVE-2019-13590.patch \
+           file://CVE-2019-8354.patch \
            "
 SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33"
 SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"

[meta-multimedia,scarthgap,11/11] sox: patch CVE-2019-8354

Commit Message

Patch