
[meta-multimedia,scarthgap,06/11] sox: patch CVE-2017-15372

Message ID 20260126130506.82699-6-skandigraun@gmail.com
State New
Series [meta-multimedia,scarthgap,01/11] sox: patch CVE-2017-11332 | expand

Commit Message

Gyorgy Sarvari Jan. 26, 2026, 1:05 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15372

Pick the patch that was identified by Debian[1] as the solution.

[1]: https://security-tracker.debian.org/tracker/CVE-2017-15372

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../sox/sox/CVE-2017-15372.patch              | 100 ++++++++++++++++++
 .../recipes-multimedia/sox/sox_14.4.2.bb      |   1 +
 2 files changed, 101 insertions(+)
 create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-15372.patch

Patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-15372.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-15372.patch
new file mode 100644
index 0000000000..168fded39f
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-15372.patch
@@ -0,0 +1,100 @@ 
+From 13086aa971f5a0a5a644323456a90a9fa96e03c3 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 8 Nov 2017 00:27:46 +0000
+Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+CVE: CVE-2017-15372
+Upstream-Status: Backport [https://github.com/mansr/sox/commit/001c337552912d286ba68086ac378f6fdc1e8b50]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/adpcm.c | 8 +++++++-
+ src/adpcm.h | 3 +++
+ src/wav.c   | 5 ++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/adpcm.c b/src/adpcm.c
+index 2e13867..f64b7d5 100644
+--- a/src/adpcm.c
++++ b/src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = {
+                         { 392,-232}
+ };
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++        return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+                                sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+ 
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++        void *priv,
+         unsigned chans,          /* total channels             */
+         int nCoef,
+         const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+   const unsigned char *ip;
+   unsigned ch;
+   const char *errmsg = NULL;
+-  MsState_t state[4];  /* One decompressor state for each channel */
++  MsState_t *state = priv;  /* One decompressor state for each channel */
+ 
+   /* Read the four-byte header for each channel */
+   ip = ibuff;
+diff --git a/src/adpcm.h b/src/adpcm.h
+index af4d6f0..db5cc61 100644
+--- a/src/adpcm.h
++++ b/src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++	void *priv,
+ 	unsigned chans,          /* total channels             */
+ 	int nCoef,
+ 	const short *coef,
+diff --git a/src/wav.c b/src/wav.c
+index fad334c..066be6d 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+     /* following used by *ADPCM wav files */
+     unsigned short nCoefs;          /* ADPCM: number of coef sets */
+     short         *lsx_ms_adpcm_i_coefs;          /* ADPCM: coef sets           */
++    void          *ms_adpcm_data;   /* Private data of adpcm decoder */
+     unsigned char *packet;          /* Temporary buffer for packets */
+     short         *samples;         /* interleaved samples buffer */
+     short         *samplePtr;       /* Pointer to current sample  */
+@@ -175,7 +176,7 @@ static unsigned short  AdpcmReadBlock(sox_format_t * ft)
+         }
+     }
+ 
+-    errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++    errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+ 
+     if (errmsg)
+         lsx_warn("%s", errmsg);
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft)
+ 
+         /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+         wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++        wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+         {
+             int i, errct=0;
+             for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+     free(wav->packet);
+     free(wav->samples);
+     free(wav->lsx_ms_adpcm_i_coefs);
++    free(wav->ms_adpcm_data);
+     free(wav->comment);
+     wav->comment = NULL;
+ 
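Review bot: The per-channel state buffer is sized from `wChannels` in startread (`wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);`), but AdpcmReadBlock passes `ft->signal.channels` as the channel count to `lsx_ms_adpcm_block_expand_i`, which uses `state` as one entry per channel. Nothing visible in these hunks guarantees the two values are equal at decode time; if `ft->signal.channels` can ever be larger than `wChannels`, the stack overrun this patch removes would reappear as a heap overrun. It would be safer to size the allocation from the same value that is handed to the decoder, or to reject a mismatch in startread before allocating, and to add a comment on `lsx_ms_adpcm_alloc` such as `/* caller must pass the same chans to lsx_ms_adpcm_block_expand_i() */`. Both startread and AdpcmReadBlock continue outside the hunks, so this needs checking against the full wav.c before deviating from the upstream backport.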
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index 4c5452427e..96d0543520 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -35,6 +35,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \
            file://CVE-2017-11359.patch \
            file://CVE-2017-15370.patch \
            file://CVE-2017-15371.patch \
+           file://CVE-2017-15372.patch \
            "
 SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33"
 SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"