From patchwork Sun Oct 5 13:58:29 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 71644
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 1/5] audiofile: fix multiple CVEs
Date: Sun, 5 Oct 2025 15:58:29 +0200
Message-ID: <20251005135833.879336-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120251
From: Peter Marko CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837 Use patch from buildroot: https://github.com/buildroot/buildroot/commit/cc00bde57fc20d11f8fa4e8ec5f193c091714c55 Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 634cbcb91c3ab7154e0cda707663a1e4aa500f4a) Signed-off-by: Gyorgy Sarvari --- .../audiofile/audiofile_0.3.6.bb | 1 + ...ays-check-the-number-of-coefficients.patch | 45 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index a09f84381e..7654c073f4 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -13,6 +13,7 @@ SRC_URI = " \ file://0001-fix-negative-shift-constants.patch \ file://0002-fix-build-on-gcc6.patch \ file://0003-fix-CVE-2015-7747.patch \ + file://0004-Always-check-the-number-of-coefficients.patch \ " SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" diff --git a/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch new file mode 100644 index 0000000000..282f4c01b9 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch 
@@ -0,0 +1,45 @@ +From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: [PATCH] Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 + +Signed-off-by: Peter Korsgaard + +CVE: CVE-2017-6827 +CVE: CVE-2017-6828 +CVE: CVE-2017-6832 +CVE: CVE-2017-6833 +CVE: CVE-2017-6835 +CVE: CVE-2017-6837 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0e81cf7..61f9541 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + + /* numCoefficients should be at least 7. 
*/ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + m_msadpcmNumCoefficients = numCoefficients; + +-- +2.11.0 +
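Review bot: In the libaudiofile/WAVE.cpp hunk the existing assert(numCoefficients >= 7 && numCoefficients <= 255) is left in place directly above the new runtime check, so a build without NDEBUG still aborts on a malformed header instead of reaching the new AF_FAIL path. The added if covers the same range, so consider dropping the assert so that debug and release builds reject the file the same way. On the recipe side, this one patch file carries six CVE tags while its commit message only names the 00191-audiofile-indexoob case; a line in the patch header saying how the six identifiers map to this single bounds check would make the claim easier to audit later.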
From patchwork Sun Oct 5 13:58:30 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 71647
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 2/5] audiofile: patch CVE-2017-6829
Date: Sun, 5 Oct 2025 15:58:30 +0200
Message-ID: <20251005135833.879336-2-skandigraun@gmail.com>
In-Reply-To: <20251005135833.879336-1-skandigraun@gmail.com>
References: <20251005135833.879336-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120252
From: Peter Marko Use patch from buildroot: https://github.com/buildroot/buildroot/commit/434890df2a7c131b40fec1c49e6239972ab299d2 Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit f29fbaa4650201a059c65572947ed8faa991fcd8) Signed-off-by: Gyorgy Sarvari --- .../audiofile/audiofile_0.3.6.bb | 1 + ...ues-to-fix-index-overflow-in-IMA.cpp.patch | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 7654c073f4..a48bed2a3b 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -14,6 +14,7 @@ SRC_URI = " \ file://0002-fix-build-on-gcc6.patch \ file://0003-fix-CVE-2015-7747.patch \ file://0004-Always-check-the-number-of-coefficients.patch \ + file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ " SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch new file mode 100644 index 0000000000..00bb7e597e --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 
@@ -0,0 +1,43 @@ +From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) + +Signed-off-by: Peter Korsgaard + +CVE: CVE-2017-6829 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n
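Review bot: Both libaudiofile/modules/IMA.cpp hunks clamp the file-supplied index to the literal range 0..88 without reporting anything, so a block whose header carries an out-of-range index is decoded as if it had index 88 instead of being rejected. That closes the index overflow the commit message refers to, but the caller gets no signal that the input was malformed; consider reporting an error for the block, or at least commenting why silent clamping is acceptable here. The bound 88 is also written twice as a bare number; a named constant tied to the size of the table it indexes would keep decodeBlockWAVE, decodeBlockQT and that table in sync. Note that the lower bound never triggers in either place, since encoded is a const uint8_t pointer and the QT path already masks with 0x7f.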
X-Patchwork-Id: 71646
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 3/5] audiofile: fix multiple CVEs
Date: Sun, 5 Oct 2025 15:58:31 +0200
Message-ID: <20251005135833.879336-3-skandigraun@gmail.com>
In-Reply-To: <20251005135833.879336-1-skandigraun@gmail.com>
References: <20251005135833.879336-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120253
From: Peter Marko CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838 Use patch from buildroot: https://github.com/buildroot/buildroot/commit/4a1a8277bba490d227f413e218138e39f1fe1203 Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 75f2bd2b3b145d8282db9926d8212c6d81bde99e)
Signed-off-by: Gyorgy Sarvari --- .../audiofile/audiofile_0.3.6.bb | 1 + ...multiplication-overflow-in-sfconvert.patch | 79 +++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index a48bed2a3b..8aebe88f26 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -15,6 +15,7 @@ SRC_URI = " \ file://0003-fix-CVE-2015-7747.patch \ file://0004-Always-check-the-number-of-coefficients.patch \ file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ + file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \ " SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" diff --git a/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..ec21b09f30 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch 
@@ -0,0 +1,79 @@ +From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: [PATCH] Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 + +Signed-off-by: Peter Korsgaard + +CVE: CVE-2017-6830 +CVE: CVE-2017-6834 +CVE: CVE-2017-6836 +CVE: CVE-2017-6838 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ 
while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; +-- +2.11.0 +
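Review bot: The fallback branch of multiplyCheckOverflow in sfcommands/sfconvert.c does not handle negative operands: firstBitSet loops on x>>=1 until x is 0, and right-shifting a negative int is implementation-defined and usually arithmetic, so x settles at -1 and the loop never terminates. In copyaudiodata, frameSize is taken straight from afGetVirtualFrameSize and is not checked before the new while loop, and on the __builtin_mul_overflow path a zero or negative frameSize produces a non-positive bufferSize that is then handed to malloc. Suggest rejecting frameSize <= 0 at the top of copyaudiodata and either guarding a < 0 || b < 0 in the helper or making its operands unsigned. The two new helpers are only used by this patch's own code in this file, so they could be static.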
From patchwork Sun Oct 5 13:58:32 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 71648
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 4/5] audiofile: patch CVE-2017-6831
Date: Sun, 5 Oct 2025 15:58:32 +0200
Message-ID: <20251005135833.879336-4-skandigraun@gmail.com>
In-Reply-To: <20251005135833.879336-1-skandigraun@gmail.com>
References: <20251005135833.879336-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120254
From: Peter Marko Use patch from buildroot: https://github.com/buildroot/buildroot/commit/bd5f84d301c4e74ca200a9336eca88468ec0e1f3 Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 9d668989b1447fb19aff55c1a47acdf8d4e8c5e2) Signed-off-by: Gyorgy Sarvari --- .../audiofile/audiofile_0.3.6.bb | 1 + ...ail-when-error-occurs-in-parseFormat.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 8aebe88f26..3d0ce3bfbc 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://0004-Always-check-the-number-of-coefficients.patch \ file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \ + file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \ " SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
diff --git a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch new file mode 100644 index 0000000000..38294ca200 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch 
@@ -0,0 +1,46 @@ +From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: [PATCH] Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) + +Signed-off-by: Peter Korsgaard + +CVE: CVE-2017-6831 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0e81cf7..d762249 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; +-- +2.11.0 +
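Review bot: The context line between the two added returns in parseFormat, int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount, is still unchecked int arithmetic; if samplesPerBlock and channelCount are taken from the file header, this product can overflow before the "Invalid samples per block" branch is evaluated, so the new return AF_FAIL may not be reached for the inputs that matter most. Consider bounding both values before the multiplication. The two return AF_FAIL additions themselves match what the commit message describes. Separately, this patch and 0004 both modify libaudiofile/WAVE.cpp against the same base blob 0e81cf7, so 0007 applies on top of 0004 only with a line offset; harmless, but worth knowing when the series is refreshed.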
From patchwork Sun Oct 5 13:58:33 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 71645
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 5/5] audiofile: patch CVE-2017-6839
Date: Sun, 5 Oct 2025 15:58:33 +0200
Message-ID: <20251005135833.879336-5-skandigraun@gmail.com>
In-Reply-To: <20251005135833.879336-1-skandigraun@gmail.com>
References: <20251005135833.879336-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120255
From: Peter Marko Use patch from buildroot: https://github.com/buildroot/buildroot/commit/844a7c6281eb442881330a5d36d5a0719f2870bf Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 88faae83b2b0e68827c457f4f348f7d7868f5258)
Signed-off-by: Gyorgy Sarvari --- .../audiofile/audiofile_0.3.6.bb | 1 + ...lication-overflow-in-MSADPCM-decodeS.patch | 126 ++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb index 3d0ce3bfbc..d10c7a8b49 100644 --- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb +++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb @@ -17,6 +17,7 @@ SRC_URI = " \ file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \ file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \ file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \ + file://0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch \ " SRC_URI[md5sum] = "235dde14742317328f0109e9866a8008" SRC_URI[sha256sum] = "ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782" diff --git a/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch new file mode 100644 index 0000000000..857ed78c59 --- /dev/null +++ b/meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch 
@@ -0,0 +1,126 @@ +From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 + +Signed-off-by: Peter Korsgaard + +CVE: CVE-2017-6839 +Upstream-Status: Inactive-Upstream [lastrelease: 2013] +Signed-off-by: Peter Marko +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. 
+ for (int i=0; i(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? 
(code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; +-- +2.11.0 +
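Review bot: In the BlockCodec.cpp hunk, the new `decodeBlock(...)==0` test in BlockCodec::runPull turns 0 into a failure sentinel for every codec that is decoded through this loop, while the patch only changes MSADPCM::decodeBlock. Please confirm that every other decodeBlock implementation returns a non-zero value on success (IMA.cpp, which the recipe already patches, is the obvious one to check), otherwise those codecs will stop after the first packet. A one-line comment at the call site stating the return convention would make the `break` self-explanatory.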
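Review bot: In the MSADPCM.cpp helpers, the fallback branch of multiplyCheckOverflow (taken when __builtin_mul_overflow is not available) can fail to terminate, because firstBitSet loops on `while (x!=0)` with `x>>=1` and a negative x never reaches 0 where right shift of a signed int is arithmetic. Reject negative operands before the bit count, or count bits on an unsigned copy. The `firstBitSet(a)+firstBitSet(b)>31` test is also conservative: it reports overflow for some products that fit in an int (two operands of 16 significant bits each, for example), so the two branches of the `#if` do not accept the same inputs. Both helpers are file-local and should be `static` like decodeSample, and since multiplyCheckOverflow is declared `int` the `return true;` / `return false;` lines would read better as a `bool` return type.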
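Review bot: In decodeSample, the defaulted `bool *ok=NULL` parameter lets a caller omit the flag, and on that path the overflow case returns 0, which cannot be told apart from a valid sample. Both call sites visible in MSADPCM::decodeBlock pass `&ok`, so the parameter can be made mandatory (or a reference) to keep a later caller from silently ignoring the error. The `... * state.delta` term added to linearSample a few lines above the new check is still an unchecked int multiplication; a comment explaining why it cannot overflow, or the same check applied there, would close the gap. Note also that `if (!ok) return 0;` after the second nibble leaves the first sample of the pair already written to `decoded`, which is slightly different from the "empty decoded block" the embedded commit message describes.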