Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsndfile for openSUSE:Factory 
checked in at 2026-05-08 16:42:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsndfile (Old)
 and      /work/SRC/openSUSE:Factory/.libsndfile.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libsndfile"

Fri May  8 16:42:51 2026 rev:69 rq:1351422 version:1.2.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libsndfile/libsndfile-progs.changes      
2026-01-17 21:43:22.443455763 +0100
+++ /work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes    
2026-05-08 16:43:04.083431325 +0200
@@ -0,0 +1,13 @@
+------------------------------------------------------------------
+Thu May  7 12:36:54 UTC 2026 - Takashi Iwai <[email protected]>
+
+- Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555):
+  libsndfile-CVE-2026-37555.patch
+
+-------------------------------------------------------------------
+Thu May  7 11:13:50 UTC 2026 - Takashi Iwai <[email protected]>
+
+- Fix buffer overflow in the ircam_read_header function (bsc#1248458,
+  CVE-2025-52194):
+  libsndfile-CVE-2025-52194.patch
+
--- /work/SRC/openSUSE:Factory/libsndfile/libsndfile.changes    2026-01-17 
21:43:22.459456418 +0100
+++ /work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes  
2026-05-08 16:43:04.103432154 +0200
@@ -1,0 +2,13 @@
+Thu May  7 12:36:54 UTC 2026 - Takashi Iwai <[email protected]>
+
+- Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555):
+  libsndfile-CVE-2026-37555.patch
+
+-------------------------------------------------------------------
+Thu May  7 11:13:50 UTC 2026 - Takashi Iwai <[email protected]>
+
+- Fix buffer overflow in the ircam_read_header function (bsc#1248458,
+  CVE-2025-52194):
+  libsndfile-CVE-2025-52194.patch
+
+-------------------------------------------------------------------

New:
----
  libsndfile-CVE-2025-52194.patch
  libsndfile-CVE-2026-37555.patch

----------(New B)----------
  New:/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes- 
 CVE-2025-52194):
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes:  
libsndfile-CVE-2025-52194.patch
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes-
--
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes-  
CVE-2025-52194):
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes:  
libsndfile-CVE-2025-52194.patch
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes-
  
New:/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes-- 
Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555):
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes:  
libsndfile-CVE-2026-37555.patch
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile-progs.changes-
--
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes-- Fix 
IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555):
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes:  
libsndfile-CVE-2026-37555.patch
/work/SRC/openSUSE:Factory/.libsndfile.new.1966/libsndfile.changes-
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libsndfile-progs.spec ++++++
--- /var/tmp/diff_new_pack.uvqHz2/_old  2026-05-08 16:43:04.851463152 +0200
+++ /var/tmp/diff_new_pack.uvqHz2/_new  2026-05-08 16:43:04.855463317 +0200
@@ -30,6 +30,9 @@
 Patch2:         libsndfile-CVE-2024-50612.patch
 Patch3:         libsndfile-CVE-2025-56226.patch
 Patch4:         sndfile-convert-CVE-2025-56226.patch
+# not merged yet to the upstream
+Patch5:         libsndfile-CVE-2025-52194.patch
+Patch6:         libsndfile-CVE-2026-37555.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  alsa-devel
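Review bot: The comment `# not merged yet to the upstream` sits above both Patch5 and Patch6, but the Patch6 file shown later on this page is a commit dated 2023 whose trailer reads `CVE: CVE-2022-33065`, not the CVE-2026-37555 in its filename, so the comment may not describe it accurately. A per-patch comment recording origin and tracking ids would make this auditable, for example `# PATCH-FIX-UPSTREAM libsndfile-CVE-2026-37555.patch bsc#1263695 -- commit 9a829113c88a, trailer names CVE-2022-33065` if it is indeed an upstream commit, with a separate line for Patch5 stating that it is still pending upstream. Whether the 2023 commit is part of an upstream release cannot be told from this page. The same applies to the identical hunk in libsndfile.spec.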

++++++ libsndfile.spec ++++++
--- /var/tmp/diff_new_pack.uvqHz2/_old  2026-05-08 16:43:04.895464976 +0200
+++ /var/tmp/diff_new_pack.uvqHz2/_new  2026-05-08 16:43:04.899465141 +0200
@@ -32,6 +32,9 @@
 Patch2:         libsndfile-CVE-2024-50612.patch
 Patch3:         libsndfile-CVE-2025-56226.patch
 Patch4:         sndfile-convert-CVE-2025-56226.patch
+# not merged yet to the upstream
+Patch5:         libsndfile-CVE-2025-52194.patch
+Patch6:         libsndfile-CVE-2026-37555.patch
 # PATCH-FIX-OPENSUSE
 Patch100:       sndfile-ocloexec.patch
 BuildRequires:  cmake


++++++ libsndfile-CVE-2025-52194.patch ++++++
>From c69a058fdf70c9995ee15a3747af1d372452824d Mon Sep 17 00:00:00 2001
From: Zayd Rajab <[email protected]>
Date: Tue, 26 Aug 2025 20:57:11 +0000
Subject: [PATCH] ircam: harden header parsing (mitigation for CVE-2025-52194)

- Validate samplerate before the downcast to int: finite, > 0.0f, and <=
  INT_MAX
- Enforce channels in 1..SF_MAX_CHANNELS after endianness fixup.
- Compute blockwidth in sf_count_t. Add a pre-multiply guard using
  SF_COUNT_MAX and remove the narrowing cast. Ensure blockwidth > 0.
- Guard frames computation (no division by zero) and reject malformed
  headers early.

Refs: #1082

Signed-off-by: Zayd Rajab <[email protected]>
---
 src/ircam.c |   38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

--- a/src/ircam.c
+++ b/src/ircam.c
@@ -22,6 +22,8 @@
 #include       <fcntl.h>
 #include       <string.h>
 #include       <ctype.h>
+#include       <math.h>
+#include       <limits.h>
 
 #include       "sndfile.h"
 #include       "sfendian.h"
@@ -159,8 +161,15 @@ ircam_read_header  (SF_PRIVATE *psf)
                psf->endian = SF_ENDIAN_BIG ;
                } ;
 
+       /* Final channel bounds after endianness resolution. */
+       if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
+               return SFE_IRCAM_BAD_CHANNELS ;
+
        psf_log_printf (psf, "marker: 0x%X\n", marker) ;
 
+       /* Validate samplerate before downcast to int. */
+       if (!isfinite (samplerate) || samplerate <= 0.0f || samplerate > 
(float) INT_MAX)
+               return SFE_MALFORMED_FILE ;
        psf->sf.samplerate = (int) samplerate ;
 
        psf_log_printf (psf,    "  Sample Rate : %d\n"
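Review bot: The upper bound `samplerate > (float) INT_MAX` lets one out-of-range value through: with a 32-bit `int`, `(float) INT_MAX` rounds up to 2147483648.0f, so a header carrying exactly that rate passes the test and the following `(int) samplerate` conversion is undefined. Making the comparison inclusive closes it: `if (!isfinite (samplerate) || samplerate <= 0.0f || samplerate >= (float) INT_MAX)`. Values between 0 and 1 also pass and truncate to a sample rate of 0; whether that is acceptable depends on callers not shown here. `ircam_read_header` begins and ends outside this hunk, so the declared type of `samplerate` is not visible.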
@@ -171,35 +180,30 @@ ircam_read_header (SF_PRIVATE *psf)
        switch (encoding)
        {       case IRCAM_PCM_16 :
                                psf->bytewidth = 2 ;
-                               psf->blockwidth = psf->sf.channels * 
psf->bytewidth ;
 
                                psf->sf.format = SF_FORMAT_IRCAM | 
SF_FORMAT_PCM_16 ;
                                break ;
 
                case IRCAM_PCM_32 :
                                psf->bytewidth = 4 ;
-                               psf->blockwidth = psf->sf.channels * 
psf->bytewidth ;
 
                                psf->sf.format = SF_FORMAT_IRCAM | 
SF_FORMAT_PCM_32 ;
                                break ;
 
                case IRCAM_FLOAT :
                                psf->bytewidth = 4 ;
-                               psf->blockwidth = psf->sf.channels * 
psf->bytewidth ;
 
                                psf->sf.format = SF_FORMAT_IRCAM | 
SF_FORMAT_FLOAT ;
                                break ;
 
                case IRCAM_ALAW :
                                psf->bytewidth = 1 ;
-                               psf->blockwidth = psf->sf.channels * 
psf->bytewidth ;
 
                                psf->sf.format = SF_FORMAT_IRCAM | 
SF_FORMAT_ALAW ;
                                break ;
 
                case IRCAM_ULAW :
                                psf->bytewidth = 1 ;
-                               psf->blockwidth = psf->sf.channels * 
psf->bytewidth ;
 
                                psf->sf.format = SF_FORMAT_IRCAM | 
SF_FORMAT_ULAW ;
                                break ;
@@ -217,11 +221,31 @@ ircam_read_header (SF_PRIVATE *psf)
        if (error)
                return error ;
 
+       /* Overflow-safe blockwidth calculation in sf_count_t. */
+       {
+               /* Pre-multiply guard ensuring bw <= SF_COUNT_MAX. */
+               if ((sf_count_t) psf->sf.channels >
+                               (SF_COUNT_MAX / (sf_count_t) psf->bytewidth))
+                       return SFE_MALFORMED_FILE ;
+
+               psf->blockwidth = (sf_count_t) psf->sf.channels * (sf_count_t) 
psf->bytewidth ;
+               if (psf->blockwidth <= 0)
+                       return SFE_MALFORMED_FILE ;
+       }
+
+       /* Data region must start at the fixed IRCAM offset. */
+       if (psf->filelength < IRCAM_DATA_OFFSET)
+               return SFE_MALFORMED_FILE ;
+
        psf->dataoffset = IRCAM_DATA_OFFSET ;
        psf->datalength = psf->filelength - psf->dataoffset ;
 
-       if (psf->sf.frames == 0 && psf->blockwidth)
-               psf->sf.frames = psf->datalength / psf->blockwidth ;
+       if (psf->sf.frames == 0)
+       {
+               if (psf->blockwidth == 0)
+                       return SFE_MALFORMED_FILE ;
+           psf->sf.frames = psf->datalength / psf->blockwidth ;
+       }
 
        psf_log_printf (psf, "  Samples     : %d\n", psf->sf.frames) ;
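Review bot: The inner `if (psf->blockwidth == 0) return SFE_MALFORMED_FILE ;` in the `frames == 0` branch can never fire, because the block added above already returns when `psf->blockwidth <= 0`; the branch can be reduced to `if (psf->sf.frames == 0) psf->sf.frames = psf->datalength / psf->blockwidth ;`. The pre-multiply guard divides by `psf->bytewidth`, so it relies on every path that reaches it having set a non-zero bytewidth; the switch's default case is outside the hunks shown, and a comment such as `/* bytewidth is non-zero here: unknown encodings returned via error above. */` would record that assumption once confirmed. The division line also appears to be indented differently from its neighbours, likely spaces instead of tabs. The function continues beyond this hunk.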
 

++++++ libsndfile-CVE-2026-37555.patch ++++++
>From 9a829113c88a51e57c1e46473e90609e4b7df151 Mon Sep 17 00:00:00 2001
From: Alex Stewart <[email protected]>
Date: Tue, 17 Oct 2023 12:19:12 -0400
Subject: [PATCH] ima_adpcm: fix int overflow in ima_reader_init()

When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to
provide the calculation with enough numeric space to avoid overflows.

Other changes in this commit are syntactic, and only to satisfy the git
pre-commit syntax checker.

CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833

Signed-off-by: Alex Stewart <[email protected]>
---
 src/ima_adpcm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
index bc61f4e5a..7464d1b33 100644
--- a/src/ima_adpcm.c
+++ b/src/ima_adpcm.c
@@ -187,7 +187,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int 
samplesperblock)
        **      to avoid having to branch when pulling apart the nibbles.
        */
        count = ((samplesperblock - 2) | 7) + 2 ;
-       pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign 
+ samplesperblock + sizeof(short) * count) ;
+       pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign 
+ samplesperblock + sizeof (short) * count) ;
 
        if (! (pima = calloc (1, pimasize)))
                return SFE_MALLOC_FAILED ;
@@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int 
samplesperblock)
                case SF_FORMAT_AIFF :
                                psf_log_printf (psf, "still need to check block 
count\n") ;
                                pima->decode_block = aiff_ima_decode_block ;
-                               psf->sf.frames = pima->samplesperblock * 
pima->blocks / pima->channels ;
+                               psf->sf.frames = (sf_count_t) 
pima->samplesperblock * pima->blocks / pima->channels ;
                                break ;
 
                default :
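Review bot: Only the AIFF frame count is widened here; the size arithmetic in the first hunk of this patch still runs in `int` on the function's `blockalign` and `samplesperblock` arguments (`count = ((samplesperblock - 2) | 7) + 2` and the `blockalign + samplesperblock` term of `pimasize`) and receives a whitespace change only. If callers do not already range-check those two values, a guard before the `calloc` would bound them, e.g. `if (blockalign <= 0 || samplesperblock <= 0 || samplesperblock > INT_MAX - 8 - blockalign) return SFE_MALFORMED_FILE ;` (needs `<limits.h>`). The other `case` labels of this switch lie outside the hunk; any that multiply `samplesperblock` by `blocks` need the same `(sf_count_t)` cast. A one-line comment above the cast, `/* Cast first so the product is computed in sf_count_t. */`, would keep it from being removed later as redundant.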
@@ -391,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE 
*pima)
 static int
 wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima)
 {      int             chan, k, predictor, blockindx, indx, indxstart, diff ;
-       short   step, bytecode, stepindx [2] = { 0 };
+       short   step, bytecode, stepindx [2] = { 0 } ;
 
        pima->blockcount ++ ;
        pima->samplecount = 0 ;
