commit: 585ee02d57684b9b47738d103492543eb5786418
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 7 05:18:53 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Jan 7 05:18:53 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=585ee02d
media-sound/timidity++: restore CVE patches from 2.14.0
Whoops, misgrep (fooled by {}, I think?)
Thanks-to: Jeroen Roovers
Fixes: 4071642e177ae0e7289d684387d1f01af563cbd1
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/timidity++-2.14.0-CVE-2017-11546.patch | 31 ++++++++++
.../files/timidity++-2.14.0-CVE-2017-11547.patch | 67 ++++++++++++++++++++++
2 files changed, 98 insertions(+)
diff --git
a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
new file mode 100644
index 00000000000..94135e98b96
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
@@ -0,0 +1,31 @@
+From 2386ec2c745f6c5075e53ea051da211336b44b84 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <[email protected]>
+Date: Tue, 26 Jun 2018 22:31:27 +0200
+Subject: readmidi: Fix division by zero
+
+References: CVE-2017-11546
+
+An adhoc fix for division by zero in insert_note_steps().
+
+Signed-off-by: Takashi Iwai <[email protected]>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+bug: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760825
+---
+ timidity/readmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/timidity/readmidi.c b/timidity/readmidi.c
+index 158388a..341777e 100644
+--- a/timidity/readmidi.c
++++ b/timidity/readmidi.c
+@@ -4585,6 +4585,8 @@ static void insert_note_steps(void)
+ if (beat != 0)
+ meas++, beat = 0;
+ num = timesig[n].a, denom = timesig[n].b, n++;
++ if (!denom)
++ denom = 1;
+ }
+ a = (meas + 1) & 0xff;
+ b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4);
diff --git
a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
new file mode 100644
index 00000000000..12562a577e0
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
@@ -0,0 +1,67 @@
+From 34328d22cbb4ccf03f29223f54f1834c796d86a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <[email protected]>
+Date: Tue, 26 Jun 2018 22:31:28 +0200
+Subject: resample: Fix out-of-bound access in resamplers
+
+References: CVE-2017-11547
+
+An adhoc fix for out-of-bound accesses in resamples.
+The offset might overflow the given data range.
+
+Signed-off-by: Takashi Iwai <[email protected]>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760826
+---
+ timidity/resample.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/timidity/resample.c b/timidity/resample.c
+index cd6b8e6..4a3fadf 100644
+--- a/timidity/resample.c
++++ b/timidity/resample.c
+@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t
ofs, resample_rec_t *r
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];
+@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t
ofs, resample_rec_t *
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = (int32)src[ofsi];
+ v2 = (int32)src[ofsi + 1];
+@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t
ofs, resample_rec_t *rec
+ sample_t *sptr;
+ int32 left, right, temp_n;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS) - left - 1;
+ temp_n = (right<<1)-1;
+@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t
ofs, resample_rec_t *re
+ int32 left, right, temp_n;
+ int ii, jj;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
+ temp_n = (right<<1)-1;
+@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t
ofs, resample_rec_t *re
+ {
+ int32 v1, v2, ofsi;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];
