From: Peter Marko <[email protected]>

Use patch from buildroot:
https://github.com/buildroot/buildroot/commit/bd5f84d301c4e74ca200a9336eca88468ec0e1f3

Signed-off-by: Peter Marko <[email protected]>
---
 .../audiofile/audiofile_0.3.6.bb              |  1 +
 ...ail-when-error-occurs-in-parseFormat.patch | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 
meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch

diff --git a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb 
b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
index 66194fdc8b..08709a35e3 100644
--- a/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
+++ b/meta-oe/recipes-multimedia/audiofile/audiofile_0.3.6.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
     file://0004-Always-check-the-number-of-coefficients.patch \
     file://0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch \
     file://0006-Check-for-multiplication-overflow-in-sfconvert.patch \
+    file://0007-Actually-fail-when-error-occurs-in-parseFormat.patch \
 "
 SRC_URI[sha256sum] = 
"ea2449ad3f201ec590d811db9da6d02ffc5e87a677d06b92ab15363d8cb59782"
 
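Review bot: The commit message does not name the CVE that the SRC_URI entry added here (0007-Actually-fail-when-error-occurs-in-parseFormat.patch) addresses; it says only "Use patch from buildroot", while CVE-2017-6831 appears solely in the CVE: tag inside the patch file. Suggest naming the CVE in the commit message so the fix can be found from the recipe history without opening the patch.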
diff --git 
a/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
 
b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 0000000000..38294ca200
--- /dev/null
+++ 
b/meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,46 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <[email protected]>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+
+Signed-off-by: Peter Korsgaard <[email protected]>
+
+CVE: CVE-2017-6831
+Upstream-Status: Inactive-Upstream [lastrelease: 2013]
+Signed-off-by: Peter Marko <[email protected]>
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                       {
+                               _af_error(AF_BAD_NOT_IMPLEMENTED,
+                                       "IMA ADPCM compression supports only 4 
bits per sample");
++                              return AF_FAIL;
+                       }
+ 
+                       int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * 
channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+                       {
+                               _af_error(AF_BAD_CODEC_CONFIG,
+                                       "Invalid samples per block for IMA 
ADPCM compression");
++                              return AF_FAIL;
+                       }
+ 
+                       track->f.sampleWidth = 16;
+-- 
+2.11.0
+
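Review bot: The header of the added patch file does not record where the patch came from: the buildroot commit URL appears only in the outer commit message, and "This fixes #35" has no repository link beside it. With Upstream-Status set to Inactive-Upstream, suggest adding the buildroot commit URL to the patch header next to the CVE: tag so the provenance stays with the file. On the code, both added "return AF_FAIL;" lines sit directly after the _af_error() calls in the two IMA ADPCM checks, which matches the description; please confirm that nothing set up earlier in parseFormat needs cleanup on these early returns, since that part of the function lies outside the visible context.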
-- 
2.30.2
