On Feb 06 22:56:02, t...@theobuehler.org wrote:
> There is an ongoing discussion on audio/sox on oss-security:
> 
> https://marc.info/?l=oss-security&m=167546008232629&w=2
> 
> Steffen Nurpmeso ported the patches to apply against the commit
> we also use in our ports, that's what's included in the diff below.
> 
> The patches look sensible to me although I haven't reviewed them
> thoroughly.
> 
> It's probably a good idea to keep an eye on this discussion both for
> reviews of the patches and for possible developments of a new upstream
> repo containing them.

I just asked upstream - let's wait and see whether the upstream maintainer
decides to include these in the upstream git (SF) that we build from;
I would prefer that to maintaining the patches (thank you Steffen!)

        Jan


> ===================================================================
> RCS file: /cvs/ports/audio/sox/Makefile,v
> retrieving revision 1.74
> diff -u -p -r1.74 Makefile
> --- Makefile  11 Mar 2022 18:20:31 -0000      1.74
> +++ Makefile  6 Feb 2023 21:39:18 -0000
> @@ -5,6 +5,7 @@ V=            14.4.2pl20210509
>  GIT_V=               14.4.3git
>  DISTNAME=    sox-${V}
>  SHARED_LIBS +=       sox 4.1 # 3.0
> +REVISION =   0
>  
>  CATEGORIES=  audio
>  HOMEPAGE=    http://sox.sourceforge.net/
> Index: patches/patch-src_aiff_c
> ===================================================================
> RCS file: patches/patch-src_aiff_c
> diff -N patches/patch-src_aiff_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_aiff_c  6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,17 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/aiff.c
> +--- src/aiff.c.orig
> ++++ src/aiff.c
> +@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
> +            At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
> +            Sorry, the AIFF format does not provide for an indefinite
> +            number of samples. */
> ++        if (ft->signal.channels >= (0x7f000000 / 
> (ft->encoding.bits_per_sample >> 3)))
> ++        {
> ++                lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF 
> header");
> ++                return SOX_EOF;
> ++        }
> +         return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / 
> ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
> + }
> + 
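Review bot: The new guard divides by `ft->encoding.bits_per_sample >> 3`, which is zero for any bits_per_sample below 8, so a small or unset value turns the check itself into a division by zero before the existing `aiffwriteheader` division is ever reached; unless lsx_aiffstartwrite validates bits_per_sample earlier (the function starts before this hunk, so that is not visible here), the guard should cover it: `if (ft->encoding.bits_per_sample < 8 || ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))`. A one-line comment above the check saying it keeps `(bits_per_sample>>3)*channels` from overflowing in the argument below would help the next reader, since the `>=` bound is otherwise easy to mistake for an off-by-one. Note also that the mailer has wrapped the long lines of this quoted patch (the `if`, the `lsx_fail_errno` and the `return(aiffwriteheader...` lines), so the patch as quoted here would not apply cleanly.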
> Index: patches/patch-src_formats_c
> ===================================================================
> RCS file: /cvs/ports/audio/sox/patches/patch-src_formats_c,v
> retrieving revision 1.8
> diff -u -p -r1.8 patch-src_formats_c
> --- patches/patch-src_formats_c       11 Mar 2022 18:20:31 -0000      1.8
> +++ patches/patch-src_formats_c       6 Feb 2023 21:38:58 -0000
> @@ -1,3 +1,5 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
>  Index: src/formats.c
>  --- src/formats.c.orig
>  +++ src/formats.c
> @@ -19,3 +21,11 @@ Index: src/formats.c
>       char * command = lsx_malloc(strlen(command_format) + 
> strlen(identifier));
>       sprintf(command, command_format, identifier);
>       f = popen(command, POPEN_MODE);
> +@@ -627,6 +627,7 @@ error:
> +   free(ft->priv);
> +   free(ft->filename);
> +   free(ft->filetype);
> ++  sox_delete_comments(&ft->oob.comments);
> +   free(ft);
> +   return NULL;
> + }
> Index: patches/patch-src_formats_i_c
> ===================================================================
> RCS file: patches/patch-src_formats_i_c
> diff -N patches/patch-src_formats_i_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_formats_i_c     6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,42 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/formats_i.c
> +--- src/formats_i.c.orig
> ++++ src/formats_i.c
> +@@ -19,6 +19,7 @@
> +  */
> + 
> + #include "sox_i.h"
> ++#include <limits.h>
> + #include <string.h>
> + #include <sys/stat.h>
> + #include <stdarg.h>
> +@@ -60,13 +61,24 @@ int lsx_check_read_params(sox_format_t * ft, unsigned 
> +   if (ft->seekable)
> +     ft->data_start = lsx_tell(ft);
> + 
> +-  if (channels && ft->signal.channels && ft->signal.channels != channels)
> ++  if (channels && ft->signal.channels && ft->signal.channels != channels) {
> +     lsx_warn("`%s': overriding number of channels", ft->filename);
> +-  else ft->signal.channels = channels;
> ++  } else if (channels > SHRT_MAX) {
> ++    lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
> ++    return SOX_EOF;
> ++  } else {
> ++    ft->signal.channels = channels;
> ++  }
> + 
> +-  if (rate && ft->signal.rate && ft->signal.rate != rate)
> ++  if (rate && ft->signal.rate && ft->signal.rate != rate) {
> +     lsx_warn("`%s': overriding sample rate", ft->filename);
> +-  else ft->signal.rate = rate;
> ++  /* Since NaN comparisons yield false, the negation rejects them. */
> ++  } else if (!(rate > 0)) {
> ++    lsx_fail_errno(ft, EINVAL, "invalid rate value");
> ++    return SOX_EOF;
> ++  } else {
> ++    ft->signal.rate = rate;
> ++  }
> + 
> +   if (encoding && ft->encoding.encoding && ft->encoding.encoding != 
> encoding)
> +     lsx_warn("`%s': overriding encoding type", ft->filename);
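Review bot: `!(rate > 0)` rejects NaN, zero and negative rates but still lets +infinity through, so a rate of `INFINITY` would be stored in `ft->signal.rate` unchanged; if that matters for the callers (not visible here), the test could be `!(rate > 0 && rate <= DBL_MAX)`, with `<float.h>` added next to the `<limits.h>` include this patch introduces for SHRT_MAX. The NaN explanation comment is placed between the closing `}` and `else if`, which reads as if it belonged to the previous branch; moving it inside the `else if` body, directly above the `lsx_fail_errno` call, keeps it with the code it describes. The `SHRT_MAX` channel bound is fine for an unsigned `channels` but is an arbitrary limit; a short comment such as `/* sanity bound: no real file has more than SHRT_MAX channels */` would record that it is a plausibility check rather than a format limit. The enclosing lsx_check_read_params begins before the hunk and continues after it.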
> Index: patches/patch-src_hcom_c
> ===================================================================
> RCS file: patches/patch-src_hcom_c
> diff -N patches/patch-src_hcom_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_hcom_c  6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,57 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/hcom.c
> +--- src/hcom.c.orig
> ++++ src/hcom.c
> +@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
> +                 return (SOX_EOF);
> +         }
> +         lsx_readw(ft, &dictsize);
> ++        if (dictsize == 0 || dictsize > 511)
> ++        {
> ++                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size 
> in HCOM header");
> ++                return SOX_EOF;
> ++        }
> + 
> +         /* Translate to sox parameters */
> +         ft->encoding.encoding = SOX_ENCODING_HCOM;
> +@@ -161,13 +166,18 @@ static int startread(sox_format_t * ft)
> +                        p->dictionary[i].dict_rightson);
> +                 if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
> +                                p->dictionary[i].dict_rightson)) {
> ++                        free(p->dictionary);
> ++                        p->dictionary = NULL;
> +                         lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
> +                         return SOX_EOF;
> +                 }
> +         }
> +         rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
> +-        if (rc)
> ++        if (rc) {
> ++            free(p->dictionary);
> ++            p->dictionary = NULL;
> +             return rc;
> ++        }
> + 
> +         /* Initialized the decompression engine */
> +         p->checksum = checksum;
> +@@ -249,6 +259,9 @@ static int stopread(sox_format_t * ft)
> + {
> +         register priv_t *p = (priv_t *) ft->priv;
> + 
> ++        free(p->dictionary);
> ++        p->dictionary = NULL;
> ++
> +         if (p->huffcount != 0)
> +         {
> +                 lsx_fail_errno(ft,SOX_EFMT,"not all HCOM data read");
> +@@ -259,8 +272,7 @@ static int stopread(sox_format_t * ft)
> +                 lsx_fail_errno(ft,SOX_EFMT,"checksum error in HCOM data");
> +                 return (SOX_EOF);
> +         }
> +-        free(p->dictionary);
> +-        p->dictionary = NULL;
> ++
> +         return (SOX_SUCCESS);
> + }
> + 
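Review bot: The `511` upper bound on dictsize is a magic number with no explanation; a comment on the new check stating where the limit comes from (the largest dictionary the HCOM header can describe, if that is the reason, otherwise just "sanity bound") would stop a future reader from loosening or tightening it blindly, e.g. `/* reject 0 and oversized dictionaries before allocating; 511 is the sanity bound */`. The cleanup added for the `lsx_skipbytes` failure uses 4-space indentation while the rest of startread is indented by 8, so it should be reindented to match. The move of `free(p->dictionary); p->dictionary = NULL;` to the top of stopread is sound only because the startread error paths also NULL the pointer after freeing it, which this patch does; the trailing `++` line that replaces the old free leaves a stray blank line before `return (SOX_SUCCESS);` that could simply be dropped. startread's body continues between and after the hunks.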
> Index: patches/patch-src_sphere_c
> ===================================================================
> RCS file: patches/patch-src_sphere_c
> diff -N patches/patch-src_sphere_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_sphere_c        6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,25 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/sphere.c
> +--- src/sphere.c.orig
> ++++ src/sphere.c
> +@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
> +     return (SOX_EOF);
> +   }
> + 
> +-  header_size -= (strlen(buf) + 1);
> ++  bytes_read = strlen(buf);
> ++  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
> + 
> +   while (strncmp(buf, "end_head", (size_t)8) != 0) {
> +     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
> +@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
> +       return (SOX_EOF);
> +     }
> + 
> +-    header_size -= (strlen(buf) + 1);
> ++    bytes_read = strlen(buf);
> ++    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
> +   }
> + 
> +   if (!bytes_per_sample)
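Review bot: The clamp `bytes_read >= header_size ? header_size : bytes_read + 1` silently treats a line that overruns the remaining header as consuming exactly the rest of it, so `header_size` becomes 0 and the `while` loop keeps reading until `end_head` appears or a check outside the hunk stops it; a header line longer than the declared header is a malformed file and returning `SOX_EHDR` there would be the more explicit outcome, e.g. `if (bytes_read >= header_size) { lsx_fail_errno(ft, SOX_EHDR, "SPHERE header line overruns header_size"); return (SOX_EOF); }`. The declarations of `bytes_read` and `header_size` are outside the hunk; if they differ in signedness the comparison is done unsigned and a negative `header_size` (if the earlier parse allows one) would make the guard ineffective, so it is worth confirming both are the same unsigned type. The same replacement appears in the second hunk of this file and applies there as well. start_read begins before the first hunk.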
> Index: patches/patch-src_voc_c
> ===================================================================
> RCS file: patches/patch-src_voc_c
> diff -N patches/patch-src_voc_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_voc_c   6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,16 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/voc.c
> +--- src/voc.c.orig
> ++++ src/voc.c
> +@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
> +         v->rate = new_rate_32;
> +         ft->signal.rate = new_rate_32;
> +         lsx_readb(ft, &uc);
> ++        if (uc <= 1) {
> ++          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
> ++          return (SOX_EOF);
> ++        }
> +         v->size = uc;
> +         lsx_readb(ft, &uc);
> +         if (v->channels != -1 && uc != v->channels) {
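Review bot: The message `"2 bits per word required"` reads as if exactly 2 bits were required, whereas `uc <= 1` only rejects 0 and 1; `"at least 2 bits per word required"` says what the check does. The check also relies on `uc` having just been read by the unchecked `lsx_readb(ft, &uc)` above it (pre-existing code), so on a short read `uc` keeps its previous value and the new guard validates stale data; checking that return value, if lsx_readb reports one, would make the guard meaningful on truncated input. getblock's body continues outside the hunk.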
> Index: patches/patch-src_wav_c
> ===================================================================
> RCS file: patches/patch-src_wav_c
> diff -N patches/patch-src_wav_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_wav_c   6 Feb 2023 21:38:58 -0000
> @@ -0,0 +1,18 @@
> +https://marc.info/?l=oss-security&m=167571683504082&w=2
> +
> +Index: src/wav.c
> +--- src/wav.c.orig
> ++++ src/wav.c
> +@@ -654,6 +654,12 @@ static int wav_read_fmt(sox_format_t *ft, uint32_t len
> +     if (err)
> +         return SOX_EOF;
> + 
> ++    if (wav->bitsPerSample == 0)
> ++    {
> ++        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
> ++        return SOX_EOF;
> ++    }
> ++
> +     /* non-PCM formats except alaw and mulaw formats have extended fmt 
> chunk.
> +      * Check for those cases.
> +      */
> 
> 
