On Feb 06 22:56:02, t...@theobuehler.org wrote: > There is an ongoing discussion on audio/sox on oss-security: > > https://marc.info/?l=oss-security&m=167546008232629&w=2 > > Steffen Nurpmeso ported the patches to apply against the commit > we also use in our ports, that's what's included in the diff below. > > The patches look sensible to me although I haven't reviewed them > thoroughly. > > It's probably a good idea to keep an eye on this discussion both for > reviews of the patches and for possible developments of a new upstream > repo containing them.
I just asked upstream - let's wait and see whether the upstream maintainer decides to include these in the upstream git (SF) that we build from; I would prefer that to maintaining the patches (thank you Steffen!) Jan
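Review bot: The new guard in lsx_aiffstartwrite divides by `ft->encoding.bits_per_sample >> 3` before anything in the hunk verifies that shift is non-zero, so a bits_per_sample below 8 turns the overflow check itself into a division by zero, and a channel count of 0 passes the `>=` test and still reaches the existing `(bits_per_sample>>3)*channels` divisor on the return line. Reject both before the bound check: `if (ft->encoding.bits_per_sample < 8 || ft->signal.channels == 0) { lsx_fail_errno(ft, SOX_EOF, "invalid sample size or channel count for AIFF header"); return SOX_EOF; }`. The existing `>= 0x7f000000 / bytes` comparison then correctly keeps the product below 0x7f000000. The function starts outside the hunk, so whether an earlier caller already rejects these values cannot be confirmed here.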
> @@ -1,3 +1,5 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > Index: src/formats.c > --- src/formats.c.orig > +++ src/formats.c > @@ -19,3 +21,11 @@ Index: src/formats.c > char * command = lsx_malloc(strlen(command_format) + > strlen(identifier)); > sprintf(command, command_format, identifier); > f = popen(command, POPEN_MODE); > +@@ -627,6 +627,7 @@ error: > + free(ft->priv); > + free(ft->filename); > + free(ft->filetype); > ++ sox_delete_comments(&ft->oob.comments); > + free(ft); > + return NULL; > + } > Index: patches/patch-src_formats_i_c > =================================================================== > RCS file: patches/patch-src_formats_i_c > diff -N patches/patch-src_formats_i_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_formats_i_c 6 Feb 2023 21:38:58 -0000 
> @@ -0,0 +1,42 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > +Index: src/formats_i.c > +--- src/formats_i.c.orig > ++++ src/formats_i.c > +@@ -19,6 +19,7 @@ > + */ > + > + #include "sox_i.h" > ++#include <limits.h> > + #include <string.h> > + #include <sys/stat.h> > + #include <stdarg.h> > +@@ -60,13 +61,24 @@ int lsx_check_read_params(sox_format_t * ft, unsigned > + if (ft->seekable) > + ft->data_start = lsx_tell(ft); > + > +- if (channels && ft->signal.channels && ft->signal.channels != channels) > ++ if (channels && ft->signal.channels && ft->signal.channels != channels) { > + lsx_warn("`%s': overriding number of channels", ft->filename); > +- else ft->signal.channels = channels; > ++ } else if (channels > SHRT_MAX) { > ++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels"); > ++ return SOX_EOF; > ++ } else { > ++ ft->signal.channels = channels; > ++ } > + > +- if (rate && ft->signal.rate && ft->signal.rate != rate) > ++ if (rate && ft->signal.rate && ft->signal.rate != rate) { > + lsx_warn("`%s': overriding sample rate", ft->filename); > +- else ft->signal.rate = rate; > ++ /* Since NaN comparisons yield false, the negation rejects them. */ > ++ } else if (!(rate > 0)) { > ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); > ++ return SOX_EOF; > ++ } else { > ++ ft->signal.rate = rate; > ++ } > + > + if (encoding && ft->encoding.encoding && ft->encoding.encoding != > encoding) > + lsx_warn("`%s': overriding encoding type", ft->filename); > Index: patches/patch-src_hcom_c > =================================================================== > RCS file: patches/patch-src_hcom_c > diff -N patches/patch-src_hcom_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_hcom_c 6 Feb 2023 21:38:58 -0000 
> @@ -0,0 +1,57 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > +Index: src/hcom.c > +--- src/hcom.c.orig > ++++ src/hcom.c > +@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft) > + return (SOX_EOF); > + } > + lsx_readw(ft, &dictsize); > ++ if (dictsize == 0 || dictsize > 511) > ++ { > ++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size > in HCOM header"); > ++ return SOX_EOF; > ++ } > + > + /* Translate to sox parameters */ > + ft->encoding.encoding = SOX_ENCODING_HCOM; > +@@ -161,13 +166,18 @@ static int startread(sox_format_t * ft) > + p->dictionary[i].dict_rightson); > + if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson, > + p->dictionary[i].dict_rightson)) { > ++ free(p->dictionary); > ++ p->dictionary = NULL; > + lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); > + return SOX_EOF; > + } > + } > + rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ > +- if (rc) > ++ if (rc) { > ++ free(p->dictionary); > ++ p->dictionary = NULL; > + return rc; > ++ } > + > + /* Initialized the decompression engine */ > + p->checksum = checksum; > +@@ -249,6 +259,9 @@ static int stopread(sox_format_t * ft) > + { > + register priv_t *p = (priv_t *) ft->priv; > + > ++ free(p->dictionary); > ++ p->dictionary = NULL; > ++ > + if (p->huffcount != 0) > + { > + lsx_fail_errno(ft,SOX_EFMT,"not all HCOM data read"); > +@@ -259,8 +272,7 @@ static int stopread(sox_format_t * ft) > + lsx_fail_errno(ft,SOX_EFMT,"checksum error in HCOM data"); > + return (SOX_EOF); > + } > +- free(p->dictionary); > +- p->dictionary = NULL; > ++ > + return (SOX_SUCCESS); > + } > + > Index: patches/patch-src_sphere_c > =================================================================== > RCS file: patches/patch-src_sphere_c > diff -N patches/patch-src_sphere_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_sphere_c 6 Feb 2023 21:38:58 -0000 
> @@ -0,0 +1,25 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > +Index: src/sphere.c > +--- src/sphere.c.orig > ++++ src/sphere.c > +@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft) > + return (SOX_EOF); > + } > + > +- header_size -= (strlen(buf) + 1); > ++ bytes_read = strlen(buf); > ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; > + > + while (strncmp(buf, "end_head", (size_t)8) != 0) { > + if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0) > +@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft) > + return (SOX_EOF); > + } > + > +- header_size -= (strlen(buf) + 1); > ++ bytes_read = strlen(buf); > ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; > + } > + > + if (!bytes_per_sample) > Index: patches/patch-src_voc_c > =================================================================== > RCS file: patches/patch-src_voc_c > diff -N patches/patch-src_voc_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_voc_c 6 Feb 2023 21:38:58 -0000 > @@ -0,0 +1,16 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > +Index: src/voc.c > +--- src/voc.c.orig > ++++ src/voc.c > +@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft) > + v->rate = new_rate_32; > + ft->signal.rate = new_rate_32; > + lsx_readb(ft, &uc); > ++ if (uc <= 1) { > ++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required"); > ++ return (SOX_EOF); > ++ } > + v->size = uc; > + lsx_readb(ft, &uc); > + if (v->channels != -1 && uc != v->channels) { > Index: patches/patch-src_wav_c > =================================================================== > RCS file: patches/patch-src_wav_c > diff -N patches/patch-src_wav_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_wav_c 6 Feb 2023 21:38:58 -0000 
> @@ -0,0 +1,18 @@ > +https://marc.info/?l=oss-security&m=167571683504082&w=2 > + > +Index: src/wav.c > +--- src/wav.c.orig > ++++ src/wav.c > +@@ -654,6 +654,12 @@ static int wav_read_fmt(sox_format_t *ft, uint32_t len > + if (err) > + return SOX_EOF; > + > ++ if (wav->bitsPerSample == 0) > ++ { > ++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); > ++ return SOX_EOF; > ++ } > ++ > + /* non-PCM formats except alaw and mulaw formats have extended fmt > chunk. > + * Check for those cases. > + */ > >