Date: Saturday, August 12, 2017 @ 21:40:33 Author: jgc Revision: 301990
upgpkg: audiofile 0.3.6-4 Switch to HTTPS Use SHA256 Fix https://security.archlinux.org/AVG-205 security issues using Debian patches. Also fixes CVE-2015-7747 which is not listed in the AVG ticket Added: audiofile/trunk/01_gcc6.patch audiofile/trunk/03_CVE-2015-7747.patch audiofile/trunk/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch audiofile/trunk/05_Always-check-the-number-of-coefficients.patch audiofile/trunk/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch audiofile/trunk/07_Check-for-multiplication-overflow-in-sfconvert.patch audiofile/trunk/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch audiofile/trunk/09_Actually-fail-when-error-occurs-in-parseFormat.patch audiofile/trunk/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch Modified: audiofile/trunk/PKGBUILD -----------------------------------------------------------------+ 01_gcc6.patch | 102 ++++++ 03_CVE-2015-7747.patch | 156 ++++++++++ 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch | 33 ++ 05_Always-check-the-number-of-coefficients.patch | 30 + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch | 116 +++++++ 07_Check-for-multiplication-overflow-in-sfconvert.patch | 66 ++++ 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch | 35 ++ 09_Actually-fail-when-error-occurs-in-parseFormat.patch | 36 ++ 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch | 21 + PKGBUILD | 39 ++ 10 files changed, 630 insertions(+), 4 deletions(-) Added: 01_gcc6.patch =================================================================== --- 01_gcc6.patch (rev 0) +++ 01_gcc6.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,102 @@ +Description: Fix FTBFS with GCC 6 +Author: Michael Schwendt <mschwe...@fedoraproject.org> +Origin: vendor, https://github.com/mpruett/audiofile/pull/27 +Bug-Debian: https://bugs.debian.org/812055 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + +--- a/libaudiofile/modules/SimpleModule.h ++++ b/libaudiofile/modules/SimpleModule.h +@@ -123,7 +123,7 @@ struct signConverter + typedef typename IntTypes<Format>::UnsignedType UnsignedType; + + static const int kScaleBits = (Format + 1) * CHAR_BIT - 1; +- static const int kMinSignedValue = -1 << kScaleBits; ++ static const int kMinSignedValue = 0-(1U<<kScaleBits); + + struct signedToUnsigned : public std::unary_function<SignedType, UnsignedType> + { +--- a/test/FloatToInt.cpp ++++ b/test/FloatToInt.cpp +@@ -115,7 +115,7 @@ TEST_F(FloatToIntTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(FloatToIntTest, Int24) +--- a/test/IntToFloat.cpp ++++ b/test/IntToFloat.cpp +@@ -117,7 +117,7 @@ TEST_F(IntToFloatTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + + TEST_F(IntToFloatTest, Int24) +--- a/test/NeXT.cpp ++++ b/test/NeXT.cpp +@@ -37,13 +37,13 @@ + + #include "TestUtilities.h" + +-const char kDataUnspecifiedLength[] = ++const signed char kDataUnspecifiedLength[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes +- 0xff, 0xff, 0xff, 0xff, // unspecified length ++ -1, -1, -1, -1, // unspecified length + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 1, // 1 channel + 0, 1, + 0, 1, +@@ -57,13 +57,13 @@ const char kDataUnspecifiedLength[] = + 0, 55 + }; + +-const char kDataTruncated[] = ++const signed char kDataTruncated[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes + 0, 0, 0, 20, // length of 20 bytes + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 1, // 1 channel + 0, 1, + 0, 1, +@@ -152,13 +152,13 @@ TEST(NeXT, Truncated) + ASSERT_EQ(::unlink(testFileName.c_str()), 0); + } + +-const char kDataZeroChannels[] = ++const signed char kDataZeroChannels[] = + { + '.', 's', 'n', 'd', + 0, 0, 0, 24, // offset of 24 bytes + 0, 0, 0, 2, // 2 bytes + 0, 0, 0, 3, // 16-bit linear +- 0, 0, 172, 68, // 44100 Hz ++ 0, 0, -84, 68, // 44100 Hz (0xAC44) + 0, 0, 0, 0, // 0 channels + 0, 1 + }; +--- a/test/Sign.cpp ++++ b/test/Sign.cpp +@@ -116,7 +116,7 @@ TEST_F(SignConversionTest, Int16) + EXPECT_EQ(readData[i], expectedData[i]); + } + +-static const int32_t kMinInt24 = -1<<23; ++static const int32_t kMinInt24 = 0-(1U<<23); + static const int32_t kMaxInt24 = (1<<23) - 1; + static const uint32_t kMaxUInt24 = (1<<24) - 1; + Added: 03_CVE-2015-7747.patch =================================================================== --- 03_CVE-2015-7747.patch (rev 0) +++ 03_CVE-2015-7747.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,156 @@ +Description: fix buffer overflow when changing both sample format and + number of channels +Origin: https://github.com/mpruett/audiofile/pull/25 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721 +Bug-Debian: https://bugs.debian.org/801102 + +--- a/libaudiofile/modules/ModuleState.cpp ++++ b/libaudiofile/modules/ModuleState.cpp +@@ -402,7 +402,7 @@ status ModuleState::arrange(AFfilehandle + addModule(new Transform(outfc, in.pcm, out.pcm)); + + if (in.channelCount != out.channelCount) +- addModule(new ApplyChannelMatrix(infc, isReading, ++ addModule(new ApplyChannelMatrix(outfc, isReading, + in.channelCount, out.channelCount, + in.pcm.minClip, in.pcm.maxClip, + track->channelMatrix)); +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -26,6 +26,7 @@ TESTS = \ + VirtualFile \ + floatto24 \ + query2 \ ++ sixteen-stereo-to-eight-mono \ + sixteen-to-eight \ + testchannelmatrix \ + testdouble \ +@@ -139,6 +140,7 @@ printmarkers_SOURCES = printmarkers.c + printmarkers_LDADD = $(LIBAUDIOFILE) -lm + + sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h ++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h + + testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h + +--- /dev/null ++++ b/test/sixteen-stereo-to-eight-mono.c +@@ -0,0 +1,118 @@ ++/* ++ Audio File Library ++ ++ Copyright 2000, Silicon Graphics, Inc. ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++*/ ++ ++/* ++ sixteen-stereo-to-eight-mono.c ++ ++ This program tests the conversion from 2-channel 16-bit integers to ++ 1-channel 8-bit integers. ++*/ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <stdint.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++#include <limits.h> ++ ++#include <audiofile.h> ++ ++#include "TestUtilities.h" ++ ++int main (int argc, char **argv) ++{ ++ AFfilehandle file; ++ AFfilesetup setup; ++ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921}; ++ int8_t frames8[] = {28, 6, -2}; ++ int i, frameCount = 3; ++ int8_t byte; ++ AFframecount result; ++ ++ setup = afNewFileSetup(); ++ ++ afInitFileFormat(setup, AF_FILE_WAVE); ++ ++ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16); ++ afInitChannels(setup, AF_DEFAULT_TRACK, 2); ++ ++ char *testFileName; ++ if (!createTemporaryFile("sixteen-to-eight", &testFileName)) ++ { ++ fprintf(stderr, "Could not create temporary file.\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ file = afOpenFile(testFileName, "w", setup); ++ if (file == AF_NULL_FILEHANDLE) ++ { ++ fprintf(stderr, "could not open file for writing\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ afFreeFileSetup(setup); ++ ++ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount); ++ ++ afCloseFile(file); ++ ++ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP); ++ if (file == AF_NULL_FILEHANDLE) ++ { ++ fprintf(stderr, "could not open file for reading\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8); ++ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1); ++ ++ for (i=0; i<frameCount; i++) ++ { ++ /* Read one frame. */ ++ result = afReadFrames(file, AF_DEFAULT_TRACK, &byte, 1); ++ ++ if (result != 1) ++ break; ++ ++ /* Compare the byte read with its precalculated value. */ ++ if (memcmp(&byte, &frames8[i], 1) != 0) ++ { ++ printf("error\n"); ++ printf("expected %d, got %d\n", frames8[i], byte); ++ exit(EXIT_FAILURE); ++ } ++ else ++ { ++#ifdef DEBUG ++ printf("got what was expected: %d\n", byte); ++#endif ++ } ++ } ++ ++ afCloseFile(file); ++ unlink(testFileName); ++ free(testFileName); ++ ++ exit(EXIT_SUCCESS); ++} Added: 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch =================================================================== --- 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch (rev 0) +++ 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,33 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n<m_framesPerPacket; n+=2) Added: 05_Always-check-the-number-of-coefficients.patch =================================================================== --- 05_Always-check-the-number-of-coefficients.patch (rev 0) +++ 05_Always-check-the-number-of-coefficients.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,30 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 9dd8511..0fc48e8 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + + /* numCoefficients should be at least 7. */ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + m_msadpcmNumCoefficients = numCoefficients; + Added: 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch =================================================================== --- 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch (rev 0) +++ 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,116 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. + for (int i=0; i<blocksRead; i++) + { +- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast<int16_t>(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; Added: 07_Check-for-multiplication-overflow-in-sfconvert.patch =================================================================== --- 07_Check-for-multiplication-overflow-in-sfconvert.patch (rev 0) +++ 07_Check-for-multiplication-overflow-in-sfconvert.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,66 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; Added: 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch =================================================================== --- 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch (rev 0) +++ 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,35 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Fri, 10 Mar 2017 15:40:02 +0100 +Subject: Fix signature of multiplyCheckOverflow. It returns a bool, not an int + +--- + libaudiofile/modules/MSADPCM.cpp | 2 +- + sfcommands/sfconvert.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index ef9c38c..d8c9553 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -116,7 +116,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 970a3e4..367f7a5 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -60,7 +60,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); Added: 09_Actually-fail-when-error-occurs-in-parseFormat.patch =================================================================== --- 09_Actually-fail-when-error-occurs-in-parseFormat.patch (rev 0) +++ 09_Actually-fail-when-error-occurs-in-parseFormat.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,36 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0fc48e8..d04b796 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; Added: 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch =================================================================== --- 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch (rev 0) +++ 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch 2017-08-12 21:40:33 UTC (rev 301990) @@ -0,0 +1,21 @@ +From: Antonio Larrosa <larr...@kde.org> +Date: Thu, 9 Mar 2017 10:21:18 +0100 +Subject: Check for division by zero in BlockCodec::runPull + +--- + libaudiofile/modules/BlockCodec.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 4731be1..eb2fb4d 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -47,7 +47,7 @@ void BlockCodec::runPull() + + // Read the compressed data. + ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount); +- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0; ++ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0; + + // Decompress into m_outChunk. + for (int i=0; i<blocksRead; i++) Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-08-12 21:22:45 UTC (rev 301989) +++ PKGBUILD 2017-08-12 21:40:33 UTC (rev 301990) @@ -4,15 +4,46 @@ pkgname=audiofile pkgver=0.3.6 -pkgrel=3 +pkgrel=4 pkgdesc="Silicon Graphics Audio File Library" arch=('i686' 'x86_64') -url="http://www.68k.org/~michael/audiofile/" +url="https://audiofile.68k.org/" license=('LGPL') depends=('gcc-libs' 'alsa-lib' 'flac') -source=("http://audiofile.68k.org/$pkgname-$pkgver.tar.gz") -md5sums=('2731d79bec0acef3d30d2fc86b0b72fd') +source=("https://audiofile.68k.org/$pkgname-$pkgver.tar.gz" + 01_gcc6.patch + 03_CVE-2015-7747.patch + 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch + 05_Always-check-the-number-of-coefficients.patch + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch + 07_Check-for-multiplication-overflow-in-sfconvert.patch + 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch + 09_Actually-fail-when-error-occurs-in-parseFormat.patch + 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch) +sha256sums=('cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965' + 'a1904603c0292e76530f635dfc1828fb4e0d9d13555581cad33c0200640f7a27' + 'bcfc180708d089b5abe0ae1439809b5a4306a08917b0212c3d135e5ec56711f2' + '540c517828d5573ba7bc3fd9b3811f39f4ea0132011d348d22bdfc545e865a8e' + '1b55abeb867d66b7d3b7c34585e77e6d3656c6317b582c99f3280d37523c7718' + '7a464eb7521ae8deb67516309bb396caa93135dc62fbad7351e67923b1766423' + '2ed5cc3b57394ea33ad466ca9844b766e4cb91dd7b1e2b71deaf15cf881dbf51' + '257f157cf2cc8947e0f5be4bff2c4afddbe73643e9e39a83171dbea02f5d52f4' + '48deaaa07bfade35208edb9e22b4fe78f91470012414ddb26cd68f684c95e33d' + 'f31d51ebd8f8e0bd076cd1bce34b210c4dbbd959ca9b87693ad86a6399c492a3') +prepare() { + cd $pkgname-$pkgver + patch -Np1 -i ../01_gcc6.patch + patch -Np1 -i ../03_CVE-2015-7747.patch + patch -Np1 -i ../04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch + patch -Np1 -i ../05_Always-check-the-number-of-coefficients.patch + patch -Np1 -i ../06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch + patch -Np1 -i ../07_Check-for-multiplication-overflow-in-sfconvert.patch + patch -Np1 -i ../08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch + patch -Np1 -i ../09_Actually-fail-when-error-occurs-in-parseFormat.patch + patch -Np1 -i ../10_Check-for-division-by-zero-in-BlockCodec-runPull.patch +} + build() { cd "$srcdir/$pkgname-$pkgver"