From 005e5abdcbc880b34aff9c204a4f0987711caa5d Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Fri, 19 Feb 2021 16:09:05 +0800 Subject: [PATCH] fix CVE-2017-6828 CVE-2017-6829 CVE-2017-6831 CVE-2017-6838 CVE-2017-6839 (cherry picked from commit 4904c4a8775fe56d84030ea1c108bf8f9b6117c7) --- audiofile.spec | 13 +++- backport-CVE-2017-6828.patch | 31 ++++++++++ backport-CVE-2017-6829.patch | 34 ++++++++++ backport-CVE-2017-6831.patch | 37 +++++++++++ backport-CVE-2017-6838.patch | 67 ++++++++++++++++++++ backport-CVE-2017-6839.patch | 117 +++++++++++++++++++++++++++++++++++ 6 files changed, 298 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2017-6828.patch create mode 100644 backport-CVE-2017-6829.patch create mode 100644 backport-CVE-2017-6831.patch create mode 100644 backport-CVE-2017-6838.patch create mode 100644 backport-CVE-2017-6839.patch diff --git a/audiofile.spec b/audiofile.spec index dd6a5e5..8e4e5fd 100644 --- a/audiofile.spec +++ b/audiofile.spec @@ -1,6 +1,6 @@ Name: audiofile Version: 0.3.6 -Release: 24 +Release: 25 Summary: Library for reading and writing audio files in many common formats License: LGPLv2+ and GPLv2+ URL: http://audiofile.68k.org/ @@ -8,6 +8,11 @@ Source0: http://audiofile.68k.org/%{name}-%{version}.tar.gz Patch0: audiofile-CVE-2015-7747.patch Patch1: audiofile-fix-gcc6-compile-error.patch Patch2: audiofile-fix-test-compile-err.patch +Patch3: backport-CVE-2017-6828.patch +Patch4: backport-CVE-2017-6829.patch +Patch5: backport-CVE-2017-6831.patch +Patch6: backport-CVE-2017-6838.patch +Patch7: backport-CVE-2017-6839.patch BuildRequires: gcc-c++ libtool alsa-lib-devel flac-devel gdb @@ -75,6 +80,12 @@ make check %{_mandir}/man3/* %changelog +* Fri Feb 19 2021 shixuantong - 0.3.6-25 +- Type:cves +- ID:CVE-2017-6828 CVE-2017-6829 CVE-2017-6831 CVE-2017-6838 CVE-2017-6839 +- SUG:NA +- DESC:fix CVE-2017-6828 CVE-2017-6829 CVE-2017-6831 CVE-2017-6838 CVE-2017-6839 + * Sat Mar 21 2020 Shouping Wang - 0.3.6-24 - Type:bugfix - ID:NA diff --git a/backport-CVE-2017-6828.patch b/backport-CVE-2017-6828.patch new file mode 100644 index 0000000..9fd7c18 --- /dev/null +++ b/backport-CVE-2017-6828.patch @@ -0,0 +1,31 @@ +From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: [PATCH] Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0e81cf7..61f9541 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + + /* numCoefficients should be at least 7. */ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + m_msadpcmNumCoefficients = numCoefficients; + diff --git a/backport-CVE-2017-6829.patch b/backport-CVE-2017-6829.patch new file mode 100644 index 0000000..1070e33 --- /dev/null +++ b/backport-CVE-2017-6829.patch @@ -0,0 +1,34 @@ +From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: [PATCH] Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0e81cf7..d762249 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; diff --git a/backport-CVE-2017-6838.patch b/backport-CVE-2017-6838.patch new file mode 100644 index 0000000..ac42c15 --- /dev/null +++ b/backport-CVE-2017-6838.patch @@ -0,0 +1,67 @@ +From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: [PATCH] Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; diff --git a/backport-CVE-2017-6839.patch b/backport-CVE-2017-6839.patch new file mode 100644 index 0000000..8d24ef6 --- /dev/null +++ b/backport-CVE-2017-6839.patch @@ -0,0 +1,117 @@ +From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 +--- + libaudiofile/modules/BlockCodec.cpp | 5 +-- + libaudiofile/modules/MSADPCM.cpp | 47 ++++++++++++++++++++++++++--- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. + for (int i=0; i(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; -- Gitee