From 4a1a8277bba490d227f413e218138e39f1fe1203 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 30 Mar 2017 23:03:33 +0200 Subject: [PATCH] audiofile: add security patch for CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838 CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp https://github.com/mpruett/audiofile/issues/34 CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp https://github.com/mpruett/audiofile/issues/38 CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h https://github.com/mpruett/audiofile/issues/40 CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ https://github.com/mpruett/audiofile/issues/41 Signed-off-by: Peter Korsgaard --- ...multiplication-overflow-in-sfconvert.patch | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch diff --git a/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch b/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch new file mode 100644 index 0000000000..c72619030b --- /dev/null +++ b/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch @@ -0,0 +1,72 @@ +From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001 +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: [PATCH] Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 + +Signed-off-by: Peter Korsgaard +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; +-- +2.11.0 + -- 2.30.2