tj@ had a diff to backport CVE fixes for audio/sox. Here, I tweaked it
so the patches apply cleanly.
This diff:
- adds devel/quirks entry (so, apply the diff in /usr/ports)
- bumps minor to 4.1 due to addition of symbols
check_sym output: https://namtsui.com/public/sox.txt
- moves to CONFIGURE_STYLE autoreconf because Makefile.am is patched
- backports fixes for CVEs since 2017
- backported fixes can be viewed online:
https://namtsui.com/public/sox_cve.txt
- tweaks from sthen@: BUILD_DEPENDS MODGNU_AUTO{CONF,MAKE}_DEPENDS and
libtool not needed because autoreconf already adds them.
`make test' works. `play' works to stream rtp audio over my LAN. I
successfully tested some, but not all, consumers: audacity, vlc and
pacpl.
Remaining issues:
- sthen@ said SHARED_LIBS bump for -stable might be a problem. Should
this be committed to the two previous releases in addition to
-current?
- Since maintaining this many patches is clunky, should we consider
mirroring the latest git checkout?
Comments? OK?
Index: audio/sox/Makefile
===================================================================
RCS file: /cvs/ports/audio/sox/Makefile,v
retrieving revision 1.72
diff -u -p -u -p -r1.72 Makefile
--- audio/sox/Makefile 12 Jul 2019 20:43:41 -0000 1.72
+++ audio/sox/Makefile 3 Jul 2021 22:27:09 -0000
@@ -5,8 +5,8 @@ BROKEN-hppa = bend.c:155:12: internal co
COMMENT= Sound eXchange, the Swiss Army knife of audio manipulation
DISTNAME= sox-14.4.2
-REVISION= 5
-SHARED_LIBS += sox 4.0 # 3.0
+REVISION= 6
+SHARED_LIBS += sox 4.1 # 3.0
CATEGORIES= audio
HOMEPAGE= http://sox.sourceforge.net/
@@ -40,7 +40,11 @@ LIB_DEPENDS= \
converters/libiconv \
graphics/png
-CONFIGURE_STYLE=gnu
+CONFIGURE_STYLE= autoreconf
+
+AUTOCONF_VERSION= 2.69
+AUTOMAKE_VERSION= 1.16
+
CONFIGURE_ARGS= --datarootdir=${LOCALBASE} \
--enable-largefile \
--disable-silent-libtool \
Index: audio/sox/patches/patch-src_Makefile_am
===================================================================
RCS file: audio/sox/patches/patch-src_Makefile_am
diff -N audio/sox/patches/patch-src_Makefile_am
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_Makefile_am 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,44 @@
+$OpenBSD$
+
+From 0d70a21c6f98575984c28f4e98a1fbf929195456 Mon Sep 17 00:00:00 2001
+From: Jiri Kucera <jkucera@redhat.com>
+Date: Thu, 25 Jan 2018 21:53:30 +0100
+Subject: [PATCH] make: add $(DESTDIR) in installcheck target [bug #302]
+
+From ec073861aa9c0f779a3741c456e4f97d59366ffb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 15:40:16 +0000
+Subject: [PATCH] make: update exported symbol list [bug #266]
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/Makefile.am
+--- src/Makefile.am.orig
++++ src/Makefile.am
+@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
+
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+- -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++ -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+
+ if HAVE_WIN32_LTDL
+ libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+@@ -194,6 +194,6 @@ loc:
+ # would run the test suite, but an uninstalled libltdl build cannot
+ # currently load its formats and effects, so the checks would fail.
+ installcheck:
+- $(srcdir)/tests.sh --bindir=${bindir} --builddir=${builddir} --srcdir=${srcdir}
+- $(srcdir)/testall.sh --bindir=${bindir} --srcdir=${srcdir}
++ $(srcdir)/tests.sh --bindir=$(DESTDIR)${bindir} --builddir=${builddir} --srcdir=${srcdir}
++ $(srcdir)/testall.sh --bindir=$(DESTDIR)${bindir} --srcdir=${srcdir}
+
Index: audio/sox/patches/patch-src_adpcm_c
===================================================================
RCS file: audio/sox/patches/patch-src_adpcm_c
diff -N audio/sox/patches/patch-src_adpcm_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_adpcm_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,39 @@
+$OpenBSD$
+
+From 001c337552912d286ba68086ac378f6fdc1e8b50 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 8 Nov 2017 00:27:46 +0000
+Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/adpcm.c
+--- src/adpcm.c.orig
++++ src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = {
+ { 392,-232}
+ };
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++ return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+ sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(sox_sample_t c,
+
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+ const unsigned char *ip;
+ unsigned ch;
+ const char *errmsg = NULL;
+- MsState_t state[4]; /* One decompressor state for each channel */
++ MsState_t *state = priv; /* One decompressor state for each channel */
+
+ /* Read the four-byte header for each channel */
+ ip = ibuff;
Index: audio/sox/patches/patch-src_adpcm_h
===================================================================
RCS file: audio/sox/patches/patch-src_adpcm_h
diff -N audio/sox/patches/patch-src_adpcm_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_adpcm_h 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/adpcm.h
+--- src/adpcm.h.orig
++++ src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
Index: audio/sox/patches/patch-src_aiff_c
===================================================================
RCS file: audio/sox/patches/patch-src_aiff_c
diff -N audio/sox/patches/patch-src_aiff_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_aiff_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+From 0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Mon, 20 Nov 2017 11:03:15 +0000
+Subject: [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642)
+
+Index: src/aiff.c
+--- src/aiff.c.orig
++++ src/aiff.c
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft)
+ size_t ssndsize = 0;
+ char *annotation;
+ char *author;
+- char *comment = NULL;
+ char *copyright;
+ char *nametext;
+
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft)
+ free(annotation);
+ }
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++ char *comment = NULL;
+ rc = commentChunk(&comment, "Comment:", ft);
+ if (rc) {
+ /* Fail already called in function */
Index: audio/sox/patches/patch-src_effects_i_dsp_c
===================================================================
RCS file: audio/sox/patches/patch-src_effects_i_dsp_c
diff -N audio/sox/patches/patch-src_effects_i_dsp_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_effects_i_dsp_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+From f70911261a84333b077c29908e1242f69d7439eb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 14:57:34 +0100
+Subject: [PATCH] fix possible buffer size overflow in lsx_make_lpf()
+ (CVE-2019-8354)
+
+From 2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 15:08:51 +0100
+Subject: [PATCH] fix possible null pointer deref in lsx_make_lpf()
+ (CVE-2019-8357)
+
+Index: src/effects_i_dsp.c
+--- src/effects_i_dsp.c.orig
++++ src/effects_i_dsp.c
+@@ -357,10 +357,13 @@ double * lsx_make_lpf(int num_taps, double Fc, double
+ double scale, sox_bool dc_norm)
+ {
+ int i, m = num_taps - 1;
+- double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++ double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+ double mult = scale / lsx_bessel_I_0(beta), mult1 = 1 / (.5 * m + rho);
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
++
++ if (!h)
++ return NULL;
+
+ for (i = 0; i <= m / 2; ++i) {
+ double z = i - .5 * m, x = z * M_PI, y = z * mult1;
Index: audio/sox/patches/patch-src_fft4g_c
===================================================================
RCS file: audio/sox/patches/patch-src_fft4g_c
diff -N audio/sox/patches/patch-src_fft4g_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_fft4g_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,70 @@
+$OpenBSD$
+
+From b7883ae1398499daaa926ae6621f088f0f531ed8 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 16:56:42 +0100
+Subject: [PATCH] fft4g: bail if size too large (CVE-2019-8356)
+
+Index: src/fft4g.c
+--- src/fft4g.c.orig
++++ src/fft4g.c
+@@ -322,6 +322,9 @@ static void rftfsub(int n, double *a, int nc, double c
+
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ if (n > (ip[0] << 2)) {
+ makewt(n >> 2, ip, w);
+ }
+@@ -344,6 +347,9 @@ void rdft(int n, int isgn, double *a, int *ip, double
+ int nw, nc;
+ double xi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -384,6 +390,9 @@ void ddct(int n, int isgn, double *a, int *ip, double
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -435,6 +444,9 @@ void ddst(int n, int isgn, double *a, int *ip, double
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -486,6 +498,9 @@ void dfct(int n, double *a, double *t, int *ip, double
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+@@ -576,6 +591,9 @@ void dfst(int n, double *a, double *t, int *ip, double
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
Index: audio/sox/patches/patch-src_fft4g_h
===================================================================
RCS file: audio/sox/patches/patch-src_fft4g_h
diff -N audio/sox/patches/patch-src_fft4g_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_fft4g_h 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+From b7883ae1398499daaa926ae6621f088f0f531ed8 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 16:56:42 +0100
+Subject: [PATCH] fft4g: bail if size too large (CVE-2019-8356)
+
+Index: src/fft4g.h
+--- src/fft4g.h.orig
++++ src/fft4g.h
+@@ -13,6 +13,8 @@
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
++#define FFT4G_MAX_SIZE 262144
++
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+ void lsx_ddct(int, int, double *, int *, double *);
Index: audio/sox/patches/patch-src_flac_c
===================================================================
RCS file: audio/sox/patches/patch-src_flac_c
diff -N audio/sox/patches/patch-src_flac_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_flac_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+Index: src/flac.c
+--- src/flac.c.orig
++++ src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FLAC__StreamDeco
+ p->total_samples = metadata->data.stream_info.total_samples;
+ }
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+ size_t i;
+
+- if (metadata->data.vorbis_comment.num_comments == 0)
++ if (vc->num_comments == 0)
+ return;
+
+ if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FLAC__StreamDeco
+ return;
+ }
+
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++ for (i = 0; i < vc->num_comments; ++i)
++ if (vc->comments[i].entry)
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+ }
+ }
+
Index: audio/sox/patches/patch-src_hcom_c
===================================================================
RCS file: audio/sox/patches/patch-src_hcom_c
diff -N audio/sox/patches/patch-src_hcom_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_hcom_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,38 @@
+$OpenBSD$
+
+commit e410d00c4821726accfbe1f825f2def6376e181f
+from: Mans Rullgard <mans@mansr.com>
+date: Sun Apr 29 11:34:19 2018 UTC
+
+hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
+
+Index: src/hcom.c
+--- src/hcom.c.orig
++++ src/hcom.c
+@@ -73,6 +73,14 @@ typedef struct {
+ size_t pos; /* Where next byte goes */
+ } priv_t;
+
++static int dictvalid(int n, int size, int left, int right)
++{
++ if (n > 0 && left < 0)
++ return 1;
++
++ return (unsigned)left < size && (unsigned)right < size;
++}
++
+ static int startread(sox_format_t * ft)
+ {
+ priv_t *p = (priv_t *) ft->priv;
+@@ -150,6 +158,11 @@ static int startread(sox_format_t * ft)
+ lsx_debug("%d %d",
+ p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson);
++ if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
++ p->dictionary[i].dict_rightson)) {
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++ return SOX_EOF;
++ }
+ }
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+ if (rc)
Index: audio/sox/patches/patch-src_wav_c
===================================================================
RCS file: audio/sox/patches/patch-src_wav_c
diff -N audio/sox/patches/patch-src_wav_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_wav_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,98 @@
+$OpenBSD$
+
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+From 001c337552912d286ba68086ac378f6fdc1e8b50 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 8 Nov 2017 00:27:46 +0000
+Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/wav.c
+--- src/wav.c.orig
++++ src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+ /* following used by *ADPCM wav files */
+ unsigned short nCoefs; /* ADPCM: number of coef sets */
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */
++ void *ms_adpcm_data; /* Private data of adpcm decoder */
+ unsigned char *packet; /* Temporary buffer for packets */
+ short *samples; /* interleaved samples buffer */
+ short *samplePtr; /* Pointer to current sample */
+@@ -127,7 +128,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t
+ /* work with partial blocks. Specs say it should be null */
+ /* padded but I guess this is better than trailing quiet. */
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+- if (samplesThisBlock == 0)
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+ {
+ lsx_warn("Premature EOF on .wav input file");
+ return 0;
+@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * f
+ }
+ }
+
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+
+ if (errmsg)
+ lsx_warn("%s", errmsg);
+@@ -712,6 +713,11 @@ static int startread(sox_format_t * ft)
+ else
+ lsx_report("User options overriding channels read in .wav header");
+
++ if (ft->signal.channels == 0) {
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++ return SOX_EOF;
++ }
++
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+ ft->signal.rate = dwSamplesPerSecond;
+ else
+@@ -786,6 +792,7 @@ static int startread(sox_format_t * ft)
+
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+ {
+ int i, errct=0;
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1211,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+ free(wav->packet);
+ free(wav->samples);
+ free(wav->lsx_ms_adpcm_i_coefs);
++ free(wav->ms_adpcm_data);
+ free(wav->comment);
+ wav->comment = NULL;
+
+@@ -1373,6 +1381,16 @@ static int wavwritehdr(sox_format_t * ft, int second_h
+ int bytespersample; /* (uncompressed) bytes per sample (per channel) */
+ long blocksWritten = 0;
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */
++
++ if (ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
++ dwSamplesPerSecond = ft->signal.rate;
++ wChannels = ft->signal.channels;
++ wBitsPerSample = ft->encoding.bits_per_sample;
+
+ dwSamplesPerSecond = ft->signal.rate;
+ wChannels = ft->signal.channels;
Index: audio/sox/patches/patch-src_xa_c
===================================================================
RCS file: audio/sox/patches/patch-src_xa_c
diff -N audio/sox/patches/patch-src_xa_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xa_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+From 09d7388c8ad5701ed9c59d1d600ff6154b066397 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Thu, 9 Nov 2017 11:45:10 +0000
+Subject: [PATCH] xa: validate channel count (CVE-2017-18189)
+
+Index: src/xa.c
+--- src/xa.c.orig
++++ src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+ lsx_report("User options overriding rate read in .xa header");
+ }
+
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ /* Check for supported formats */
+ if (ft->encoding.bits_per_sample != 16) {
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
Index: audio/sox/patches/patch-src_xmalloc_c
===================================================================
RCS file: audio/sox/patches/patch-src_xmalloc_c
diff -N audio/sox/patches/patch-src_xmalloc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xmalloc_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,68 @@
+$OpenBSD$
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/xmalloc.c
+--- src/xmalloc.c.orig
++++ src/xmalloc.c
+@@ -20,6 +20,17 @@
+ #include "sox_i.h"
+ #include <stdlib.h>
+
++static void *lsx_checkptr(void *ptr)
++{
++ if (!ptr) {
++ lsx_fail("out of memory");
++ exit(2);
++ }
++
++ return ptr;
++}
++
++
+ /* Resize an allocated memory area; abort if not possible.
+ *
+ * For malloc, `If the size of the space requested is zero, the behavior is
+@@ -34,10 +45,30 @@ void *lsx_realloc(void *ptr, size_t newsize)
+ return NULL;
+ }
+
+- if ((ptr = realloc(ptr, newsize)) == NULL) {
+- lsx_fail("out of memory");
++ return lsx_checkptr(realloc(ptr, newsize));
++}
++
++void *lsx_malloc(size_t size)
++{
++ return lsx_checkptr(malloc(size + !size));
++}
++
++void *lsx_calloc(size_t n, size_t size)
++{
++ return lsx_checkptr(calloc(n + !n, size + !size));
++}
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++ if (n > (size_t)-1 / size) {
++ lsx_fail("malloc size overflow");
+ exit(2);
+ }
+
+- return ptr;
++ return lsx_realloc(p, n * size);
++}
++
++char *lsx_strdup(const char *s)
++{
++ return lsx_checkptr(strdup(s));
+ }
Index: audio/sox/patches/patch-src_xmalloc_h
===================================================================
RCS file: audio/sox/patches/patch-src_xmalloc_h
diff -N audio/sox/patches/patch-src_xmalloc_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xmalloc_h 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,36 @@
+$OpenBSD$
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/xmalloc.h
+--- src/xmalloc.h.orig
++++ src/xmalloc.h
+@@ -23,12 +23,14 @@
+ #include <stddef.h>
+ #include <string.h>
+
+-#define lsx_malloc(size) lsx_realloc(NULL, (size))
+-#define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL)
++LSX_RETURN_VALID void *lsx_malloc(size_t size);
++LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
++LSX_RETURN_VALID char *lsx_strdup(const char *s);
++
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+-#define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n) v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n) v = lsx_realloc_array(v, n, sizeof(*(v)))
+
+
No comments:
Post a Comment