[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/02: gnu: soundtouch: Fix CVE-2018-{1000223,14044,14045}.
|
From: |
Leo Famulari |
|
Subject: |
02/02: gnu: soundtouch: Fix CVE-2018-{1000223,14044,14045}. |
|
Date: |
Wed, 22 Aug 2018 13:46:48 -0400 (EDT) |
lfam pushed a commit to branch master
in repository guix.
commit 373a9fd4db00f6dae8379cfd0d6aadc7251dc595
Author: Leo Famulari <address@hidden>
Date: Wed Aug 22 13:07:42 2018 -0400
gnu: soundtouch: Fix CVE-2018-{1000223,14044,14045}.
* gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch,
gnu/packages/patches/soundtouch-CVE-2018-1000223.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/audio.scm (soundtouch)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/audio.scm | 2 +
.../patches/soundtouch-CVE-2018-1000223.patch | 143 +++++++++++++++++++++
.../patches/soundtouch-CVE-2018-14044-14045.patch | 138 ++++++++++++++++++++
4 files changed, 285 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index eb08624..72f0e19 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1139,6 +1139,8 @@ dist_patch_DATA =
\
%D%/packages/patches/slim-reset.patch \
%D%/packages/patches/slim-login.patch \
%D%/packages/patches/sooperlooper-build-with-wx-30.patch \
+ %D%/packages/patches/soundtouch-CVE-2018-14044-14045.patch \
+ %D%/packages/patches/soundtouch-CVE-2018-1000223.patch \
%D%/packages/patches/steghide-fixes.patch \
%D%/packages/patches/superlu-dist-scotchmetis.patch \
%D%/packages/patches/swish-e-search.patch \
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 66210db..1e54e86 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -2589,6 +2589,8 @@ Tracker 3 S3M and Impulse Tracker IT files.")
(uri
(string-append
"http://www.surina.net/soundtouch/soundtouch-"; version ".tar.gz"))
+ (patches (search-patches "soundtouch-CVE-2018-14044-14045.patch"
+ "soundtouch-CVE-2018-1000223.patch"))
(sha256
(base32
"09cxr02mfyj2bg731bj0i9hh565x8l9p91aclxs8wpqv8b8zf96j"))))
diff --git a/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch
b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch
new file mode 100644
index 0000000..961a183
--- /dev/null
+++ b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch
@@ -0,0 +1,143 @@
+Fix CVE-2018-1000223:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223
+https://gitlab.com/soundtouch/soundtouch/issues/6
+
+Patches copied from upstream source repository:
+
+https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e
+https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275
+https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967
+
+From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
+From: oparviainen <address@hidden>
+Date: Sun, 12 Aug 2018 20:24:37 +0300
+Subject: [PATCH] Added minimum size check for WAV header block lengh values
+
+---
+ source/SoundStretch/WavFile.cpp | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 7e7ade2..68818c9 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
+ // read length of the format field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int format_len;
++ _swap32(nLen);
++
++ // verify that header length isn't smaller than expected
++ if (nLen < sizeof(header.format) - 8) return -1;
++
+ header.format.format_len = nLen;
+
+ // calculate how much length differs from expected
+@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+ _swap32(nLen); // int fact_len;
++
++ // verify that fact length isn't smaller than expected
++ if (nLen < sizeof(header.fact) - 8) return -1;
++
+ header.fact.fact_len = nLen;
+
+ // calculate how much length differs from expected
+--
+2.18.0
+
+From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
+From: oparviainen <address@hidden>
+Date: Mon, 13 Aug 2018 19:16:16 +0300
+Subject: [PATCH] Fixed WavFile header/fact not-too-small check
+
+---
+ source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 4af7a4c..3421bca 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
+ // swap byte order if necessary
+ _swap32(nLen);
+
+- // verify that header length isn't smaller than expected
+- if (nLen < sizeof(header.format) - 8) return -1;
++ // calculate how much length differs from expected
++ nDump = nLen - ((int)sizeof(header.format) - 8);
+
+- header.format.format_len = nLen;
++ // verify that header length isn't smaller than expected structure
++ if (nDump < 0) return -1;
+
+- // calculate how much length differs from expected
+- nDump = nLen - ((int)sizeof(header.format) - 8);
++ header.format.format_len = nLen;
+
+ // if format_len is larger than expected, read only as much data as
we've space for
+ if (nDump > 0)
+@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
+ // read length of the fact field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int fact_len;
+-
+- // verify that fact length isn't smaller than expected
+- if (nLen < sizeof(header.fact) - 8) return -1;
+-
+- header.fact.fact_len = nLen;
++ _swap32(nLen);
+
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.fact) - 8);
+
++ // verify that fact length isn't smaller than expected structure
++ if (nDump < 0) return -1;
++
++ header.fact.fact_len = nLen;
++
+ // if format_len is larger than expected, read only as much data as
we've space for
+ if (nDump > 0)
+ {
+--
+2.18.0
+
+From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
+From: olli <address@hidden>
+Date: Mon, 13 Aug 2018 19:42:58 +0300
+Subject: [PATCH] Improved WavFile header/fact not-too-small check
+
+---
+ source/SoundStretch/WavFile.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 3421bca..9d90b8a 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
+ nDump = nLen - ((int)sizeof(header.format) - 8);
+
+ // verify that header length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
+@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
+ nDump = nLen - ((int)sizeof(header.fact) - 8);
+
+ // verify that fact length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.fact.fact_len = nLen;
+
+--
+2.18.0
+
diff --git a/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch
b/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch
new file mode 100644
index 0000000..cc0282f
--- /dev/null
+++ b/gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch
@@ -0,0 +1,138 @@
+Fix CVE-2018-14044 and CVE-2018-14045:
+
+https://gitlab.com/soundtouch/soundtouch/issues/7
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14044
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14045
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/soundtouch/soundtouch/commit/107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260
+
+From 107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 Mon Sep 17 00:00:00 2001
+From: oparviainen <address@hidden>
+Date: Sun, 12 Aug 2018 20:00:56 +0300
+Subject: [PATCH] Replaced illegal-number-of-channel assertions with run-time
+ exception
+
+---
+ include/FIFOSamplePipe.h | 12 ++++++++++++
+ include/STTypes.h | 3 +++
+ source/SoundTouch/FIFOSampleBuffer.cpp | 3 ++-
+ source/SoundTouch/RateTransposer.cpp | 5 ++---
+ source/SoundTouch/SoundTouch.cpp | 8 ++------
+ source/SoundTouch/TDStretch.cpp | 5 ++---
+ 6 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/include/FIFOSamplePipe.h b/include/FIFOSamplePipe.h
+index 4ec9275..b08f836 100644
+--- a/include/FIFOSamplePipe.h
++++ b/include/FIFOSamplePipe.h
+@@ -51,6 +51,18 @@ namespace soundtouch
+ /// Abstract base class for FIFO (first-in-first-out) sample processing
classes.
+ class FIFOSamplePipe
+ {
++protected:
++
++ bool verifyNumberOfChannels(int nChannels) const
++ {
++ if ((nChannels > 0) && (nChannels <= SOUNDTOUCH_MAX_CHANNELS))
++ {
++ return true;
++ }
++ ST_THROW_RT_ERROR("Error: Illegal number of channels");
++ return false;
++ }
++
+ public:
+ // virtual default destructor
+ virtual ~FIFOSamplePipe() {}
+diff --git a/include/STTypes.h b/include/STTypes.h
+index 03e7e07..862505e 100644
+--- a/include/STTypes.h
++++ b/include/STTypes.h
+@@ -56,6 +56,9 @@ typedef unsigned long ulong;
+
+ namespace soundtouch
+ {
++ /// Max allowed number of channels
++ #define SOUNDTOUCH_MAX_CHANNELS 16
++
+ /// Activate these undef's to overrule the possible sampletype
+ /// setting inherited from some other header file:
+ //#undef SOUNDTOUCH_INTEGER_SAMPLES
+diff --git a/source/SoundTouch/FIFOSampleBuffer.cpp
b/source/SoundTouch/FIFOSampleBuffer.cpp
+index f0d5e42..706e869 100644
+--- a/source/SoundTouch/FIFOSampleBuffer.cpp
++++ b/source/SoundTouch/FIFOSampleBuffer.cpp
+@@ -73,7 +73,8 @@ void FIFOSampleBuffer::setChannels(int numChannels)
+ {
+ uint usedBytes;
+
+- assert(numChannels > 0);
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ usedBytes = channels * samplesInBuffer;
+ channels = (uint)numChannels;
+ samplesInBuffer = usedBytes / channels;
+diff --git a/source/SoundTouch/RateTransposer.cpp
b/source/SoundTouch/RateTransposer.cpp
+index 8b66be3..d115a4c 100644
+--- a/source/SoundTouch/RateTransposer.cpp
++++ b/source/SoundTouch/RateTransposer.cpp
+@@ -179,11 +179,10 @@ void RateTransposer::processSamples(const SAMPLETYPE
*src, uint nSamples)
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void RateTransposer::setChannels(int nChannels)
+ {
+- assert(nChannels > 0);
++ if (!verifyNumberOfChannels(nChannels) ||
++ (pTransposer->numChannels == nChannels)) return;
+
+- if (pTransposer->numChannels == nChannels) return;
+ pTransposer->setChannels(nChannels);
+-
+ inputBuffer.setChannels(nChannels);
+ midBuffer.setChannels(nChannels);
+ outputBuffer.setChannels(nChannels);
+diff --git a/source/SoundTouch/SoundTouch.cpp
b/source/SoundTouch/SoundTouch.cpp
+index 7b6756b..06bdd56 100644
+--- a/source/SoundTouch/SoundTouch.cpp
++++ b/source/SoundTouch/SoundTouch.cpp
+@@ -139,18 +139,14 @@ uint SoundTouch::getVersionId()
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void SoundTouch::setChannels(uint numChannels)
+ {
+- /*if (numChannels != 1 && numChannels != 2)
+- {
+- //ST_THROW_RT_ERROR("Illegal number of channels");
+- return;
+- }*/
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ channels = numChannels;
+ pRateTransposer->setChannels((int)numChannels);
+ pTDStretch->setChannels((int)numChannels);
+ }
+
+
+-
+ // Sets new rate control value. Normal rate = 1.0, smaller values
+ // represent slower rate, larger faster rates.
+ void SoundTouch::setRate(double newRate)
+diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp
+index 149cdb9..be2dc88 100644
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -588,9 +588,8 @@ void TDStretch::setTempo(double newTempo)
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void TDStretch::setChannels(int numChannels)
+ {
+- assert(numChannels > 0);
+- if (channels == numChannels) return;
+-// assert(numChannels == 1 || numChannels == 2);
++ if (!verifyNumberOfChannels(numChannels) ||
++ (channels == numChannels)) return;
+
+ channels = numChannels;
+ inputBuffer.setChannels(channels);
+--
+2.18.0
+