tj@ had a diff to backport CVE fixes for audio/sox. Here, I tweaked it
so the patches apply cleanly.

This diff:
- adds devel/quirks entry (so, apply the diff in /usr/ports)
- bumps minor to 4.1 due to addition of symbols
  check_sym output: https://namtsui.com/public/sox.txt
- moves to CONFIGURE_STYLE autoreconf because Makefile.am is patched
- backports fixes for CVEs since 2017
- backported fixes can be viewed online:
  https://namtsui.com/public/sox_cve.txt  
- tweaks from sthen@: BUILD_DEPENDS on MODGNU_AUTO{CONF,MAKE}_DEPENDS and
  libtool are not needed because autoreconf already adds them.

`make test' works. `play' works to stream rtp audio over my LAN. I
successfully tested some, but not all, consumers: audacity, vlc and
pacpl.

Remaining issues:
- sthen@ said SHARED_LIBS bump for -stable might be a problem. Should
  this be committed to the two previous releases in addition to
  -current?
- Since maintaining this many patches is clunky, should we consider
  mirroring the latest git checkout?

Comments? OK?

Index: audio/sox/Makefile
===================================================================
RCS file: /cvs/ports/audio/sox/Makefile,v
retrieving revision 1.72
diff -u -p -u -p -r1.72 Makefile
--- audio/sox/Makefile  12 Jul 2019 20:43:41 -0000      1.72
+++ audio/sox/Makefile  3 Jul 2021 22:27:09 -0000
@@ -5,8 +5,8 @@ BROKEN-hppa =   bend.c:155:12: internal co
 COMMENT=       Sound eXchange, the Swiss Army knife of audio manipulation
 
 DISTNAME=      sox-14.4.2
-REVISION=      5
-SHARED_LIBS += sox 4.0 # 3.0
+REVISION=      6
+SHARED_LIBS += sox 4.1 # 3.0
 
 CATEGORIES=    audio
 HOMEPAGE=      http://sox.sourceforge.net/
@@ -40,7 +40,11 @@ LIB_DEPENDS=                 \
        converters/libiconv     \
        graphics/png
 
-CONFIGURE_STYLE=gnu
+CONFIGURE_STYLE=       autoreconf
+
+AUTOCONF_VERSION=      2.69
+AUTOMAKE_VERSION=      1.16
+
 CONFIGURE_ARGS=        --datarootdir=${LOCALBASE}      \
        --enable-largefile              \
        --disable-silent-libtool        \
Index: audio/sox/patches/patch-src_Makefile_am
===================================================================
RCS file: audio/sox/patches/patch-src_Makefile_am
diff -N audio/sox/patches/patch-src_Makefile_am
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_Makefile_am     3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,44 @@
+$OpenBSD$
+
+From 0d70a21c6f98575984c28f4e98a1fbf929195456 Mon Sep 17 00:00:00 2001
+From: Jiri Kucera <jkuc...@redhat.com>
+Date: Thu, 25 Jan 2018 21:53:30 +0100
+Subject: [PATCH] make: add $(DESTDIR) in installcheck target [bug #302]
+
+From ec073861aa9c0f779a3741c456e4f97d59366ffb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Sun, 5 Nov 2017 15:40:16 +0000
+Subject: [PATCH] make: update exported symbol list [bug #266]
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/Makefile.am
+--- src/Makefile.am.orig
++++ src/Makefile.am
+@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
+ 
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+-  -export-symbols-regex 
'^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++  -export-symbols-regex 
'^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+ 
+ if HAVE_WIN32_LTDL
+   libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+@@ -194,6 +194,6 @@ loc:
+ # would run the test suite, but an uninstalled libltdl build cannot
+ # currently load its formats and effects, so the checks would fail.
+ installcheck:
+-      $(srcdir)/tests.sh --bindir=${bindir} --builddir=${builddir} 
--srcdir=${srcdir}
+-      $(srcdir)/testall.sh --bindir=${bindir} --srcdir=${srcdir}
++      $(srcdir)/tests.sh --bindir=$(DESTDIR)${bindir} --builddir=${builddir} 
--srcdir=${srcdir}
++      $(srcdir)/testall.sh --bindir=$(DESTDIR)${bindir} --srcdir=${srcdir}
+ 
Index: audio/sox/patches/patch-src_adpcm_c
===================================================================
RCS file: audio/sox/patches/patch-src_adpcm_c
diff -N audio/sox/patches/patch-src_adpcm_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_adpcm_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,39 @@
+$OpenBSD$
+
+From 001c337552912d286ba68086ac378f6fdc1e8b50 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 8 Nov 2017 00:27:46 +0000
+Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/adpcm.c
+--- src/adpcm.c.orig
++++ src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = {
+                         { 392,-232}
+ };
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++        return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+                                sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(sox_sample_t c,
+ 
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output 
buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++        void *priv,
+         unsigned chans,          /* total channels             */
+         int nCoef,
+         const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+   const unsigned char *ip;
+   unsigned ch;
+   const char *errmsg = NULL;
+-  MsState_t state[4];  /* One decompressor state for each channel */
++  MsState_t *state = priv;  /* One decompressor state for each channel */
+ 
+   /* Read the four-byte header for each channel */
+   ip = ibuff;
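Review bot: `lsx_ms_adpcm_alloc` computes `chans * sizeof(MsState_t)` unchecked before handing it to `lsx_malloc`; since this same diff introduces an overflow-checked `lsx_calloc` in patch-src_xmalloc_c, `return lsx_calloc(chans, sizeof(MsState_t));` gets the check (and zeroed state) for free, and the header-read loop that follows in `lsx_ms_adpcm_block_expand_i` still initialises each entry as before. The `extern` storage class on a function definition is unusual style; `void *lsx_ms_adpcm_alloc(unsigned chans)` reads cleaner and the declaration in patch-src_adpcm_h already carries the linkage. `MsState_t *state = priv;` is dereferenced for every channel, so the caller must always pass a buffer sized for `chans`; a one-line comment on the `priv` parameter saying it must come from `lsx_ms_adpcm_alloc(chans)` would make that contract visible. `lsx_ms_adpcm_block_expand_i` continues past the hunk.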
Index: audio/sox/patches/patch-src_adpcm_h
===================================================================
RCS file: audio/sox/patches/patch-src_adpcm_h
diff -N audio/sox/patches/patch-src_adpcm_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_adpcm_h 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/adpcm.h
+--- src/adpcm.h.orig
++++ src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output 
buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++      void *priv,
+       unsigned chans,          /* total channels             */
+       int nCoef,
+       const short *coef,
Index: audio/sox/patches/patch-src_aiff_c
===================================================================
RCS file: audio/sox/patches/patch-src_aiff_c
diff -N audio/sox/patches/patch-src_aiff_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_aiff_c  3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+From 0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Mon, 20 Nov 2017 11:03:15 +0000
+Subject: [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642)
+
+Index: src/aiff.c
+--- src/aiff.c.orig
++++ src/aiff.c
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft)
+   size_t ssndsize = 0;
+   char *annotation;
+   char *author;
+-  char *comment = NULL;
+   char *copyright;
+   char *nametext;
+ 
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft)
+       free(annotation);
+     }
+     else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++      char *comment = NULL;
+       rc = commentChunk(&comment, "Comment:", ft);
+       if (rc) {
+         /* Fail already called in function */
Index: audio/sox/patches/patch-src_effects_i_dsp_c
===================================================================
RCS file: audio/sox/patches/patch-src_effects_i_dsp_c
diff -N audio/sox/patches/patch-src_effects_i_dsp_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_effects_i_dsp_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+From f70911261a84333b077c29908e1242f69d7439eb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 14:57:34 +0100
+Subject: [PATCH] fix possible buffer size overflow in lsx_make_lpf()
+ (CVE-2019-8354)
+
+From 2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 15:08:51 +0100
+Subject: [PATCH] fix possible null pointer deref in lsx_make_lpf()
+ (CVE-2019-8357)
+
+Index: src/effects_i_dsp.c
+--- src/effects_i_dsp.c.orig
++++ src/effects_i_dsp.c
+@@ -357,10 +357,13 @@ double * lsx_make_lpf(int num_taps, double Fc, double 
+     double scale, sox_bool dc_norm)
+ {
+   int i, m = num_taps - 1;
+-  double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++  double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+   double mult = scale / lsx_bessel_I_0(beta), mult1 = 1 / (.5 * m + rho);
+   assert(Fc >= 0 && Fc <= 1);
+   lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, 
Fc, beta, rho, dc_norm, scale);
++
++  if (!h)
++    return NULL;
+ 
+   for (i = 0; i <= m / 2; ++i) {
+     double z = i - .5 * m, x = z * M_PI, y = z * mult1;
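Review bot: The added `if (!h) return NULL;` makes NULL a possible return value of `lsx_make_lpf`, but nothing in this patch adjusts a caller to check it, so unless callers are audited the null dereference only moves one frame up. A comment on the return line would help the next reader: `/* calloc refuses absurd num_taps; callers must handle NULL (CVE-2019-8354/8357) */`. Note that `num_taps` is an `int` converted to `size_t` in `calloc`, so a negative count becomes a huge request that also lands in this branch. `lsx_make_lpf` continues past the end of the hunk.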
Index: audio/sox/patches/patch-src_fft4g_c
===================================================================
RCS file: audio/sox/patches/patch-src_fft4g_c
diff -N audio/sox/patches/patch-src_fft4g_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_fft4g_c 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,70 @@
+$OpenBSD$
+
+From b7883ae1398499daaa926ae6621f088f0f531ed8 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 16:56:42 +0100
+Subject: [PATCH] fft4g: bail if size too large (CVE-2019-8356)
+
+Index: src/fft4g.c
+--- src/fft4g.c.orig
++++ src/fft4g.c
+@@ -322,6 +322,9 @@ static void rftfsub(int n, double *a, int nc, double c
+ 
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     if (n > (ip[0] << 2)) {
+         makewt(n >> 2, ip, w);
+     }
+@@ -344,6 +347,9 @@ void rdft(int n, int isgn, double *a, int *ip, double 
+     int nw, nc;
+     double xi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -384,6 +390,9 @@ void ddct(int n, int isgn, double *a, int *ip, double 
+     int j, nw, nc;
+     double xr;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -435,6 +444,9 @@ void ddst(int n, int isgn, double *a, int *ip, double 
+     int j, nw, nc;
+     double xr;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -486,6 +498,9 @@ void dfct(int n, double *a, double *t, int *ip, double
+     int j, k, l, m, mh, nw, nc;
+     double xr, xi, yr, yi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 3)) {
+         nw = n >> 3;
+@@ -576,6 +591,9 @@ void dfst(int n, double *a, double *t, int *ip, double
+     int j, k, l, m, mh, nw, nc;
+     double xr, xi, yr, yi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 3)) {
+         nw = n >> 3;
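Review bot: The six new guards (`cdft`, `rdft`, `ddct`, `ddst`, `dfct`, `dfst`) return silently when `n > FFT4G_MAX_SIZE`, so a caller passing an oversize transform gets back an untouched `a` with no error indication; that is upstream's choice, but a comment on the first guard, `/* oversize request: leave the buffers untouched rather than overrun ip/w (CVE-2019-8356) */`, would stop a reader from mistaking it for dead code. The comparison is on a signed `int`, so a negative `n` is not rejected here; whether callers can produce one is not visible in the hunk. Each of the six functions continues past its hunk.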
Index: audio/sox/patches/patch-src_fft4g_h
===================================================================
RCS file: audio/sox/patches/patch-src_fft4g_h
diff -N audio/sox/patches/patch-src_fft4g_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_fft4g_h 3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+From b7883ae1398499daaa926ae6621f088f0f531ed8 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 16:56:42 +0100
+Subject: [PATCH] fft4g: bail if size too large (CVE-2019-8356)
+
+Index: src/fft4g.h
+--- src/fft4g.h.orig
++++ src/fft4g.h
+@@ -13,6 +13,8 @@
+  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+  */
+ 
++#define FFT4G_MAX_SIZE 262144
++
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+ void lsx_ddct(int, int, double *, int *, double *);
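Review bot: `#define FFT4G_MAX_SIZE 262144` is dropped into the header with no explanation of what it bounds or why that value was chosen. A one-line comment above it, `/* largest n accepted by the transforms below; larger requests return without touching the buffers (CVE-2019-8356) */`, would tie the constant to the guards added in patch-src_fft4g_c.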
Index: audio/sox/patches/patch-src_flac_c
===================================================================
RCS file: audio/sox/patches/patch-src_flac_c
diff -N audio/sox/patches/patch-src_flac_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_flac_c  3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+Index: src/flac.c
+--- src/flac.c.orig
++++ src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FLAC__StreamDeco
+     p->total_samples = metadata->data.stream_info.total_samples;
+   }
+   else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++    const FLAC__StreamMetadata_VorbisComment *vc = 
&metadata->data.vorbis_comment;
+     size_t i;
+ 
+-    if (metadata->data.vorbis_comment.num_comments == 0)
++    if (vc->num_comments == 0)
+       return;
+ 
+     if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FLAC__StreamDeco
+       return;
+     }
+ 
+-    for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+-      sox_append_comment(&ft->oob.comments, (char const *) 
metadata->data.vorbis_comment.comments[i].entry);
++    for (i = 0; i < vc->num_comments; ++i)
++      if (vc->comments[i].entry)
++        sox_append_comment(&ft->oob.comments, (char const *) 
vc->comments[i].entry);
+   }
+ }
+ 
Index: audio/sox/patches/patch-src_hcom_c
===================================================================
RCS file: audio/sox/patches/patch-src_hcom_c
diff -N audio/sox/patches/patch-src_hcom_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_hcom_c  3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,38 @@
+$OpenBSD$
+
+commit e410d00c4821726accfbe1f825f2def6376e181f
+from: Mans Rullgard <m...@mansr.com>
+date: Sun Apr 29 11:34:19 2018 UTC
+
+hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
+
+Index: src/hcom.c
+--- src/hcom.c.orig
++++ src/hcom.c
+@@ -73,6 +73,14 @@ typedef struct {
+   size_t pos;                /* Where next byte goes */
+ } priv_t;
+ 
++static int dictvalid(int n, int size, int left, int right)
++{
++        if (n > 0 && left < 0)
++                return 1;
++
++        return (unsigned)left < size && (unsigned)right < size;
++}
++
+ static int startread(sox_format_t * ft)
+ {
+         priv_t *p = (priv_t *) ft->priv;
+@@ -150,6 +158,11 @@ static int startread(sox_format_t * ft)
+                 lsx_debug("%d %d",
+                        p->dictionary[i].dict_leftson,
+                        p->dictionary[i].dict_rightson);
++                if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
++                               p->dictionary[i].dict_rightson)) {
++                        lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++                        return SOX_EOF;
++                }
+         }
+         rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+         if (rc)
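Review bot: In `dictvalid`, `(unsigned)left < size` compares an unsigned cast against the `int` parameter `size`, which is promoted to unsigned for the comparison; if `dictsize` (declared outside the hunk) could ever be negative, every index would pass the bound. Declaring the parameter as `unsigned size`, or the call site's `dictsize` as an unsigned type, makes the intent explicit: `static int dictvalid(int n, unsigned size, int left, int right)`. The patch header block (`commit …`/`from:`/`date:`) also deviates from the `From … Mon Sep 17 00:00:00 2001` format used by every other patch file in this diff. `startread` continues past the hunk.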
Index: audio/sox/patches/patch-src_wav_c
===================================================================
RCS file: audio/sox/patches/patch-src_wav_c
diff -N audio/sox/patches/patch-src_wav_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_wav_c   3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,98 @@
+$OpenBSD$
+
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+From 001c337552912d286ba68086ac378f6fdc1e8b50 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 8 Nov 2017 00:27:46 +0000
+Subject: [PATCH] adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+Index: src/wav.c
+--- src/wav.c.orig
++++ src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+     /* following used by *ADPCM wav files */
+     unsigned short nCoefs;          /* ADPCM: number of coef sets */
+     short         *lsx_ms_adpcm_i_coefs;          /* ADPCM: coef sets         
  */
++    void          *ms_adpcm_data;   /* Private data of adpcm decoder */
+     unsigned char *packet;          /* Temporary buffer for packets */
+     short         *samples;         /* interleaved samples buffer */
+     short         *samplePtr;       /* Pointer to current sample  */
+@@ -127,7 +128,7 @@ static unsigned short  ImaAdpcmReadBlock(sox_format_t 
+         /* work with partial blocks.  Specs say it should be null */
+         /* padded but I guess this is better than trailing quiet. */
+         samplesThisBlock = lsx_ima_samples_in((size_t)0, 
(size_t)ft->signal.channels, bytesRead, (size_t) 0);
+-        if (samplesThisBlock == 0)
++        if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+         {
+             lsx_warn("Premature EOF on .wav input file");
+             return 0;
+@@ -175,7 +176,7 @@ static unsigned short  AdpcmReadBlock(sox_format_t * f
+         }
+     }
+ 
+-    errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, 
wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++    errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, 
ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, 
wav->samples, samplesThisBlock);
+ 
+     if (errmsg)
+         lsx_warn("%s", errmsg);
+@@ -712,6 +713,11 @@ static int startread(sox_format_t * ft)
+     else
+         lsx_report("User options overriding channels read in .wav header");
+ 
++    if (ft->signal.channels == 0) {
++        lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++        return SOX_EOF;
++    }
++
+     if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+         ft->signal.rate = dwSamplesPerSecond;
+     else
+@@ -786,6 +792,7 @@ static int startread(sox_format_t * ft)
+ 
+         /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+         wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * 
sizeof(short));
++        wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+         {
+             int i, errct=0;
+             for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1211,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+     free(wav->packet);
+     free(wav->samples);
+     free(wav->lsx_ms_adpcm_i_coefs);
++    free(wav->ms_adpcm_data);
+     free(wav->comment);
+     wav->comment = NULL;
+ 
+@@ -1373,6 +1381,16 @@ static int wavwritehdr(sox_format_t * ft, int second_h
+     int bytespersample; /* (uncompressed) bytes per sample (per channel) */
+     long blocksWritten = 0;
+     sox_bool isExtensible = sox_false;    /* WAVE_FORMAT_EXTENSIBLE? */
++
++    if (ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
++     dwSamplesPerSecond = ft->signal.rate;
++     wChannels = ft->signal.channels;
++     wBitsPerSample = ft->encoding.bits_per_sample;
+ 
+     dwSamplesPerSecond = ft->signal.rate;
+     wChannels = ft->signal.channels;
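Review bot: The `wavwritehdr` hunk adds three assignments, `dwSamplesPerSecond = ft->signal.rate;`, `wChannels = ft->signal.channels;` and `wBitsPerSample = ft->encoding.bits_per_sample;` (indented with five spaces), immediately before the identical context lines that already perform them, so after the patch each assignment runs twice. The backport of 8b590b3a should add only the `UINT16_MAX` check and its trailing blank line, and the hunk header count then becomes `@@ -1373,6 +1381,13 @@`. Separately, `ms_adpcm_data` is sized from `wChannels` in `startread` but `lsx_ms_adpcm_block_expand_i` is called with `ft->signal.channels`; the context line `lsx_report("User options overriding channels read in .wav header")` suggests the two can differ, which is worth confirming since the decoder state is then indexed by the larger count. `wavwritehdr` continues past the hunk.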
Index: audio/sox/patches/patch-src_xa_c
===================================================================
RCS file: audio/sox/patches/patch-src_xa_c
diff -N audio/sox/patches/patch-src_xa_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xa_c    3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+From 09d7388c8ad5701ed9c59d1d600ff6154b066397 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Thu, 9 Nov 2017 11:45:10 +0000
+Subject: [PATCH] xa: validate channel count (CVE-2017-18189)
+
+Index: src/xa.c
+--- src/xa.c.orig
++++ src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+         lsx_report("User options overriding rate read in .xa header");
+     }
+ 
++    if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     /* Check for supported formats */
+     if (ft->encoding.bits_per_sample != 16) {
+         lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not 
supported.",
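Review bot: `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", ft->signal.channels)` prints the same `ft->signal.channels` field that patch-src_wav_c in this diff prints with `%u` (`"Too many channels (%u)"`), and the `> UINT16_MAX` comparison on the line above only makes sense for an unsigned field; a mismatched specifier is undefined behaviour under `-Wformat`. Change the format to `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %u",`. `startread` continues past the hunk.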
Index: audio/sox/patches/patch-src_xmalloc_c
===================================================================
RCS file: audio/sox/patches/patch-src_xmalloc_c
diff -N audio/sox/patches/patch-src_xmalloc_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xmalloc_c       3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,68 @@
+$OpenBSD$
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/xmalloc.c
+--- src/xmalloc.c.orig
++++ src/xmalloc.c
+@@ -20,6 +20,17 @@
+ #include "sox_i.h"
+ #include <stdlib.h>
+ 
++static void *lsx_checkptr(void *ptr)
++{
++  if (!ptr) {
++    lsx_fail("out of memory");
++    exit(2);
++  }
++
++  return ptr;
++}
++
++
+ /* Resize an allocated memory area; abort if not possible.
+  *
+  * For malloc, `If the size of the space requested is zero, the behavior is
+@@ -34,10 +45,30 @@ void *lsx_realloc(void *ptr, size_t newsize)
+     return NULL;
+   }
+ 
+-  if ((ptr = realloc(ptr, newsize)) == NULL) {
+-    lsx_fail("out of memory");
++  return lsx_checkptr(realloc(ptr, newsize));
++}
++
++void *lsx_malloc(size_t size)
++{
++  return lsx_checkptr(malloc(size + !size));
++}
++
++void *lsx_calloc(size_t n, size_t size)
++{
++  return lsx_checkptr(calloc(n + !n, size + !size));
++}
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++  if (n > (size_t)-1 / size) {
++    lsx_fail("malloc size overflow");
+     exit(2);
+   }
+ 
+-  return ptr;
++  return lsx_realloc(p, n * size);
++}
++ 
++char *lsx_strdup(const char *s)
++{
++  return lsx_checkptr(strdup(s));
+ }
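Review bot: `lsx_strdup` now calls `strdup(s)` unconditionally, whereas the macro it replaces in patch-src_xmalloc_h (`#define lsx_strdup(p) ((p)? … : NULL)`) returned NULL for a NULL argument, so any caller that relied on that now passes NULL to `strdup`. Unless every caller has been audited, keep the old contract with `return s ? lsx_checkptr(strdup(s)) : NULL;`. `lsx_realloc_array` divides by `size` before validating it, so a zero element size is a division by zero; the macros always pass a `sizeof`, but the export regex in patch-src_Makefile_am now makes the symbol public, so `if (size && n > (size_t)-1 / size)` is cheap insurance. Minor: the added line between `lsx_realloc_array` and `lsx_strdup` consists of a single space rather than being empty.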
Index: audio/sox/patches/patch-src_xmalloc_h
===================================================================
RCS file: audio/sox/patches/patch-src_xmalloc_h
diff -N audio/sox/patches/patch-src_xmalloc_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/sox/patches/patch-src_xmalloc_h       3 Jul 2021 22:27:09 -0000
@@ -0,0 +1,36 @@
+$OpenBSD$
+
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH] Clean up lsx_malloc() and friends
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <m...@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+Index: src/xmalloc.h
+--- src/xmalloc.h.orig
++++ src/xmalloc.h
+@@ -23,12 +23,14 @@
+ #include <stddef.h>
+ #include <string.h>
+ 
+-#define lsx_malloc(size) lsx_realloc(NULL, (size))
+-#define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : 
NULL)
++LSX_RETURN_VALID void *lsx_malloc(size_t size);
++LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
++LSX_RETURN_VALID char *lsx_strdup(const char *s);
++
+ #define lsx_Calloc(v,n)  v = lsx_calloc(n,sizeof(*(v)))
+-#define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : 
NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n)  v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n)  v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n)  v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n)  v = lsx_realloc_array(v, n, sizeof(*(v)))
+ 
+ #endif
Index: audio/sox/pkg/PLIST
===================================================================
RCS file: /cvs/ports/audio/sox/pkg/PLIST,v
retrieving revision 1.9
diff -u -p -u -p -r1.9 PLIST
--- audio/sox/pkg/PLIST 18 Mar 2015 13:13:08 -0000      1.9
+++ audio/sox/pkg/PLIST 3 Jul 2021 22:27:09 -0000
@@ -7,7 +7,7 @@ bin/rec
 @bin bin/sox
 bin/soxi
 include/sox.h
-lib/libsox.a
+@static-lib lib/libsox.a
 lib/libsox.la
 @lib lib/libsox.so.${LIBsox_VERSION}
 lib/pkgconfig/sox.pc
Index: devel/quirks/Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.1270
diff -u -p -u -p -r1.1270 Makefile
--- devel/quirks/Makefile       20 Jun 2021 22:53:50 -0000      1.1270
+++ devel/quirks/Makefile       3 Jul 2021 22:27:15 -0000
@@ -5,7 +5,7 @@ CATEGORIES =    devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME =      quirks-4.23
+PKGNAME =      quirks-4.24
 PKG_ARCH =     *
 MAINTAINER =   Marc Espie <es...@openbsd.org>
 
Index: devel/quirks/files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.1286
diff -u -p -u -p -r1.1286 Quirks.pm
--- devel/quirks/files/Quirks.pm        20 Jun 2021 22:53:50 -0000      1.1286
+++ devel/quirks/files/Quirks.pm        3 Jul 2021 22:27:15 -0000
@@ -1373,6 +1373,7 @@ my $cve = {
        'archivers/lz4' => 'lz4-<1.9.3p0',
        'archivers/p5-Archive-Zip' => 'p5-Archive-Zip-<1.64',
        'audio/flac' => 'flac-<1.3.0p1',
+       'audio/sox' => 'sox-<14.4.2p6',
        'databases/mariadb,-main' => 'mariadb-client-<10.3.22',
        'databases/mariadb,-server' => 'mariadb-server-<10.3.15',
        'databases/postgresql,-main' => 'postgresql-client-<10.6',
