Dear ports@,

I noticed that two heap overflow bugs in audio/libsndfile have remained unfixed for about a year now, and there is still no new upstream release available that contains the fixes.

I attached the diffs from upstream.

mbuhl

Index: audio/libsndfile/Makefile
===================================================================
RCS file: /cvs/ports/audio/libsndfile/Makefile,v
retrieving revision 1.37
diff -u -p -r1.37 Makefile
--- audio/libsndfile/Makefile   24 Apr 2021 06:17:13 -0000      1.37
+++ audio/libsndfile/Makefile   9 Mar 2022 08:28:54 -0000
@@ -8,6 +8,7 @@ CATEGORIES=     audio
 GH_ACCOUNT=    libsndfile
 GH_PROJECT=    libsndfile
 GH_TAGNAME=    ${VER}
+REVISION=      0
 
 HOMEPAGE=      https://github.com/libsndfile/libsndfile/
 
Index: audio/libsndfile/patches/patch-src_flac_c
===================================================================
RCS file: audio/libsndfile/patches/patch-src_flac_c
diff -N audio/libsndfile/patches/patch-src_flac_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/libsndfile/patches/patch-src_flac_c   9 Mar 2022 08:28:54 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Fix heap overflow:
+https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc
+https://github.com/libsndfile/libsndfile/issues/731
+
+Index: src/flac.c
+--- src/flac.c.orig
++++ src/flac.c
+@@ -948,7 +948,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+       /* Decode some more. */
+       while (pflac->pos < pflac->len)
+       {       if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
++              {       psf_log_printf (psf, 
"FLAC__stream_decoder_process_single returned false\n") ;
++                      /* Current frame is busted, so NULL the pointer. */
++                      pflac->frame = NULL ;
+                       break ;
++                      } ;
+               state = FLAC__stream_decoder_get_state (pflac->fsd) ;
+               if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
+               {       psf_log_printf (psf, "FLAC__stream_decoder_get_state 
returned %s\n", FLAC__StreamDecoderStateString [state]) ;
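Review bot: The fix relies on every later reader of `pflac->frame` tolerating the `pflac->frame = NULL ;` set before the `break`; the code that consumes `pflac->frame` after this loop is outside the hunk, so since the upstream commit is being applied to the port's older tree, it is worth confirming that version already has the corresponding NULL checks. Unlike the two CVE-2021-3246 patches in this mail, the patch header cites only the upstream issue and commit; if a CVE was assigned for issue #731 it should be listed in the same format so package consumers can track the fix. As rendered in the mail body the two `psf_log_printf` lines are wrapped (the line ending `psf_log_printf (psf, ` continues on the next physical line), so the patch must be applied from the attachment, not cut from the body. The enclosing flac_read_loop continues outside the hunk.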
Index: audio/libsndfile/patches/patch-src_ms_adpcm_c
===================================================================
RCS file: audio/libsndfile/patches/patch-src_ms_adpcm_c
diff -N audio/libsndfile/patches/patch-src_ms_adpcm_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/libsndfile/patches/patch-src_ms_adpcm_c       9 Mar 2022 08:28:54 
-0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2021-3246:
+https://security-tracker.debian.org/tracker/CVE-2021-3246
+https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
+
+Index: src/ms_adpcm.c
+--- src/ms_adpcm.c.orig
++++ src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init      (SF_PRIVATE *psf, int 
blockalign,
+       if (psf->file.mode == SFM_WRITE)
+               samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / 
psf->sf.channels ;
+ 
+-      if (blockalign < 7 * psf->sf.channels)
+-      {       psf_log_printf (psf, "*** Error blockalign (%d) should be > 
%d.\n", blockalign, 7 * psf->sf.channels) ;
++      /* There's 7 samples per channel in the preamble of each block */
++      if (samplesperblock < 7 * psf->sf.channels)
++      {       psf_log_printf (psf, "*** Error samplesperblock (%d) should be 
>= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++              return SFE_INTERNAL ;
++              } ;
++
++      if (2 * blockalign < samplesperblock * psf->sf.channels)
++      {       psf_log_printf (psf, "*** Error blockalign (%d) should be >= 
%d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+               return SFE_INTERNAL ;
+               } ;
+ 
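Review bot: Dropping the `blockalign < 7 * psf->sf.channels` check is not fully implied by the two new conditions: with one channel, samplesperblock = 7 and blockalign = 6, the first check passes (7 >= 7) and the second passes (12 >= 7), yet the block is shorter than the 7-byte-per-channel preamble the comment describes, which the old check rejected. Whether that case is still reachable and harmful depends on how the decode path, outside this hunk, reads the preamble, so keeping the old check alongside the new ones (`if (blockalign < 7 * psf->sf.channels)` with its existing log line and `return SFE_INTERNAL ;`) is cheap insurance unless the later code is known to handle it. Separately, the second log message prints `samplesperblock * psf->sf.channels / 2` as the minimum while the condition is `2 * blockalign < samplesperblock * psf->sf.channels`; for odd products the printed bound is one too low, and `(samplesperblock * psf->sf.channels + 1) / 2` would match the test. Since the port carries the upstream commit verbatim, both points are better raised upstream than diverged locally. The enclosing wavlike_msadpcm_init continues outside the hunk.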
Index: audio/libsndfile/patches/patch-src_wavlike_c
===================================================================
RCS file: audio/libsndfile/patches/patch-src_wavlike_c
diff -N audio/libsndfile/patches/patch-src_wavlike_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ audio/libsndfile/patches/patch-src_wavlike_c        9 Mar 2022 08:28:54 
-0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+CVE-2021-3246:
+https://security-tracker.debian.org/tracker/CVE-2021-3246
+https://github.com/libsndfile/libsndfile/commit/a9815b3f228df00086e0a40bcc43162fc19896a1
+
+Index: src/wavlike.c
+--- src/wavlike.c.orig
++++ src/wavlike.c
+@@ -830,7 +830,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf, uint32_t chu
+               return 0 ;
+               } ;
+ 
+-      if (chunksize >= sizeof (SF_CART_INFO_16K))
++      /*
++      **      SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't 
part
++      **      of the chunk, so don't include it in the size check.
++      */
++      if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+       {       psf_log_printf (psf, "cart : %u too big to be handled\n", 
chunksize) ;
+               psf_binheader_readf (psf, "j", chunksize) ;
+               return 0 ;
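Review bot: The `- 4` in `if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)` hard-codes the width of the `tag_text_size` field that the comment above it describes; writing it as `sizeof (SF_CART_INFO_16K) - sizeof (uint32_t)` (assuming tag_text_size is declared uint32_t in sndfile.h, which should be confirmed) or a named constant keeps the check tied to the struct definition instead of a literal. The check only bounds the upper end of chunksize; the lower-bound handling and the copy into the struct are outside the hunk, so the rest of wavlike_read_cart_chunk in the ported version should be compared against upstream commit a9815b3f to make sure nothing else from that commit is needed. Upstream-sourced patches are normally kept verbatim, so the first point is one for upstream rather than a local change. The enclosing wavlike_read_cart_chunk continues outside the hunk.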
