I have committed this.

Jan, do you want to stay listed as maintainer?



On 2022/03/29 08:46, Stuart Henderson wrote:
> CC'ing MAINTAINER, any comments?
> 
> On 2022/03/28 23:54, Brad Smith wrote:
> > On Thu, Mar 17, 2022 at 01:40:12AM -0400, Brad Smith wrote:
> > > Here is an update to libsndfile 1.1.0beta2, plus two other fixes since
> > > the release.
> > > 
> > > There are more security related bug fixes that have gone in between
> > > 1.0.31 and 1.1.0. I usually don't push beta releases but their release
> > > cycle is super slow due to lack of manpower, but I think an update to
> > > this release is worth it for the rollup of security fixes.
> > > 
> > > 
> > > ### Added
> > > 
> > > * MPEG Encode/Decode Support.
> > > 
> > >   Uses libmpg123 for decode, liblame for encode. Encoding and decoding
> > >   support is independent of each other and is split into separate files.
> > >   MPEG support is generalized as subformats,
> > >   `SF_FORMAT_MPEG_LAYER`(I,II,III) so that it might be used by other
> > >   containers (`MPEG1WAVEFORMAT` for example), but also contains a major
> > >   format `SF_FORMAT_MPEG` for 'mp3 files.'
> > > 
> > >   Encoding Status:
> > >   * Layer III encoding
> > >   * ID3v1 writing
> > >   * ID3v2 writing
> > >   * Lame/Xing Tag writing
> > >   * Bitrate selection command
> > >   * VBR or CBR
> > >   
> > >   Decoding Status:
> > >   * Layers I/II/III decoding
> > >   * ID3v1 reading
> > >   * ID3v2 reading
> > >   * Seeking
> > > * New fuzzer for OSS-Fuzz, thanks @DavidKorczynski.
> > > * This `CHANGELOG.md`. All notable changes to this project will be
> > >   documented in this file. The old `NEWS` file has been renamed to
> > >   `NEWS.OLD` and is no longer updated.
> > > * Add support for decoding MPEG III Audio in WAV files.
> > > * `SECURITY.md` file to give people instructions for reporting security
> > >   vulnerabilities, thanks @zidingz.
> > > * Support for
> > >   [Vcpkg manifest mode](https://vcpkg.readthedocs.io/en/latest/users/manifests/).
> > > 
> > >   If you have problems with manifest mode, disable it with
> > >   `VCPKG_MANIFEST_MODE` switch.
> > > 
> > > ### Changed
> > > 
> > > * `SFC_SET_DITHER_ON_READ` and `SFC_SET_DITHER_ON_WRITE` enums comments in
> > >   public header, thanks @SmiVan (issue #677).
> > > * `ENABLE_SNDFILE_WINDOWS_PROTOTYPES` define is deprecated and not needed
> > >   anymore.
> > > 
> > >   Previously, in order for the
> > >   [`sf_wchar_open`()](http://libsndfile.github.io/libsndfile/api.html#open)
> > >   function to become available on the Windows platform, it was required
> > >   to perform certain actions:
> > > 
> > >   ```c
> > >   #include <windows.h>
> > >   #define ENABLE_SNDFILE_WINDOWS_PROTOTYPES 1
> > >   #include <sndfile.h>
> > >   ```
> > > 
> > >   These steps are no longer required and the `sf_wchar_open`() function is
> > >   always available on the Windows platform.
> > > * Use UTF-8 as internal path encoding on Windows platform.
> > > 
> > >   This is an internal change to unify and simplify the handling of file
> > >   paths.
> > > 
> > >   On the Windows platform, the file path is always converted to UTF-8 and
> > >   converted to UTF-16 only for calls to WinAPI functions.
> > > 
> > >   The behavior of the functions for opening files on other platforms does
> > >   not change.
> > > * Switch to .xz over .bz2 for release tarballs.
> > > * Disable static builds using Autotools by default. If you want static
> > >   libraries, pass --enable-static to ./configure
> > > 
> > > ### Fixed
> > > 
> > > * Typo in `docs/index.md`.
> > > * Typo in `programs/sndfile-convert.c`, thanks @fjl.
> > > * Memory leak in `caf_read_header`(), credit to OSS-Fuzz
> > >   ([issue 30375](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30375)).
> > > * Stack overflow in `guess_file_type`(), thanks @bobsayshilol, credit to
> > >   OSS-Fuzz
> > >   ([issue 29339](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29339)).
> > > * Abort in fuzzer, thanks @bobsayshilol, credit to OSS-Fuzz
> > >   ([issue 26257](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26257)).
> > > * Infinite loop in `svx_read_header`(), thanks @bobsayshilol, credit to
> > >   OSS-Fuzz
> > >   ([issue 25442](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25442)).
> > > * GCC and Clang pedantic warnings, thanks @bobsayshilol.
> > > * Normalisation issue when scaling floating point data to `int` in
> > >   `replace_read_f2i`(), thanks @bobsayshilol, (issue #702).
> > > * Missing samples when doing a partial read of Ogg file from index till
> > >   the end of file, thanks @arthurt (issue #643).
> > > * sndfile-salvage: Handle files > 4 GB on Windows OS
> > > * Undefined shift in `dyn_get_32bit`(), credit to OSS-Fuzz
> > >   ([issue 27366](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27366)).
> > > * Integer overflow in `nms_adpcm_update`(), credit to OSS-Fuzz
> > >   ([issue 25522](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25522)).
> > > * Integer overflow in `psf_log_printf`(), credit to OSS-Fuzz
> > >   ([issue 28441](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28441)),
> > >   ([issue 25624](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25624)).
> > > * ABI version incompatibility between Autotools and CMake build on Apple
> > >   platforms.
> > > 
> > >   Now ABI must be compatible with Autotools builds. Note that this change
> > >   requires CMake >= 3.17 for building dylib on Apple platforms.
> > > 
> > > * Fix build with Autotools + MinGW toolchain on Windows platform.
> > > 
> > >   See https://github.com/msys2/MINGW-packages/issues/5803 for details.
> > > 
> > > ### Security
> > > 
> > > * Heap buffer overflow in `wavlike_ima_decode_block`(), thanks
> > >   @bobsayshilol, credit to OSS-Fuzz
> > >   ([issue 25530](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25530)).
> > > * Heap buffer overflow in `msadpcm_decode_block`(), thanks @bobsayshilol,
> > >   credit to OSS-Fuzz
> > >   ([issue 26803](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803)).
> > > * Heap buffer overflow in `psf_binheader_readf`(), thanks @bobsayshilol,
> > >   credit to OSS-Fuzz
> > >   ([issue 26026](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026)).
> > > * Index out of bounds in `psf_nms_adpcm_decode_block`(), credit to
> > >   OSS-Fuzz
> > >   ([issue 25561](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25561)).
> > > * Heap buffer overflow in `flac_buffer_copy`(), thanks @yuawn,
> > >   @bobsayshilol.
> > > * Heap buffer overflow in `copyPredictorTo24`(), thanks @bobsayshilol,
> > >   credit to OSS-Fuzz
> > >   ([issue 27503](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27503)).
> > > * Uninitialized variable in `psf_binheader_readf`(), thanks @shao-hua-li,
> > >   credit to OSS-Fuzz
> > >   ([issue 25364](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25364)).
> > 
> > And a final release was made a few days after I posted this with one small
> > commit for compiler warnings flag handling.
> > 
> 
> Index: Makefile
> ===================================================================
> RCS file: /home/cvs/ports/audio/libsndfile/Makefile,v
> retrieving revision 1.40
> diff -u -p -u -p -r1.40 Makefile
> --- Makefile  16 Mar 2022 19:21:14 -0000      1.40
> +++ Makefile  29 Mar 2022 03:39:26 -0000
> @@ -1,14 +1,11 @@
>  COMMENT=     library to handle various audio file formats
>  
> -VER=         1.0.31
> -DISTNAME=    libsndfile-${VER}
> -CATEGORIES=  audio
>  GH_ACCOUNT=  libsndfile
>  GH_PROJECT=  libsndfile
> -GH_TAGNAME=  ${VER}
> -REVISION=    1
> +GH_TAGNAME=  1.1.0
> +CATEGORIES=  audio
>  
> -HOMEPAGE=    https://github.com/libsndfile/libsndfile/
> +HOMEPAGE=    https://libsndfile.github.io/libsndfile/
>  
>  MAINTAINER=  Jan Stary <h...@stare.cz>
>  
> @@ -17,7 +14,7 @@ SHARED_LIBS +=      sndfile              7.0 
>  # LGPLv2.1
>  PERMIT_PACKAGE=      Yes
>  
> -WANTLIB=     c m sndio FLAC ogg opus vorbis vorbisenc
> +WANTLIB=     FLAC c m mp3lame mpg123 ogg opus sndio vorbis vorbisenc
>  
>  MODULES=     devel/cmake \
>               lang/python
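
Review bot: SHARED_LIBS for sndfile stays at 7.0 (visible in this hunk's header context) while the update adds MPEG encode/decode support and pulls mp3lame and mpg123 into WANTLIB. Please confirm the exported symbols of the new library were compared against 1.0.31 and state the result in the commit message; if any functions were added, the minor version needs a bump in the same commit.
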
> @@ -29,8 +26,12 @@ CONFIGURE_ARGS=    -DBUILD_SHARED_LIBS:BOOL
>               -DCMAKE_DISABLE_FIND_PACKAGE_SQLite3:BOOL=True
>  
>  LIB_DEPENDS= audio/flac \
> +             audio/lame \
>               audio/libogg \
>               audio/libvorbis \
> +             audio/mpg123 \
>               audio/opus
> +
> +NO_TEST=     Yes
>  
>  .include <bsd.port.mk>
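
Review bot: `NO_TEST= Yes` near the end of this hunk is added with no comment saying why the test suite is switched off. The update is justified by a rollup of memory-safety fixes in a library that parses untrusted files, and it adds two new codec dependencies, so upstream's tests are worth running here. Either add a one-line comment explaining what prevents them from running under the devel/cmake build, or leave the tests enabled.
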
> Index: distinfo
> ===================================================================
> RCS file: /home/cvs/ports/audio/libsndfile/distinfo,v
> retrieving revision 1.19
> diff -u -p -u -p -r1.19 distinfo
> --- distinfo  24 Apr 2021 06:17:13 -0000      1.19
> +++ distinfo  29 Mar 2022 03:39:51 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (libsndfile-1.0.31.tar.gz) = 
> jN7grLBrsKPBpspSRXVkPfix86VaCJO03Z+CnQgmN4U=
> -SIZE (libsndfile-1.0.31.tar.gz) = 662584
> +SHA256 (libsndfile-1.1.0.tar.gz) = 
> ZCqHa9YbY/k0ZijbpfigNWo611DH9vQgGdJs5gumoVs=
> +SIZE (libsndfile-1.1.0.tar.gz) = 684409
> Index: patches/patch-src_caf_c
> ===================================================================
> RCS file: patches/patch-src_caf_c
> diff -N patches/patch-src_caf_c
> --- patches/patch-src_caf_c   11 Mar 2022 18:20:16 -0000      1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,17 +0,0 @@
> -Fix memory leak in caf_read_header().
> -
> -Index: src/caf.c
> ---- src/caf.c.orig
> -+++ src/caf.c
> -@@ -416,6 +416,11 @@ caf_read_header (SF_PRIVATE *psf)
> -                                     return SFE_CAF_BAD_PEAK ;
> -                                     } ;
> - 
> -+                            if (psf->peak_info)
> -+                            {       psf_log_printf (psf, "*** Found 
> existing peak info, using last one.\n") ;
> -+                                    free (psf->peak_info) ;
> -+                                    psf->peak_info = NULL ;
> -+                                    } ;
> -                             if ((psf->peak_info = peak_info_calloc 
> (psf->sf.channels)) == NULL)
> -                                     return SFE_MALLOC_FAILED ;
> - 
> Index: patches/patch-src_flac_c
> ===================================================================
> RCS file: patches/patch-src_flac_c
> diff -N patches/patch-src_flac_c
> --- patches/patch-src_flac_c  16 Mar 2022 19:09:59 -0000      1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,19 +0,0 @@
> -Fix heap overflow:
> -https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc
> -https://github.com/libsndfile/libsndfile/issues/731
> -
> -Index: src/flac.c
> ---- src/flac.c.orig
> -+++ src/flac.c
> -@@ -948,7 +948,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
> -     /* Decode some more. */
> -     while (pflac->pos < pflac->len)
> -     {       if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
> -+            {       psf_log_printf (psf, 
> "FLAC__stream_decoder_process_single returned false\n") ;
> -+                    /* Current frame is busted, so NULL the pointer. */
> -+                    pflac->frame = NULL ;
> -                     break ;
> -+                    } ;
> -             state = FLAC__stream_decoder_get_state (pflac->fsd) ;
> -             if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
> -             {       psf_log_printf (psf, "FLAC__stream_decoder_get_state 
> returned %s\n", FLAC__StreamDecoderStateString [state]) ;
> Index: patches/patch-src_ima_adpcm_c
> ===================================================================
> RCS file: patches/patch-src_ima_adpcm_c
> diff -N patches/patch-src_ima_adpcm_c
> --- patches/patch-src_ima_adpcm_c     11 Mar 2022 18:20:16 -0000      1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,19 +0,0 @@
> -Make sure that there's enough space to store decoded nibbles in when reading 
> IMA ADPCM data.
> -
> -Index: src/ima_adpcm.c
> ---- src/ima_adpcm.c.orig
> -+++ src/ima_adpcm.c
> -@@ -182,7 +182,12 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int 
> -     if (psf->file.mode != SFM_READ)
> -             return SFE_BAD_MODE_RW ;
> - 
> --    pimasize = sizeof (IMA_ADPCM_PRIVATE) + blockalign * psf->sf.channels + 
> 3 * psf->sf.channels * samplesperblock ;
> -+    /*
> -+    **      Allocate enough space for 1 more than a multiple of 8 samples
> -+    **      to avoid having to branch when pulling apart the nibbles.
> -+    */
> -+    count = ((samplesperblock - 2) | 7) + 2 ;
> -+    pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign 
> + samplesperblock + sizeof(short) * count) ;
> - 
> -     if (! (pima = calloc (1, pimasize)))
> -             return SFE_MALLOC_FAILED ;
> Index: patches/patch-src_ms_adpcm_c
> ===================================================================
> RCS file: patches/patch-src_ms_adpcm_c
> diff -N patches/patch-src_ms_adpcm_c
> --- patches/patch-src_ms_adpcm_c      16 Mar 2022 19:09:59 -0000      1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,24 +0,0 @@
> -CVE-2021-3246:
> -https://security-tracker.debian.org/tracker/CVE-2021-3246
> -https://github.com/libsndfile/libsndfile/commit/deb669ee8be55a94565f6f8a6b60890c2e7c6f32
> -
> -Index: src/ms_adpcm.c
> ---- src/ms_adpcm.c.orig
> -+++ src/ms_adpcm.c
> -@@ -128,8 +128,14 @@ wavlike_msadpcm_init    (SF_PRIVATE *psf, int 
> blockalign,
> -     if (psf->file.mode == SFM_WRITE)
> -             samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / 
> psf->sf.channels ;
> - 
> --    if (blockalign < 7 * psf->sf.channels)
> --    {       psf_log_printf (psf, "*** Error blockalign (%d) should be > 
> %d.\n", blockalign, 7 * psf->sf.channels) ;
> -+    /* There's 7 samples per channel in the preamble of each block */
> -+    if (samplesperblock < 7 * psf->sf.channels)
> -+    {       psf_log_printf (psf, "*** Error samplesperblock (%d) should be 
> >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
> -+            return SFE_INTERNAL ;
> -+            } ;
> -+
> -+    if (2 * blockalign < samplesperblock * psf->sf.channels)
> -+    {       psf_log_printf (psf, "*** Error blockalign (%d) should be >= 
> %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
> -             return SFE_INTERNAL ;
> -             } ;
> - 
> Index: patches/patch-src_sndfile_c
> ===================================================================
> RCS file: patches/patch-src_sndfile_c
> diff -N patches/patch-src_sndfile_c
> --- patches/patch-src_sndfile_c       11 Mar 2022 18:20:16 -0000      1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,22 +0,0 @@
> -Jump back to the start of guess_file_type() rather than recursing into it.
> -
> -Index: src/sndfile.c
> ---- src/sndfile.c.orig
> -+++ src/sndfile.c
> -@@ -2680,6 +2680,7 @@ static int
> - guess_file_type (SF_PRIVATE *psf)
> - {   uint32_t buffer [3], format ;
> - 
> -+retry:
> -     if (psf_binheader_readf (psf, "b", &buffer, SIGNED_SIZEOF (buffer)) != 
> SIGNED_SIZEOF (buffer))
> -     {       psf->error = SFE_BAD_FILE_READ ;
> -             return 0 ;
> -@@ -2780,7 +2781,7 @@ guess_file_type (SF_PRIVATE *psf)
> -                     || buffer [0] == MAKE_MARKER ('I', 'D', '3', 4))
> -     {       psf_log_printf (psf, "Found 'ID3' marker.\n") ;
> -             if (id3_skip (psf))
> --                    return guess_file_type (psf) ;
> -+                    goto retry ;
> -             return 0 ;
> -             } ;
> - 
> Index: patches/patch-src_svx_c
> ===================================================================
> RCS file: patches/patch-src_svx_c
> diff -N patches/patch-src_svx_c
> --- patches/patch-src_svx_c   11 Mar 2022 18:20:16 -0000      1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -Jump forwards to the next 4 byte aligned offset rather than always jumping 
> backwards by 3 bytes.
> -
> -Index: src/svx.c
> ---- src/svx.c.orig
> -+++ src/svx.c
> -@@ -307,7 +307,8 @@ svx_read_header  (SF_PRIVATE *psf)
> -                                     if ((chunk_size = psf_ftell (psf)) & 
> 0x03)
> -                                     {       psf_log_printf (psf, "  Unknown 
> chunk marker at position %d. Resynching.\n", chunk_size - 4) ;
> - 
> --                                            psf_binheader_readf (psf, "j", 
> -3) ;
> -+                                            chunk_size = chunk_size & 3 ;
> -+                                            psf_binheader_readf (psf, "j", 
> 4 - chunk_size) ;
> -                                             break ;
> -                                             } ;
> -                                     psf_log_printf (psf, "*** Unknown chunk 
> marker (%X) at position %D. Exiting parser.\n", marker, psf_ftell (psf) - 8) ;
> Index: patches/patch-src_wavlike_c
> ===================================================================
> RCS file: patches/patch-src_wavlike_c
> diff -N patches/patch-src_wavlike_c
> --- patches/patch-src_wavlike_c       16 Mar 2022 19:09:59 -0000      1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,20 +0,0 @@
> -CVE-2021-3246:
> -https://security-tracker.debian.org/tracker/CVE-2021-3246
> -https://github.com/libsndfile/libsndfile/commit/a9815b3f228df00086e0a40bcc43162fc19896a1
> -
> -Index: src/wavlike.c
> ---- src/wavlike.c.orig
> -+++ src/wavlike.c
> -@@ -830,7 +830,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf, uint32_t chu
> -             return 0 ;
> -             } ;
> - 
> --    if (chunksize >= sizeof (SF_CART_INFO_16K))
> -+    /*
> -+    **      SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't 
> part
> -+    **      of the chunk, so don't include it in the size check.
> -+    */
> -+    if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
> -     {       psf_log_printf (psf, "cart : %u too big to be handled\n", 
> chunksize) ;
> -             psf_binheader_readf (psf, "j", chunksize) ;
> -             return 0 ;
> 
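
Review bot: this deletion drops the local `wavlike_read_cart_chunk` size check tagged CVE-2021-3246, but the 1.1.0 changelog quoted earlier in the thread names only `msadpcm_decode_block` and has no entry for the cart chunk. Before removing the patch, confirm that commit a9815b3f228df00086e0a40bcc43162fc19896a1 is contained in the 1.1.0 tag (the `sizeof (SF_CART_INFO_16K) - 4` comparison should be present in the extracted src/wavlike.c), and say in the commit message that the CVE-2021-3246 patches are now upstream.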
