There is an ongoing discussion on audio/sox on oss-security: https://marc.info/?l=oss-security&m=167546008232629&w=2
Steffen Nurpmeso ported the patches to apply against the commit we also use in our ports, that's what's included in the diff below. The patches look sensible to me although I haven't reviewed them thoroughly. It's probably a good idea to keep an eye on this discussion both for reviews of the patches and for possible developments of a new upstream repo containing them.
Index: Makefile
===================================================================
RCS file: /cvs/ports/audio/sox/Makefile,v
retrieving revision 1.74
diff -u -p -r1.74 Makefile
--- Makefile 11 Mar 2022 18:20:31 -0000 1.74
+++ Makefile 6 Feb 2023 21:39:18 -0000
@@ -5,6 +5,7 @@ V= 14.4.2pl20210509 GIT_V= 14.4.3git DISTNAME= sox-${V} SHARED_LIBS += sox 4.1 # 3.0 +REVISION = 0 CATEGORIES= audio HOMEPAGE= http://sox.sourceforge.net/
Index: patches/patch-src_aiff_c
===================================================================
RCS file: patches/patch-src_aiff_c
diff -N patches/patch-src_aiff_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_aiff_c 6 Feb 2023 21:38:58 -0000
@@ -0,0 +1,17 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/aiff.c
+--- src/aiff.c.orig
++++ src/aiff.c
+@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+ At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+ Sorry, the AIFF format does not provide for an indefinite
+ number of samples. */
++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++ {
++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++ return SOX_EOF;
++ }
+ return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+
Index: patches/patch-src_formats_c
===================================================================
RCS file: /cvs/ports/audio/sox/patches/patch-src_formats_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_formats_c
--- patches/patch-src_formats_c 11 Mar 2022 18:20:31 -0000 1.8
+++ patches/patch-src_formats_c 6 Feb 2023 21:38:58 -0000
@@ -1,3 +1,5 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
 Index: src/formats.c
 --- src/formats.c.orig
 +++ src/formats.c
@@ -19,3 +21,11 @@ Index: src/formats.c
 char * command = lsx_malloc(strlen(command_format) + strlen(identifier));
 sprintf(command, command_format, identifier);
 f = popen(command, POPEN_MODE);
+@@ -627,6 +627,7 @@ error:
+ free(ft->priv);
+ free(ft->filename);
+ free(ft->filetype);
++ sox_delete_comments(&ft->oob.comments);
+ free(ft);
+ return NULL;
+ }
Index: patches/patch-src_formats_i_c
===================================================================
RCS file: patches/patch-src_formats_i_c
diff -N patches/patch-src_formats_i_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_formats_i_c 6 Feb 2023 21:38:58 -0000
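Review bot: The new guard in lsx_aiffstartwrite computes `0x7f000000 / (ft->encoding.bits_per_sample >> 3)` before anything visible here has rejected a bits_per_sample below 8, and it does not reject `ft->signal.channels == 0`, so both zero-divisor cases of the existing `aiffwriteheader` argument survive the check; whether either value can reach this point depends on parameter checks earlier in the function, which lie outside the hunk and should be confirmed. A guard covering both would be `unsigned bytes = ft->encoding.bits_per_sample >> 3;` followed by `if (!bytes || !ft->signal.channels || ft->signal.channels >= 0x7f000000 / bytes)`. The other header checks added by this commit report through SOX_EHDR; passing SOX_EOF as the errno argument here is inconsistent with them.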
@@ -0,0 +1,42 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/formats_i.c
+--- src/formats_i.c.orig
++++ src/formats_i.c
+@@ -19,6 +19,7 @@
+ */
+
+ #include "sox_i.h"
++#include <limits.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <stdarg.h>
+@@ -60,13 +61,24 @@ int lsx_check_read_params(sox_format_t * ft, unsigned
+ if (ft->seekable)
+ ft->data_start = lsx_tell(ft);
+
+- if (channels && ft->signal.channels && ft->signal.channels != channels)
++ if (channels && ft->signal.channels && ft->signal.channels != channels) {
+ lsx_warn("`%s': overriding number of channels", ft->filename);
+- else ft->signal.channels = channels;
++ } else if (channels > SHRT_MAX) {
++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++ return SOX_EOF;
++ } else {
++ ft->signal.channels = channels;
++ }
+
+- if (rate && ft->signal.rate && ft->signal.rate != rate)
++ if (rate && ft->signal.rate && ft->signal.rate != rate) {
+ lsx_warn("`%s': overriding sample rate", ft->filename);
+- else ft->signal.rate = rate;
++ /* Since NaN comparisons yield false, the negation rejects them. */
++ } else if (!(rate > 0)) {
++ lsx_fail_errno(ft, EINVAL, "invalid rate value");
++ return SOX_EOF;
++ } else {
++ ft->signal.rate = rate;
++ }
+
+ if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+ lsx_warn("`%s': overriding encoding type", ft->filename);
Index: patches/patch-src_hcom_c
===================================================================
RCS file: patches/patch-src_hcom_c
diff -N patches/patch-src_hcom_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_hcom_c 6 Feb 2023 21:38:58 -0000
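Review bot: The new `} else if (!(rate > 0))` branch in lsx_check_read_params turns a `rate` argument of 0 into an EINVAL failure, whereas the replaced `else ft->signal.rate = rate;` accepted it; if any format reader passes 0 to mean "rate unknown, take what the user supplied" (the call sites are not visible here) that format can no longer be opened, so the callers are worth checking before this ships. The NaN comment sits inside the warning branch, above the `} else if` it explains; placing it on the line after `} else if (!(rate > 0)) {` would read better. `SHRT_MAX` is a plausibility bound rather than a format limit, and a one-line comment saying so would keep a future reader from treating it as one. lsx_check_read_params begins and ends outside the hunk.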
@@ -0,0 +1,57 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/hcom.c
+--- src/hcom.c.orig
++++ src/hcom.c
+@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+ lsx_readw(ft, &dictsize);
++ if (dictsize == 0 || dictsize > 511)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++ return SOX_EOF;
++ }
+
+ /* Translate to sox parameters */
+ ft->encoding.encoding = SOX_ENCODING_HCOM;
+@@ -161,13 +166,18 @@ static int startread(sox_format_t * ft)
+ p->dictionary[i].dict_rightson);
+ if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson)) {
++ free(p->dictionary);
++ p->dictionary = NULL;
+ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
+ return SOX_EOF;
+ }
+ }
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+- if (rc)
++ if (rc) {
++ free(p->dictionary);
++ p->dictionary = NULL;
+ return rc;
++ }
+
+ /* Initialized the decompression engine */
+ p->checksum = checksum;
+@@ -249,6 +259,9 @@ static int stopread(sox_format_t * ft)
+ {
+ register priv_t *p = (priv_t *) ft->priv;
+
++ free(p->dictionary);
++ p->dictionary = NULL;
++
+ if (p->huffcount != 0)
+ {
+ lsx_fail_errno(ft,SOX_EFMT,"not all HCOM data read");
+@@ -259,8 +272,7 @@ static int stopread(sox_format_t * ft)
+ lsx_fail_errno(ft,SOX_EFMT,"checksum error in HCOM data");
+ return (SOX_EOF);
+ }
+- free(p->dictionary);
+- p->dictionary = NULL;
++
+ return (SOX_SUCCESS);
+ }
+
Index: patches/patch-src_sphere_c
===================================================================
RCS file: patches/patch-src_sphere_c
diff -N patches/patch-src_sphere_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sphere_c 6 Feb 2023 21:38:58 -0000
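Review bot: The two new free sites in startread cover the dictvalid and lsx_skipbytes failures, but any error return between `p->checksum = checksum;` and the end of startread lies outside the hunk and, if one exists, would still leave `p->dictionary` allocated, since the formats.c change in this same commit suggests sox frees the handle without calling stopread when startread fails; worth confirming on the full function. The pair `free(p->dictionary); p->dictionary = NULL;` now appears three times; a small `static void free_dictionary(priv_t *p)` would keep future error paths from forgetting it. The `dictsize > 511` bound is not explained; a comment on that line stating where 511 comes from would help the next reader.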
@@ -0,0 +1,25 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/sphere.c
+--- src/sphere.c.orig
++++ src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+
+ while (strncmp(buf, "end_head", (size_t)8) != 0) {
+ if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ }
+
+ if (!bytes_per_sample)
Index: patches/patch-src_voc_c
===================================================================
RCS file: patches/patch-src_voc_c
diff -N patches/patch-src_voc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_voc_c 6 Feb 2023 21:38:58 -0000
@@ -0,0 +1,16 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/voc.c
+--- src/voc.c.orig
++++ src/voc.c
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
+ v->rate = new_rate_32;
+ ft->signal.rate = new_rate_32;
+ lsx_readb(ft, &uc);
++ if (uc <= 1) {
++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++ return (SOX_EOF);
++ }
+ v->size = uc;
+ lsx_readb(ft, &uc);
+ if (v->channels != -1 && uc != v->channels) {
Index: patches/patch-src_wav_c
===================================================================
RCS file: patches/patch-src_wav_c
diff -N patches/patch-src_wav_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_wav_c 6 Feb 2023 21:38:58 -0000
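Review bot: Both hunks in start_read assign `bytes_read` without declaring it, so they depend on a declaration earlier in the function that lies outside the hunk; confirm it exists and has an unsigned type comparable with `header_size`, otherwise the `>=` test mixes signedness. The clamp now lets `header_size` reach 0 while the `while (strncmp(buf, "end_head", (size_t)8) != 0)` loop has not yet seen end_head; whether the loop stops on a zero header_size is decided outside the hunk and should be checked, because a truncated header would otherwise keep consuming lines beyond the declared header length. The identical clamp appears twice; a one-line static helper would keep the two in step.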
@@ -0,0 +1,18 @@
+https://marc.info/?l=oss-security&m=167571683504082&w=2
+
+Index: src/wav.c
+--- src/wav.c.orig
++++ src/wav.c
+@@ -654,6 +654,12 @@ static int wav_read_fmt(sox_format_t *ft, uint32_t len
+ if (err)
+ return SOX_EOF;
+
++ if (wav->bitsPerSample == 0)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++ return SOX_EOF;
++ }
++
+ /* non-PCM formats except alaw and mulaw formats have extended fmt chunk.
+ * Check for those cases.
+ */
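Review bot: The new check in wav_read_fmt rejects only `wav->bitsPerSample == 0`; if any later code derives the byte width with `bitsPerSample >> 3` rather than rounding up (not visible in the hunk), values 1 through 7 still produce a zero divisor, so confirm how the byte width is derived downstream — a blanket `< 8` rejection is not the answer, since ADPCM variants legitimately carry small values here. A short comment on the added check, such as `/* later size arithmetic divides by this */`, would record why the zero case is fatal. wav_read_fmt begins and ends outside the hunk.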