On Dec 24 12:40:29, st...@openbsd.org wrote:
> This cherry picks a few input-validation fixes for a recent CVE
> from sox git (and a bonus division-by-0 fix from earlier); they will
> have a new release 14.4.2 soon anyway, but I think we'll want this
> for stable anyway.

Compiles and works fine for me on current amd64, i386 and armv7. Thanks!
I have another minor diff against 14.4.2rc2, will try to push it today.

        Jan


> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/audio/sox/Makefile,v
> retrieving revision 1.57
> diff -u -p -r1.57 Makefile
> --- Makefile  14 Oct 2014 15:56:59 -0000      1.57
> +++ Makefile  24 Dec 2014 12:37:52 -0000
> @@ -3,6 +3,7 @@
>  COMMENT=     Sound eXchange, the Swiss Army knife of audio manipulation
>  
>  DISTNAME=    sox-14.4.1
> +REVISION=    0
>  SHARED_LIBS +=       sox 3.0 # .2.1
>  
>  CATEGORIES=  audio
> Index: patches/patch-src_gain_c
> ===================================================================
> RCS file: patches/patch-src_gain_c
> diff -N patches/patch-src_gain_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_gain_c  24 Dec 2014 12:37:52 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +[1c3d52] prevent division by 0 when input signal is entirely non-negative,
> +non-positive, or both
> +
> +--- src/gain.c.orig  Wed Dec 24 12:32:38 2014
> ++++ src/gain.c       Wed Dec 24 12:32:53 2014
> +@@ -80,7 +80,9 @@ static int start(sox_effect_t * effp)
> +     if (!p->do_equalise && !p->do_balance && !p->do_balance_no_clip)
> +       effp->flows = 1; /* essentially a conditional SOX_EFF_MCHAN */
> +   }
> +-  p->mult = p->max = p->min = 0;
> ++  p->mult = 0;
> ++  p->max = 1;
> ++  p->min = -1;
> +   if (p->do_scan) {
> +     p->tmp_file = lsx_tmpfile();
> +     if (p->tmp_file == NULL) {
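
Review bot: the new seeds p->max = 1 and p->min = -1 are unexplained magic values, and the division they protect is not visible in this hunk. A short comment at the assignment would help, saying that both are kept non-zero because they are later used as divisors. Assuming the scan only ever widens the [min, max] range, these seeds also mean an all-zero or very quiet input is reported with a peak of 1 rather than its true value; if that matters, guarding the division itself would be the cleaner fix.
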
> Index: patches/patch-src_sphere_c
> ===================================================================
> RCS file: patches/patch-src_sphere_c
> diff -N patches/patch-src_sphere_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_sphere_c        24 Dec 2014 12:37:52 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +[7d3f38] Check for minimum size sphere headers
> +
> +--- src/sphere.c.orig        Wed Dec 24 12:31:33 2014
> ++++ src/sphere.c     Wed Dec 24 12:31:53 2014
> +@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft)
> + 
> +   /* Determine header size, and allocate a buffer large enough to hold it. 
> */
> +   sscanf(fldsval, "%lu", &header_size_ul);
> ++  if (header_size_ul < 16) {
> ++    lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
> ++    return (SOX_EOF);
> ++  }
> ++
> +   buf = lsx_malloc(header_size = header_size_ul);
> + 
> +   /* Skip what we have read so far */
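
Review bot: the added header_size_ul < 16 test checks only the lower bound, and the return value of the sscanf just above it is still ignored. If sscanf converts nothing, header_size_ul keeps whatever value it had before (its initialisation is not shown here), and an arbitrarily large value from the file goes straight into lsx_malloc(header_size = header_size_ul), where the assignment may also narrow depending on the type of header_size. Consider folding sscanf(...) != 1 into the same condition and adding a sane upper limit, plus a comment saying where the minimum of 16 comes from.
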
> Index: patches/patch-src_wav_c
> ===================================================================
> RCS file: patches/patch-src_wav_c
> diff -N patches/patch-src_wav_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_wav_c   24 Dec 2014 12:37:52 -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +
> +[f39c57] More checks for invalid MS ADPCM blocks.
> +
> +If block doesn't exacty match blockAlign then do not allow
> +number of samples in invalid size block to ever be more than
> +what WAV header defined as samplesPerBlock.
> +
> +--- src/wav.c.orig   Wed Dec 24 12:33:35 2014
> ++++ src/wav.c        Wed Dec 24 12:33:54 2014
> +@@ -166,7 +166,7 @@ static unsigned short  AdpcmReadBlock(sox_format_t * f
> +         /* work with partial blocks.  Specs say it should be null */
> +         /* padded but I guess this is better than trailing quiet. */
> +         samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, 
> (size_t)ft->signal.channels, bytesRead, (size_t)0);
> +-        if (samplesThisBlock == 0)
> ++        if (samplesThisBlock == 0 || samplesThisBlock > 
> wav->samplesPerBlock)
> +         {
> +             lsx_warn("Premature EOF on .wav input file");
> +             return 0;
> 
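
Review bot: with the added samplesThisBlock > wav->samplesPerBlock condition, an oversized block now produces the same "Premature EOF on .wav input file" warning as a genuinely short read, which will mislead anyone debugging a malformed file. A separate message for the invalid block size case would make the two distinguishable. Also note that this check sits on the partial-block path only (per the "work with partial blocks" comment), and that return 0 treats the malformed block as a quiet end of data rather than an error; confirm that is the intended behaviour for the caller.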

  • sox fixes Stuart Henderson
    • Re: sox fixes Jan Stary