Control: tags 987168 + patch
Control: tags 987168 + pending

Dear maintainer,
I've prepared an NMU for fluidsynth (versioned as 2.1.7-1.1) and uploaded it to DELAYED/3. Please feel free to tell me if I should delay it longer. Regards, Reiner
diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
--- fluidsynth-2.1.7/debian/changelog 2021-02-09 21:43:23.000000000 +0100
+++ fluidsynth-2.1.7/debian/changelog 2021-04-24 13:37:51.000000000 +0200
@@ -1,3 +1,11 @@
+fluidsynth (2.1.7-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
+ (Closes: #987168)
+
+ -- Reiner Herrmann <rei...@reiner-h.de> Sat, 24 Apr 2021 13:37:51 +0200
+
 fluidsynth (2.1.7-1) unstable; urgency=medium
 * New upstream version 2.1.7
diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
--- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 1970-01-01 01:00:00.000000000 +0100
+++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch 2021-04-24 13:35:20.000000000 +0200
@@ -0,0 +1,84 @@
+From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
+From: Tom M <tom.m...@googlemail.com>
+Date: Mon, 15 Mar 2021 20:12:51 +0100
+Subject: [PATCH] Invalid generators were not removed from zone list (#810)
+Bug: https://github.com/FluidSynth/fluidsynth/issues/808
+Bug-Debian: https://bugs.debian.org/987168
+
+fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
+---
+ src/sfloader/fluid_sffile.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
+index 001a0a0a4..47ab98d97 100644
+--- a/src/sfloader/fluid_sffile.c
++++ b/src/sfloader/fluid_sffile.c
+@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
+ * ------------------------------------------------------------------- */
+ static int load_pgen(SFData *sf, int size)
+ {
+- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
+ /* traverse through all presets */
+ gzone = FALSE;
+ discarded = FALSE;
+- p2 = ((SFPreset *)(p->data))->zone;
++ start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
+
+ if(p2)
+ {
+@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
+ }
+ else
+ {
++ p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
+ ((SFPreset *)(p->data))->name);
+- *hz = fluid_list_remove(*hz, p2->data);
+- delete_zone((SFZone *)fluid_list_get(p2));
++ fluid_list_remove(start_of_zone_list, z);
++ delete_zone(z);
++ continue;
+ }
+ }
+
+@@ -1864,7 
+1866,7 @@ static int load_imod(SFData *sf, int size)
+ /* load instrument generators (see load_pgen for loading rules) */
+ static int load_igen(SFData *sf, int size)
+ {
+- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size)
+ /* traverse through all instruments */
+ gzone = FALSE;
+ discarded = FALSE;
+- p2 = ((SFInst *)(p->data))->zone;
++ start_of_zone_list = p2 = ((SFInst *)(p->data))->zone;
+
+ if(p2)
+ {
+@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size)
+ }
+ else
+ {
++ p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone",
+ ((SFInst *)(p->data))->name);
+- *hz = fluid_list_remove(*hz, p2->data);
+- delete_zone((SFZone *)fluid_list_get(p2));
++ fluid_list_remove(start_of_zone_list, z);
++ delete_zone(z);
++ continue;
+ }
+ }
+
diff -Nru fluidsynth-2.1.7/debian/patches/series fluidsynth-2.1.7/debian/patches/series
--- fluidsynth-2.1.7/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ fluidsynth-2.1.7/debian/patches/series 2021-04-24 13:35:27.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-28421.patch
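Review bot: `fluid_list_remove(start_of_zone_list, z);` discards its return value in both the load_pgen hunk (@@ -1516) and the load_igen hunk (@@ -2024), even though the removed line `*hz = fluid_list_remove(*hz, p2->data);` shows the call returns the (possibly new) list head. If `z` were the first node of the zone list, `start_of_zone_list` and the preset's or instrument's `zone` field would keep pointing at the unlinked node, the same class of dangling-list-pointer defect this patch is fixing. That case is presumably unreachable because the branch runs only after a global zone has been recorded (`gzone` is set earlier, outside the hunk) and that zone occupies the head, but nothing in the new code states the invariant. Either write the head back, `start_of_zone_list = fluid_list_remove(start_of_zone_list, z);` (and into `((SFPreset *)(p->data))->zone` / `((SFInst *)(p->data))->zone` if it changed), or add `/* z is never the list head here: the global zone found earlier occupies it */` above the call. Both load_pgen and load_igen start and end outside the hunks shown.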