From: Ross Burton <ross.bur...@intel.com>

The previous fix for CVE-2018-19758 wasn't complete, so backport another patch to solve it properly.
(From OE-Core rev: aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2) Signed-off-by: Ross Burton <ross.bur...@intel.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> Signed-off-by: Sana Kazi <sana.k...@kpit.com> --- .../libsndfile1/CVE-2019-3832.patch | 37 +++++++++++++++++++ .../libsndfile/libsndfile1_1.0.28.bb | 5 +++ 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch new file mode 100644 index 0000000000..ab37211399 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch 
@@ -0,0 +1,37 @@ +From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort <poch...@gmail.com> +Date: Tue, 5 Mar 2019 11:27:17 +0100 +Subject: [PATCH] wav_write_header: don't read past the array end + +CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder. + +CVE: CVE-2019-3832 +Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e] +Signed-off-by: Ross Burton <ross.bur...@intel.com> + +If loop_count is bigger than the array, truncate it to the array +length (and not to 32k). + +CVE-2019-3832 + +--- + src/wav.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/wav.c b/src/wav.c +index daae3cc..8851549 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + +- /* Loop count is signed 16 bit number so we limit it range to something sensible. */ +- psf->instrument->loop_count &= 0x7fff ; ++ /* Make sure we don't read past the loops array end. */ ++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops)) ++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ; ++ + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b28f675286..e52105fa2b 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb 
@@ -13,6 +13,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-14245-14246.patch \ file://CVE-2017-14634.patch \ file://CVE-2018-13139.patch \ + file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ + file://CVE-2018-19432.patch \ + file://CVE-2017-12562.patch \ + file://CVE-2018-19758.patch \ + file://CVE-2019-3832.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" -- 2.17.1
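Review bot: In the src/wav.c hunk carried inside CVE-2019-3832.patch, the new bound check sits after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;`, so the loop count written into the header is still the unclamped value while the `for` loop that follows emits at most ARRAY_LEN (psf->instrument->loops) entries. The read past the end of the loops array is closed, but a loop_count larger than the array now produces a header whose declared count disagrees with the number of loops actually written. Moving the check above that psf_binheader_writef call would keep the two consistent; since this is a straight backport of 7408c4c788ce047d4e652b60a04e7796bcd7267e, that is a point to raise upstream rather than to change locally.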
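Review bot: The SRC_URI hunk in libsndfile1_1.0.28.bb adds five file:// entries, but the diffstat shows only one new file (CVE-2019-3832.patch, 37 lines) and the commit message describes only that backport. 0001-a-ulaw-fix-multiple-buffer-overflows-432.patch, CVE-2018-19432.patch, CVE-2017-12562.patch and CVE-2018-19758.patch have to exist in the target branch already, otherwise the recipe references patch files that are not there. If those four arrive with earlier commits of a series, this hunk should add only the `file://CVE-2019-3832.patch \` line; if they do not, include the files or state in the commit message why they are listed here.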
View/Reply Online (#146466): https://lists.openembedded.org/g/openembedded-core/message/146466