On Wed, Mar 09, 2022 at 09:54:44AM +0100, Moritz Buhl wrote: > Dear ports@, > > I noticed that two unfixed heap overflow bugs in audio/libsndfile > exist for about a year now and there is still no new release available. > > I attached the diffs from upstream.
OK kn without RCSIDs. Alterntively, you can also just pull the patches like this MASTER_SITES0 = https://github.com/libsndfile/libsndfile/commit/ # https://github.com/libsndfile/libsndfile/issues/731 # https://security-tracker.debian.org/tracker/CVE-2021-3246 PATCHFILES = libsndfile-fix-heap-overflow-{}ced91d7b.patch:0 \ libsndfile-cve-2021-4346-1-{}deb669ee.patch:0 \ libsndfile-cve-2021-4346-2-{}a9815b3f.patch:0 PATCH_DIST_ARGS = -p1 or simply update to a GH_COMMIT that contains them in case there isn't much else you'd pull in doing that. > mbuhl > > Index: audio/libsndfile/Makefile > =================================================================== > RCS file: /cvs/ports/audio/libsndfile/Makefile,v > retrieving revision 1.37 > diff -u -p -r1.37 Makefile > --- audio/libsndfile/Makefile 24 Apr 2021 06:17:13 -0000 1.37 > +++ audio/libsndfile/Makefile 9 Mar 2022 08:28:54 -0000 > @@ -8,6 +8,7 @@ CATEGORIES= audio > GH_ACCOUNT= libsndfile > GH_PROJECT= libsndfile > GH_TAGNAME= ${VER} > +REVISION= 0 > > HOMEPAGE= https://github.com/libsndfile/libsndfile/ > > Index: audio/libsndfile/patches/patch-src_flac_c > =================================================================== > RCS file: audio/libsndfile/patches/patch-src_flac_c > diff -N audio/libsndfile/patches/patch-src_flac_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ audio/libsndfile/patches/patch-src_flac_c 9 Mar 2022 08:28:54 -0000 
> @@ -0,0 +1,21 @@ > +$OpenBSD$ > + The RCSIDs must go. > +Fix heap overflow: > +https://github.com/libsndfile/libsndfile/commit/971be6173b604154c39279ce90ad87cc > +https://github.com/libsndfile/libsndfile/issues/731 > + > +Index: src/flac.c > +--- src/flac.c.orig > ++++ src/flac.c > +@@ -948,7 +948,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len) > + /* Decode some more. */ > + while (pflac->pos < pflac->len) > + { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0) > ++ { psf_log_printf (psf, > "FLAC__stream_decoder_process_single returned false\n") ; > ++ /* Current frame is busted, so NULL the pointer. */ > ++ pflac->frame = NULL ; > + break ; > ++ } ; > + state = FLAC__stream_decoder_get_state (pflac->fsd) ; > + if (state >= FLAC__STREAM_DECODER_END_OF_STREAM) > + { psf_log_printf (psf, "FLAC__stream_decoder_get_state > returned %s\n", FLAC__StreamDecoderStateString [state]) ; > Index: audio/libsndfile/patches/patch-src_ms_adpcm_c > =================================================================== > RCS file: audio/libsndfile/patches/patch-src_ms_adpcm_c > diff -N audio/libsndfile/patches/patch-src_ms_adpcm_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ audio/libsndfile/patches/patch-src_ms_adpcm_c 9 Mar 2022 08:28:54 > -0000 
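Review bot: Setting `pflac->frame = NULL` when `FLAC__stream_decoder_process_single` fails only closes the hole if every later reader of `pflac->frame` tolerates NULL; the consumer of the decoded frame runs after the `break`, outside this hunk, so that null check should be confirmed in the full src/flac.c before the port patch goes in. flac_read_loop starts before the hunk and continues past it. The patch header would help a later reader if its summary named the failure mode the comment implies, e.g. `Fix heap overflow: a failed decode left a stale pflac->frame that was read afterwards`, rather than the bare "Fix heap overflow". Separately, the upstream commit hashes quoted in this header and in the ms_adpcm and wavlike headers are 32 hex digits, neither a full 40-digit SHA-1 nor an obviously deliberate abbreviation; check that they resolve before committing.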
> @@ -0,0 +1,26 @@ > +$OpenBSD$ > + > +CVE-2021-3246: > +https://security-tracker.debian.org/tracker/CVE-2021-3246 > +https://github.com/libsndfile/libsndfile/commit/8be55a94565f6f8a6b60890c2e7c6f32 > + > +Index: src/ms_adpcm.c > +--- src/ms_adpcm.c.orig > ++++ src/ms_adpcm.c > +@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int > blockalign, > + if (psf->file.mode == SFM_WRITE) > + samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / > psf->sf.channels ; > + > +- if (blockalign < 7 * psf->sf.channels) > +- { psf_log_printf (psf, "*** Error blockalign (%d) should be > > %d.\n", blockalign, 7 * psf->sf.channels) ; > ++ /* There's 7 samples per channel in the preamble of each block */ > ++ if (samplesperblock < 7 * psf->sf.channels) > ++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be > >= %d.\n", samplesperblock, 7 * psf->sf.channels) ; > ++ return SFE_INTERNAL ; > ++ } ; > ++ > ++ if (2 * blockalign < samplesperblock * psf->sf.channels) > ++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= > %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ; > + return SFE_INTERNAL ; > + } ; > + > Index: audio/libsndfile/patches/patch-src_wavlike_c > =================================================================== > RCS file: audio/libsndfile/patches/patch-src_wavlike_c > diff -N audio/libsndfile/patches/patch-src_wavlike_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ audio/libsndfile/patches/patch-src_wavlike_c 9 Mar 2022 08:28:54 > -0000 
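Review bot: Replacing `if (blockalign < 7 * psf->sf.channels)` with the two new checks loosens the bound for mono input in read mode: with `channels == 1`, `samplesperblock >= 7` and `2 * blockalign >= samplesperblock` are both satisfied by `blockalign == 4`, which the old check rejected, so the per-channel preamble the new comment describes is no longer guaranteed to fit in a block. Keeping the original guard alongside the new ones costs one branch: `if (blockalign < 7 * psf->sf.channels) { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ; return SFE_INTERNAL ; } ;`. In read mode samplesperblock is presumably taken from the file header before this hunk, so also confirm both operands of `samplesperblock * psf->sf.channels` are bounded (16-bit header fields would do) so the `int` product cannot overflow and invert the comparison. wavlike_msadpcm_init starts before the hunk and continues after it. The identifier in this header (CVE-2021-3246) differs from the `cve-2021-4346` used in the suggested PATCHFILES names above; whichever is correct, the patch filename and header should agree.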
> @@ -0,0 +1,22 @@ > +$OpenBSD$ > + > +CVE-2021-3246: > +https://security-tracker.debian.org/tracker/CVE-2021-3246 > +https://github.com/libsndfile/libsndfile/commit/228df00086e0a40bcc43162fc19896a1 > + > +Index: src/wavlike.c > +--- src/wavlike.c.orig > ++++ src/wavlike.c > +@@ -830,7 +830,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf, uint32_t chu > + return 0 ; > + } ; > + > +- if (chunksize >= sizeof (SF_CART_INFO_16K)) > ++ /* > ++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't > part > ++ ** of the chunk, so don't include it in the size check. > ++ */ > ++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4) > + { psf_log_printf (psf, "cart : %u too big to be handled\n", > chunksize) ; > + psf_binheader_readf (psf, "j", chunksize) ; > + return 0 ; >
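Review bot: The literal `- 4` in `if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)` stands for the size of the `tag_text_size` field the new comment names, and it silently drifts if that field's type ever changes; writing it as `sizeof (((SF_CART_INFO_16K *) 0)->tag_text_size)` keeps the check tied to the struct definition. The comment could also state the consequence directly, e.g. `/* the chunk carries the text but not the size field, so its on-disk size is sizeof (struct) - sizeof (tag_text_size) */`. wavlike_read_cart_chunk starts before the hunk and continues past it, so the place where chunksize bytes are later read into the struct is not visible here; confirm that read uses the same adjusted bound rather than the full `sizeof (SF_CART_INFO_16K)`.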
