diff -Nru audiofile-0.3.3/debian/changelog audiofile-0.3.3/debian/changelog --- audiofile-0.3.3/debian/changelog 2015-10-20 12:57:52.000000000 +0000 +++ audiofile-0.3.3/debian/changelog 2017-03-22 14:39:46.000000000 +0000 @@ -1,3 +1,23 @@ +audiofile (0.3.3-2ubuntu0.3) precise-security; urgency=medium + + * SECURITY UPDATE: multiple vulnerabilities (LP: #1674005) + - Apply patches backported from Debian 0.3.6-4: + + 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch + + 05_Always-check-the-number-of-coefficients.patch + + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch + + 07_Check-for-multiplication-overflow-in-sfconvert.patch + + 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch + + 09_Actually-fail-when-error-occurs-in-parseFormat.patch + + 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch + - CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830, + CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, + CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, + CVE-2017-6839 + * debian/patches/sfconvert_error_handling.patch: improve sfconvert error + handling so we can test the reproducers. + + -- Marc Deslauriers Wed, 22 Mar 2017 10:39:00 -0400 + audiofile (0.3.3-2ubuntu0.1) precise-security; urgency=medium * SECURITY UPDATE: buffer overflow when changing both sample format and diff -Nru audiofile-0.3.3/debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch audiofile-0.3.3/debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch --- audiofile-0.3.3/debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 2017-03-21 17:49:27.000000000 +0000 @@ -0,0 +1,40 @@ +Backport of: + +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: audiofile-0.3.3/libaudiofile/modules/IMA.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/modules/IMA.cpp 2017-03-21 13:48:16.257078620 -0400 ++++ audiofile-0.3.3/libaudiofile/modules/IMA.cpp 2017-03-21 13:49:23.877927206 -0400 +@@ -77,6 +77,13 @@ + { + } + ++static inline int clamp(int x, int low, int high) ++{ ++ if (x < low) return low; ++ if (x > high) return high; ++ return x; ++} ++ + int IMA::decodeBlock (const uint8_t *encoded, int16_t *decoded) + { + int channelCount = m_track->f.channelCount; +@@ -88,7 +95,7 @@ + if (encoded[1] & 0x80) + state[c].valprev -= 0x10000; + +- state[c].index = encoded[2]; ++ state[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = state[c].valprev; + diff -Nru audiofile-0.3.3/debian/patches/05_Always-check-the-number-of-coefficients.patch audiofile-0.3.3/debian/patches/05_Always-check-the-number-of-coefficients.patch --- audiofile-0.3.3/debian/patches/05_Always-check-the-number-of-coefficients.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/05_Always-check-the-number-of-coefficients.patch 2017-03-21 17:14:38.000000000 +0000 @@ -0,0 +1,30 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: audiofile-0.3.3/libaudiofile/WAVE.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/WAVE.cpp 2017-03-21 13:14:34.439197675 -0400 ++++ audiofile-0.3.3/libaudiofile/WAVE.cpp 2017-03-21 13:14:34.419197431 -0400 +@@ -269,6 +269,12 @@ + + /* numCoefficients should be at least 7. */ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + for (int i=0; i +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +Index: audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:58:37.676941776 -0400 ++++ audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:59:28.737594797 -0400 +@@ -75,12 +75,40 @@ + int decodeBlock(const uint8_t *encoded, int16_t *decoded); + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + /* + Compute a linear PCM value from the given differential coded + value. + */ + static int16_t ms_adpcm_decode_sample (ms_adpcm_state *state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + const int32_t MAX_INT16 = 32767, MIN_INT16 = -32768; + const int32_t adaptive[] = +@@ -104,7 +132,15 @@ + else if (linearSample > MAX_INT16) + linearSample = MAX_INT16; + +- delta = ((int32_t) state->delta * adaptive[code])/256; ++ delta = ((int32_t) state->delta * adaptive[code]); ++ if (multiplyCheckOverflow(state->delta, adaptive[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; ++ + if (delta < 16) + { + delta = 16; +@@ -113,6 +149,7 @@ + state->delta = delta; + state->sample2 = state->sample1; + state->sample1 = linearSample; ++ if (ok) *ok=true; + + /* + Because of earlier range checking, new_sample will be +@@ -185,13 +222,16 @@ + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = ms_adpcm_decode_sample(state[0], code, coefficient[0]); ++ newSample = ms_adpcm_decode_sample(state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = ms_adpcm_decode_sample(state[1], code, coefficient[1]); ++ newSample = ms_adpcm_decode_sample(state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; +@@ -263,8 +303,9 @@ + /* Decompress into m_outChunk. */ + for (int i=0; i(m_inChunk->buffer) + i * m_blockAlign, +- static_cast(m_outChunk->buffer) + i * m_framesPerBlock * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_blockAlign, ++ static_cast(m_outChunk->buffer) + i * m_framesPerBlock * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerBlock; + } diff -Nru audiofile-0.3.3/debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch audiofile-0.3.3/debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch --- audiofile-0.3.3/debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch 2017-03-22 14:38:53.000000000 +0000 @@ -0,0 +1,68 @@ +Backport of: + +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +Index: audiofile-0.3.3/sfcommands/sfconvert.c +=================================================================== +--- audiofile-0.3.3.orig/sfcommands/sfconvert.c 2017-03-22 10:36:36.821546505 -0400 ++++ audiofile-0.3.3/sfcommands/sfconvert.c 2017-03-22 10:38:08.358680386 -0400 +@@ -45,6 +45,33 @@ + int copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid, + AFframecount totalFrameCount); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + int i = 1; +@@ -289,8 +316,11 @@ + + frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ buffer = malloc(bufferSize); + + while (totalFramesWritten < totalFrameCount) + { diff -Nru audiofile-0.3.3/debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch audiofile-0.3.3/debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch --- audiofile-0.3.3/debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 2017-03-21 17:49:39.000000000 +0000 @@ -0,0 +1,35 @@ +From: Antonio Larrosa +Date: Fri, 10 Mar 2017 15:40:02 +0100 +Subject: Fix signature of multiplyCheckOverflow. It returns a bool, not an int + +--- + libaudiofile/modules/MSADPCM.cpp | 2 +- + sfcommands/sfconvert.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Index: audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:49:38.482110490 -0400 ++++ audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:49:38.078105419 -0400 +@@ -90,7 +90,7 @@ + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +Index: audiofile-0.3.3/sfcommands/sfconvert.c +=================================================================== +--- audiofile-0.3.3.orig/sfcommands/sfconvert.c 2017-03-21 13:49:38.482110490 -0400 ++++ audiofile-0.3.3/sfcommands/sfconvert.c 2017-03-21 13:49:38.078105419 -0400 +@@ -60,7 +60,7 @@ + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); diff -Nru audiofile-0.3.3/debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch audiofile-0.3.3/debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch --- audiofile-0.3.3/debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch 2017-03-21 17:08:34.000000000 +0000 @@ -0,0 +1,36 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0fc48e8..d04b796 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; diff -Nru audiofile-0.3.3/debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch audiofile-0.3.3/debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch --- audiofile-0.3.3/debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch 1970-01-01 00:00:00.000000000 +0000 +++ audiofile-0.3.3/debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch 2017-03-21 17:59:54.000000000 +0000 @@ -0,0 +1,36 @@ +Backport of: + +From: Antonio Larrosa +Date: Thu, 9 Mar 2017 10:21:18 +0100 +Subject: Check for division by zero in BlockCodec::runPull + +--- + libaudiofile/modules/BlockCodec.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: audiofile-0.3.3/libaudiofile/modules/IMA.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/modules/IMA.cpp 2017-03-21 13:59:51.929890022 -0400 ++++ audiofile-0.3.3/libaudiofile/modules/IMA.cpp 2017-03-21 13:59:51.929890022 -0400 +@@ -178,7 +178,7 @@ + + /* Read the compressed frames. */ + ssize_t bytesRead = read(m_inChunk->buffer, m_blockAlign * blockCount); +- ssize_t blocksRead = bytesRead >= 0 ? bytesRead / m_blockAlign : 0; ++ ssize_t blocksRead = (bytesRead >= 0 && m_blockAlign > 0) ? bytesRead / m_blockAlign : 0; + + /* This condition would indicate that the file is bad. */ + if (blocksRead < 0) +Index: audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp +=================================================================== +--- audiofile-0.3.3.orig/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:59:51.929890022 -0400 ++++ audiofile-0.3.3/libaudiofile/modules/MSADPCM.cpp 2017-03-21 13:59:51.929890022 -0400 +@@ -298,7 +298,7 @@ + + /* Read the compressed frames. */ + ssize_t bytesRead = read(m_inChunk->buffer, m_blockAlign * blockCount); +- size_t blocksRead = bytesRead >= 0 ? bytesRead / m_blockAlign : 0; ++ size_t blocksRead = (bytesRead >= 0 && m_blockAlign > 0) ? bytesRead / m_blockAlign : 0; + + /* Decompress into m_outChunk. */ + for (int i=0; i +Date: Sun, 1 Jul 2012 15:36:16 -0700 +Subject: [PATCH] Improve error handling in sfconvert. + +--- + ChangeLog | 4 ++++ + sfcommands/sfconvert.c | 49 +++++++++++++++++++++++++------------------------ + 2 files changed, 29 insertions(+), 24 deletions(-) + +Index: audiofile-0.3.3/sfcommands/sfconvert.c +=================================================================== +--- audiofile-0.3.3.orig/sfcommands/sfconvert.c 2017-03-22 10:35:35.500786964 -0400 ++++ audiofile-0.3.3/sfcommands/sfconvert.c 2017-03-22 10:35:50.892977613 -0400 +@@ -39,8 +39,6 @@ + + #include "printinfo.h" + +-#define BUFFER_FRAME_COUNT 65536 +- + void printversion (void); + void printusage (void); + void usageerror (void); +@@ -220,11 +218,16 @@ + + afFreeFileSetup(outfilesetup); + +- copyaudiodata(infile, outfile, AF_DEFAULT_TRACK, totalFrames); ++ bool success = copyaudiodata(infile, outfile, AF_DEFAULT_TRACK, totalFrames); + + afCloseFile(infile); + afCloseFile(outfile); + ++ if (!success) ++ { ++ return EXIT_FAILURE; ++ } ++ + printfileinfo(infilename); + putchar('\n'); + printfileinfo(outfilename); +@@ -282,46 +285,43 @@ + AFframecount totalFramesWritten = 0; + void *buffer; + int frameSize; +- bool ok = true, done = false; ++ bool success = true; + + frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- buffer = malloc(BUFFER_FRAME_COUNT * frameSize); ++ const int kBufferFrameCount = 65536; ++ buffer = malloc(kBufferFrameCount * frameSize); + +- while (!done) ++ while (totalFramesWritten < totalFrameCount) + { +- AFframecount framesToRead = BUFFER_FRAME_COUNT; +- AFframecount framesRead, framesWritten; ++ AFframecount framesToRead = totalFrameCount - totalFramesWritten; ++ if (framesToRead > kBufferFrameCount) ++ framesToRead = kBufferFrameCount; + +- framesRead = afReadFrames(infile, trackid, buffer, ++ AFframecount framesRead = afReadFrames(infile, trackid, buffer, + framesToRead); + +- if (framesRead < 0) ++ if (framesRead < framesToRead) + { + fprintf(stderr, "Bad read of audio track data.\n"); +- ok = false; +- done = true; ++ success = false; ++ break; + } + +- framesWritten = afWriteFrames(outfile, trackid, buffer, ++ AFframecount framesWritten = afWriteFrames(outfile, trackid, buffer, + framesRead); + +- if (framesWritten < 0) ++ if (framesWritten < framesRead) + { + fprintf(stderr, "Bad write of audio track data.\n"); +- ok = false; +- done = true; +- } +- else +- { +- totalFramesWritten += framesWritten; ++ success = false; ++ break; + } + +- if (totalFramesWritten == totalFrameCount) +- done = true; ++ totalFramesWritten += framesWritten; + } + + free(buffer); + +- return ok; ++ return success; + }