fix integer overflows causing CVE-2022-33065 (#RHEL-3751)

Resolves: #RHEL-3751
This commit is contained in:
Michal Hlavinka 2023-11-02 00:24:38 +01:00
parent 01bbfd3458
commit 874b12ae3b
2 changed files with 587 additions and 5 deletions

View File

@ -0,0 +1,576 @@
diff -up libsndfile-1.0.31/src/aiff.c.pullrequest979 libsndfile-1.0.31/src/aiff.c
--- libsndfile-1.0.31/src/aiff.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/aiff.c 2023-11-01 23:24:06.794851022 +0100
@@ -1685,7 +1685,7 @@ static int
aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize)
{ const char * type_str ;
basc_CHUNK bc ;
- int count ;
+ sf_count_t count ;
count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ;
count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
diff -up libsndfile-1.0.31/src/au.c.pullrequest979 libsndfile-1.0.31/src/au.c
--- libsndfile-1.0.31/src/au.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/au.c 2023-11-01 23:24:06.794851022 +0100
@@ -291,6 +291,7 @@ static int
au_read_header (SF_PRIVATE *psf)
{ AU_FMT au_fmt ;
int marker, dword ;
+ sf_count_t data_end ;
memset (&au_fmt, 0, sizeof (au_fmt)) ;
psf_binheader_readf (psf, "pm", 0, &marker) ;
@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
return SFE_AU_EMBED_BAD_LEN ;
} ;
+ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
if (psf->fileoffset > 0)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ { psf->filelength = data_end ;
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
}
- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
+ else if (au_fmt.datasize == -1 || data_end == psf->filelength)
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+ else if (data_end < psf->filelength)
+ { psf->filelength = data_end ;
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
}
else
diff -up libsndfile-1.0.31/src/avr.c.pullrequest979 libsndfile-1.0.31/src/avr.c
--- libsndfile-1.0.31/src/avr.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/avr.c 2023-11-01 23:24:06.795851033 +0100
@@ -164,7 +164,7 @@ avr_read_header (SF_PRIVATE *psf)
psf->endian = SF_ENDIAN_BIG ;
psf->dataoffset = AVR_HDR_SIZE ;
- psf->datalength = hdr.frames * (hdr.rez / 8) ;
+ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ;
if (psf->fileoffset > 0)
psf->filelength = AVR_HDR_SIZE + psf->datalength ;
diff -up libsndfile-1.0.31/src/common.c.pullrequest979 libsndfile-1.0.31/src/common.c
--- libsndfile-1.0.31/src/common.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/common.c 2023-11-01 23:24:06.795851033 +0100
@@ -18,6 +18,7 @@
#include <config.h>
+#include <limits.h>
#include <stdarg.h>
#include <string.h>
#if HAVE_UNISTD_H
@@ -962,6 +963,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
double *doubleptr ;
char c ;
int byte_count = 0, count = 0 ;
+ int read_bytes = 0 ;
if (! format)
return psf_ftell (psf) ;
@@ -970,6 +972,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
while ((c = *format++))
{
+ read_bytes = 0 ;
if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
return count ;
@@ -986,7 +989,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, ucptr, sizeof (int)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (int)) ;
*intptr = GET_MARKER (ucptr) ;
break ;
@@ -994,7 +997,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
+ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
{ int k ;
intdata = 0 ;
for (k = 0 ; k < 16 ; k++)
@@ -1006,14 +1009,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '1' :
charptr = va_arg (argptr, char*) ;
*charptr = 0 ;
- byte_count += header_read (psf, charptr, sizeof (char)) ;
+ read_bytes = header_read (psf, charptr, sizeof (char)) ;
break ;
case '2' : /* 2 byte value with the current endian-ness */
shortptr = va_arg (argptr, unsigned short*) ;
*shortptr = 0 ;
ucptr = (unsigned char*) shortptr ;
- byte_count += header_read (psf, ucptr, sizeof (short)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (short)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*shortptr = GET_BE_SHORT (ucptr) ;
else
@@ -1023,7 +1026,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '3' : /* 3 byte value with the current endian-ness */
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
- byte_count += header_read (psf, sixteen_bytes, 3) ;
+ read_bytes = header_read (psf, sixteen_bytes, 3) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = GET_BE_3BYTE (sixteen_bytes) ;
else
@@ -1034,7 +1037,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
- byte_count += header_read (psf, ucptr, sizeof (int)) ;
+ read_bytes = header_read (psf, ucptr, sizeof (int)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = psf_get_be32 (ucptr, 0) ;
else
@@ -1044,7 +1047,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '8' : /* 8 byte value with the current endian-ness */
countptr = va_arg (argptr, sf_count_t *) ;
*countptr = 0 ;
- byte_count += header_read (psf, sixteen_bytes, 8) ;
+ read_bytes = header_read (psf, sixteen_bytes, 8) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
countdata = psf_get_be64 (sixteen_bytes, 0) ;
else
@@ -1055,7 +1058,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'f' : /* Float conversion */
floatptr = va_arg (argptr, float *) ;
*floatptr = 0.0 ;
- byte_count += header_read (psf, floatptr, sizeof (float)) ;
+ read_bytes = header_read (psf, floatptr, sizeof (float)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*floatptr = float32_be_read ((unsigned char*) floatptr) ;
else
@@ -1065,7 +1068,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'd' : /* double conversion */
doubleptr = va_arg (argptr, double *) ;
*doubleptr = 0.0 ;
- byte_count += header_read (psf, doubleptr, sizeof (double)) ;
+ read_bytes = header_read (psf, doubleptr, sizeof (double)) ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
*doubleptr = double64_be_read ((unsigned char*) doubleptr) ;
else
@@ -1089,7 +1092,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
charptr = va_arg (argptr, char*) ;
count = va_arg (argptr, size_t) ;
memset (charptr, 0, count) ;
- byte_count += header_read (psf, charptr, count) ;
+ read_bytes = header_read (psf, charptr, count) ;
break ;
case 'G' :
@@ -1100,7 +1103,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
return 0 ;
- byte_count += header_gets (psf, charptr, count) ;
+ read_bytes = header_gets (psf, charptr, count) ;
break ;
case 'z' :
@@ -1124,7 +1127,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'j' : /* Seek to position from current position. */
count = va_arg (argptr, size_t) ;
header_seek (psf, count, SEEK_CUR) ;
- byte_count += count ;
+ read_bytes = count ;
break ;
default :
@@ -1132,8 +1135,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
psf->error = SFE_INTERNAL ;
break ;
} ;
+
+ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes))
+ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ;
+ psf->error = SFE_INTERNAL ;
+ break ;
+ } else
+ { byte_count += read_bytes ;
} ;
+ } ; /*end while*/
+
va_end (argptr) ;
return byte_count ;
diff -up libsndfile-1.0.31/src/common.h.pullrequest979 libsndfile-1.0.31/src/common.h
--- libsndfile-1.0.31/src/common.h.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/common.h 2023-11-01 23:24:06.795851033 +0100
@@ -484,7 +484,7 @@ typedef struct sf_private_tag
sf_count_t datalength ; /* Length in bytes of the audio data. */
sf_count_t dataend ; /* Offset to file tailer. */
- int blockwidth ; /* Size in bytes of one set of interleaved samples. */
+ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */
int bytewidth ; /* Size in bytes of one sample (one channel). */
void *dither ;
diff -up libsndfile-1.0.31/src/ima_adpcm.c.pullrequest979 libsndfile-1.0.31/src/ima_adpcm.c
--- libsndfile-1.0.31/src/ima_adpcm.c.pullrequest979 2023-11-01 23:24:06.793851012 +0100
+++ libsndfile-1.0.31/src/ima_adpcm.c 2023-11-01 23:24:06.797851053 +0100
@@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl
case SF_FORMAT_AIFF :
psf_log_printf (psf, "still need to check block count\n") ;
pima->decode_block = aiff_ima_decode_block ;
- psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ;
break ;
default :
diff -up libsndfile-1.0.31/src/ircam.c.pullrequest979 libsndfile-1.0.31/src/ircam.c
--- libsndfile-1.0.31/src/ircam.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/ircam.c 2023-11-01 23:24:06.795851033 +0100
@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf)
switch (encoding)
{ case IRCAM_PCM_16 :
psf->bytewidth = 2 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ;
break ;
case IRCAM_PCM_32 :
psf->bytewidth = 4 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ;
break ;
case IRCAM_FLOAT :
psf->bytewidth = 4 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ;
break ;
case IRCAM_ALAW :
psf->bytewidth = 1 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ;
break ;
case IRCAM_ULAW :
psf->bytewidth = 1 ;
- psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ;
break ;
diff -up libsndfile-1.0.31/src/mat4.c.pullrequest979 libsndfile-1.0.31/src/mat4.c
--- libsndfile-1.0.31/src/mat4.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/mat4.c 2023-11-01 23:24:06.795851033 +0100
@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf)
psf->container_close = mat4_close ;
- psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
switch (subformat)
{ case SF_FORMAT_PCM_16 :
@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
}
else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
diff -up libsndfile-1.0.31/src/mat5.c.pullrequest979 libsndfile-1.0.31/src/mat5.c
--- libsndfile-1.0.31/src/mat5.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/mat5.c 2023-11-01 23:24:06.796851043 +0100
@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf)
psf->container_close = mat5_close ;
- psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
switch (subformat)
{ case SF_FORMAT_PCM_U8 :
diff -up libsndfile-1.0.31/src/nms_adpcm.c.pullrequest979 libsndfile-1.0.31/src/nms_adpcm.c
--- libsndfile-1.0.31/src/nms_adpcm.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/nms_adpcm.c 2023-11-01 23:24:06.796851043 +0100
@@ -48,36 +48,36 @@
/* Variable names from ITU G.726 spec */
struct nms_adpcm_state
{ /* Log of the step size multiplier. Operated on by codewords. */
- int yl ;
+ short yl ;
/* Quantizer step size multiplier. Generated from yl. */
- int y ;
+ short y ;
/* Coefficents of the pole predictor */
- int a [2] ;
+ short a [2] ;
/* Coefficents of the zero predictor */
- int b [6] ;
+ short b [6] ;
/* Previous quantized deltas (multiplied by 2^14) */
- int d_q [7] ;
+ short d_q [7] ;
/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
- int p [3] ;
+ short p [3] ;
/* Previous reconstructed signal values. */
- int s_r [2] ;
+ short s_r [2] ;
/* Zero predictor components of the signal estimate. */
- int s_ez ;
+ short s_ez ;
/* Signal estimate, (including s_ez). */
- int s_e ;
+ short s_e ;
/* The most recent codeword (enc:generated, dec:inputted) */
- int Ik ;
+ char Ik ;
- int parity ;
+ char parity ;
/*
** Offset into code tables for the bitrate.
@@ -109,7 +109,7 @@ typedef struct
} NMS_ADPCM_PRIVATE ;
/* Pre-computed exponential interval used in the antilog approximation. */
-static unsigned int table_expn [] =
+static unsigned short table_expn [] =
{ 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a,
0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892,
0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954,
@@ -117,21 +117,21 @@ static unsigned int table_expn [] =
} ;
/* Table mapping codewords to scale factor deltas. */
-static int table_scale_factor_step [] =
+static short table_scale_factor_step [] =
{ 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */
-0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */
-0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */
} ;
/* Table mapping codewords to quantized delta interval steps. */
-static unsigned int table_step [] =
+static unsigned short table_step [] =
{ 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */
0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */
0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */
} ;
/* Binary search lookup table for quantizing using table_step. */
-static int table_step_search [] =
+static short table_step_search [] =
{ 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */
0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */
0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */
@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRI
** Maps [1,20480] to [1,1024] in an exponential relationship. This is
** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
*/
-static inline int
-nms_adpcm_antilog (int exp)
-{ int ret ;
-
- ret = 0x1000 ;
- ret += (((exp & 0x3f) * 0x166b) >> 12) ;
- ret *= table_expn [(exp & 0x7c0) >> 6] ;
- ret >>= (26 - (exp >> 11)) ;
+static inline short
+nms_adpcm_antilog (short exp)
+{ int_fast32_t r ;
+
+ r = 0x1000 ;
+ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
+ r *= table_expn [(exp & 0x7c0) >> 6] ;
+ r >>= (26 - (exp >> 11)) ;
- return ret ;
+ return (short) r ;
} /* nms_adpcm_antilog */
static void
nms_adpcm_update (struct nms_adpcm_state *s)
{ /* Variable names from ITU G.726 spec */
- int a1ul ;
- int fa1 ;
+ short a1ul, fa1 ;
+ int_fast32_t se ;
int i ;
/* Decay and Modify the scale factor in the log domain based on the codeword. */
@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state
else if (fa1 > 256)
fa1 = 256 ;
- s->a [0] = (0xff * s->a [0]) >> 8 ;
+ s->a [0] = (s->a [0] * 0xff) >> 8 ;
if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
s->a [0] -= 192 ;
else
@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state
fa1 = -fa1 ;
}
- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
+ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
s->a [1] -= 128 ;
else
@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state
s->a [0] = a1ul ;
} ;
- /* Compute the zero predictor estimate. Rotate past deltas too. */
- s->s_ez = 0 ;
+ /* Compute the zero predictor estimate and rotate past deltas. */
+ se = 0 ;
for (i = 5 ; i >= 0 ; i--)
- { s->s_ez += s->d_q [i] * s->b [i] ;
+ { se += (int_fast32_t) s->d_q [i] * s->b [i] ;
s->d_q [i + 1] = s->d_q [i] ;
} ;
+ s->s_ez = se >> 14 ;
- /* Compute the signal estimate. */
- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
-
- /* Return to scale */
- s->s_ez >>= 14 ;
- s->s_e >>= 14 ;
+ /* Complete the signal estimate. */
+ se += (int_fast32_t) s->a [0] * s->s_r [0] ;
+ se += (int_fast32_t) s->a [1] * s->s_r [1] ;
+ s->s_e = se >> 14 ;
/* Rotate members to prepare for next iteration. */
s->s_r [1] = s->s_r [0] ;
@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state
static int16_t
nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
{ /* Variable names from ITU G.726 spec */
- int dqx ;
+ int_fast32_t dqx ;
/*
** The ordering of the 12-bit right-shift is a precision loss. It agrees
@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_s
/*
** nms_adpcm_encode_sample()
**
-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
+** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
** using and updating the predictor state.
*/
static uint8_t
nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
{ /* Variable names from ITU G.726 spec */
- int d ;
+ int_fast32_t d ;
uint8_t I ;
/* Down scale the sample from 16 => ~14 bits. */
- sl = (sl * 0x1fdf) / 0x7fff ;
+ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
/* Compute estimate, and delta from actual value */
nms_adpcm_update (s) ;
@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpc
*/
static int16_t
nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
-{ int sl ;
+{ int_fast32_t sl ;
nms_adpcm_update (s) ;
sl = nms_adpcm_reconstruct_sample (s, I) ;
@@ -1091,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf)
else
pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;
- psf->sf.frames = pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+ psf->sf.frames = (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
psf->codec_close = nms_adpcm_close ;
psf->seek = nms_adpcm_seek ;
diff -up libsndfile-1.0.31/src/pcm.c.pullrequest979 libsndfile-1.0.31/src/pcm.c
--- libsndfile-1.0.31/src/pcm.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/pcm.c 2023-11-01 23:24:06.796851043 +0100
@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf)
return SFE_INTERNAL ;
} ;
- psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8)
chars = SF_CHARS_SIGNED ;
diff -up libsndfile-1.0.31/src/rf64.c.pullrequest979 libsndfile-1.0.31/src/rf64.c
--- libsndfile-1.0.31/src/rf64.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/rf64.c 2023-11-01 23:24:06.797851053 +0100
@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
} ;
} ;
- if (psf->filelength != riff_size + 8)
+ if (psf->filelength - 8 != riff_size)
psf_log_printf (psf, " Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ;
else
psf_log_printf (psf, " Riff size : %D\n", riff_size) ;
diff -up libsndfile-1.0.31/src/sds.c.pullrequest979 libsndfile-1.0.31/src/sds.c
--- libsndfile-1.0.31/src/sds.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/sds.c 2023-11-01 23:24:06.797851053 +0100
@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRI
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 2)
- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ;
+ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ;
psds->read_samples [k / 2] = (int) (sample - 0x80000000) ;
} ;
@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRI
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 3)
- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ;
+ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ;
psds->read_samples [k / 3] = (int) (sample - 0x80000000) ;
} ;
@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRI
ucptr = psds->read_data + 5 ;
for (k = 0 ; k < 120 ; k += 4)
- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ;
+ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ;
psds->read_samples [k / 4] = (int) (sample - 0x80000000) ;
} ;

View File

@ -1,7 +1,7 @@
Summary: Library for reading and writing sound files
Name: libsndfile
Version: 1.0.31
Release: 7%{?dist}
Release: 8%{?dist}
License: LGPLv2+ and GPLv2+ and BSD
URL: http://libsndfile.github.io/libsndfile/
Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
@ -11,6 +11,8 @@ Patch1: libsndfile-1.0.25-zerodivfix.patch
Patch2: libsndfile-1.0.31-deb669ee.patch
# from upstream, fix #2030508, for <= 1.0.31
Patch3: libsndfile-1.0.31-ced91d7b.patch
# from upstream, fix #RHEL-3751, for <= 1.2.2
Patch4: libsndfile-1.0.31-pullrequest979.patch
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
BuildRequires: flac-devel
@ -58,12 +60,13 @@ This package contains command line utilities for libsndfile.
%prep
%setup -q
%patch0 -p1 -b .system-gsm
%patch -P 0 -p1 -b .system-gsm
rm -r src/GSM610
# TODO: check if this patch is still needed
%patch1 -p1 -b .zerodivfix
%patch2 -p1 -b .deb669ee
%patch3 -p1 -b .ced91d7b
%patch -P 1 -p1 -b .zerodivfix
%patch -P 2 -p1 -b .deb669ee
%patch -P 3 -p1 -b .ced91d7b
%patch -P 4 -p1 -b .pullrequest979
%build
autoreconf -I M4 -fiv # for system-gsm patch
@ -155,6 +158,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%changelog
* Wed Nov 01 2023 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-8
- fix integer overflows causing CVE-2022-33065 (#RHEL-3751)
* Wed Jan 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-7
- fix heap buffer overflow in flac (#2030508)