Compare commits


No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

13 changed files with 424 additions and 616 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/libsndfile-1.0.28.tar.gz
SOURCES/libsndfile-1.0.31.tar.bz2


@ -1 +1 @@
85aa967e19f6b9bf975601d79669025e5f8bc77d SOURCES/libsndfile-1.0.28.tar.gz
f16a88e7223baef7c4497536dc1b55b56811debc SOURCES/libsndfile-1.0.31.tar.bz2


@ -1,6 +1,87 @@
diff -up libsndfile-1.0.28/src/gsm610.c.systemgsm libsndfile-1.0.28/src/gsm610.c
--- libsndfile-1.0.28/src/gsm610.c.systemgsm 2016-09-10 10:08:27.000000000 +0200
+++ libsndfile-1.0.28/src/gsm610.c 2017-04-11 10:47:40.437162489 +0200
diff -up libsndfile-1.0.31/CMakeLists.txt.nobundlegsm libsndfile-1.0.31/CMakeLists.txt
--- libsndfile-1.0.31/CMakeLists.txt.nobundlegsm 2021-01-24 13:22:23.000000000 +0100
+++ libsndfile-1.0.31/CMakeLists.txt 2021-01-27 12:54:51.112184824 +0100
@@ -230,7 +230,6 @@ add_library (sndfile
src/double64.c
src/ima_adpcm.c
src/ms_adpcm.c
- src/gsm610.c
src/dwvw.c
src/vox_adpcm.c
src/interleave.c
@@ -286,23 +285,6 @@ add_library (sndfile
src/ogg_opus.c
src/ogg_vcomment.c
src/nms_adpcm.c
- src/GSM610/config.h
- src/GSM610/gsm.h
- src/GSM610/gsm610_priv.h
- src/GSM610/add.c
- src/GSM610/code.c
- src/GSM610/decode.c
- src/GSM610/gsm_create.c
- src/GSM610/gsm_decode.c
- src/GSM610/gsm_destroy.c
- src/GSM610/gsm_encode.c
- src/GSM610/gsm_option.c
- src/GSM610/long_term.c
- src/GSM610/lpc.c
- src/GSM610/preprocess.c
- src/GSM610/rpe.c
- src/GSM610/short_term.c
- src/GSM610/table.c
src/G72x/g72x.h
src/G72x/g72x_priv.h
src/G72x/g721.c
@@ -349,6 +331,7 @@ target_link_libraries (sndfile
$<$<BOOL:${HAVE_EXTERNAL_XIPH_LIBS}>:FLAC::FLAC>
$<$<AND:$<BOOL:${ENABLE_EXPERIMENTAL}>,$<BOOL:${HAVE_EXTERNAL_XIPH_LIBS}>,$<BOOL:${HAVE_SPEEX}>>:Speex::Speex>
$<$<BOOL:${HAVE_EXTERNAL_XIPH_LIBS}>:Opus::opus>
+ -lgsm
)
set_target_properties (sndfile PROPERTIES
PUBLIC_HEADER "${sndfile_HDRS}"
diff -up libsndfile-1.0.31/Makefile.am.nobundlegsm libsndfile-1.0.31/Makefile.am
--- libsndfile-1.0.31/Makefile.am.nobundlegsm 2021-01-27 12:57:08.819482207 +0100
+++ libsndfile-1.0.31/Makefile.am 2021-01-27 12:57:08.847481859 +0100
@@ -46,7 +46,6 @@ SYMBOL_FILES = src/Symbols.gnu-binutils
EXTRA_DIST += include/sndfile.h.in src/config.h.in src/test_endswap.tpl src/test_endswap.def \
$(SYMBOL_FILES) src/create_symbols_file.py src/binheader_writef_check.py \
- src/GSM610/README src/GSM610/COPYRIGHT src/GSM610/ChangeLog \
src/G72x/README src/G72x/README.original src/G72x/ChangeLog \
src/make-static-lib-hidden-privates.sh \
src/config.h.cmake
@@ -71,7 +70,7 @@ src_libsndfile_la_SOURCES = src/sndfile.
src/ogg_vorbis.c src/ogg_speex.c src/ogg_pcm.c src/ogg_opus.c src/ogg_vcomment.c \
src/common.h src/sfconfig.h src/sfendian.h src/wavlike.h src/sf_unistd.h src/ogg.h src/chanmap.h src/ogg_vcomment.h
nodist_src_libsndfile_la_SOURCES = $(nodist_include_HEADERS)
-src_libsndfile_la_LIBADD = src/GSM610/libgsm.la src/G72x/libg72x.la src/ALAC/libalac.la \
+src_libsndfile_la_LIBADD = -lgsm src/G72x/libg72x.la src/ALAC/libalac.la \
src/libcommon.la $(EXTERNAL_XIPH_LIBS) -lm
EXTRA_src_libsndfile_la_DEPENDENCIES = $(SYMBOL_FILES)
@@ -90,17 +89,6 @@ src_test_main_SOURCES = src/test_main.c
src/test_binheader_writef.c src/test_nms_adpcm.c
src_test_main_LDADD = src/libcommon.la
-##############
-# src/GSM610 #
-##############
-
-noinst_LTLIBRARIES += src/GSM610/libgsm.la
-src_GSM610_libgsm_la_SOURCES = src/GSM610/config.h src/GSM610/gsm.h src/GSM610/gsm610_priv.h \
- src/GSM610/add.c src/GSM610/code.c src/GSM610/decode.c src/GSM610/gsm_create.c \
- src/GSM610/gsm_decode.c src/GSM610/gsm_destroy.c src/GSM610/gsm_encode.c \
- src/GSM610/gsm_option.c src/GSM610/long_term.c src/GSM610/lpc.c src/GSM610/preprocess.c \
- src/GSM610/rpe.c src/GSM610/short_term.c src/GSM610/table.c
-
############
# src/G72x #
############
diff -up libsndfile-1.0.31/src/gsm610.c.nobundlegsm libsndfile-1.0.31/src/gsm610.c
--- libsndfile-1.0.31/src/gsm610.c.nobundlegsm 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/gsm610.c 2021-01-27 12:54:51.112184824 +0100
@@ -27,7 +27,7 @@
#include "sfendian.h"
#include "common.h"
@ -15,42 +96,8 @@ diff -up libsndfile-1.0.28/src/gsm610.c.systemgsm libsndfile-1.0.28/src/gsm610.c
pgsm610->blockcount = 0 ;
- gsm_init (pgsm610->gsm_data) ;
+ gsm_destroy (pgsm610->gsm_data) ;
+ pgsm610->gsm_data = gsm_create () ;
+ gsm_destroy (pgsm610->gsm_data) ;
+ pgsm610->gsm_data = gsm_create () ;
if ((SF_CONTAINER (psf->sf.format)) == SF_FORMAT_WAV ||
(SF_CONTAINER (psf->sf.format)) == SF_FORMAT_W64)
gsm_option (pgsm610->gsm_data, GSM_OPT_WAV49, &true_flag) ;
diff -up libsndfile-1.0.28/src/Makefile.am.systemgsm libsndfile-1.0.28/src/Makefile.am
--- libsndfile-1.0.28/src/Makefile.am.systemgsm 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/Makefile.am 2017-04-11 10:48:43.855620172 +0200
@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libsndfile.la
include_HEADERS = sndfile.hh
nodist_include_HEADERS = sndfile.h
-noinst_LTLIBRARIES = GSM610/libgsm.la G72x/libg72x.la ALAC/libalac.la libcommon.la
+noinst_LTLIBRARIES = G72x/libg72x.la ALAC/libalac.la libcommon.la
SYMBOL_FILES = Symbols.gnu-binutils Symbols.darwin libsndfile-1.def Symbols.os2 Symbols.static
@@ -43,7 +43,7 @@ libsndfile_la_CPPFLAGS = -DSNDFILE_EXPOR
libsndfile_la_LDFLAGS = -no-undefined -version-info $(SHARED_VERSION_INFO) $(SHLIB_VERSION_ARG)
libsndfile_la_SOURCES = $(FILESPECIFIC) $(noinst_HEADERS)
nodist_libsndfile_la_SOURCES = $(nodist_include_HEADERS)
-libsndfile_la_LIBADD = GSM610/libgsm.la G72x/libg72x.la ALAC/libalac.la \
+libsndfile_la_LIBADD = -lgsm G72x/libg72x.la ALAC/libalac.la \
libcommon.la $(EXTERNAL_XIPH_LIBS) -lm
EXTRA_libsndfile_la_DEPENDENCIES = $(SYMBOL_FILES)
@@ -58,12 +58,6 @@ libcommon_la_SOURCES = common.c file_io.
#======================================================================
# Subdir libraries.
-GSM610_libgsm_la_SOURCES = GSM610/config.h GSM610/gsm.h GSM610/gsm610_priv.h \
- GSM610/add.c GSM610/code.c GSM610/decode.c GSM610/gsm_create.c \
- GSM610/gsm_decode.c GSM610/gsm_destroy.c GSM610/gsm_encode.c \
- GSM610/gsm_option.c GSM610/long_term.c GSM610/lpc.c GSM610/preprocess.c \
- GSM610/rpe.c GSM610/short_term.c GSM610/table.c
-
G72x_libg72x_la_SOURCES = G72x/g72x.h G72x/g72x_priv.h \
G72x/g721.c G72x/g723_16.c G72x/g723_24.c G72x/g723_40.c G72x/g72x.c
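Review bot: In the src/gsm610.c part of this patch, the result of the added `pgsm610->gsm_data = gsm_create () ;` is passed straight to `gsm_option (pgsm610->gsm_data, GSM_OPT_WAV49, &true_flag) ;` without a NULL check, although gsm_create() allocates the codec state and returns NULL when that allocation fails. Because the preceding `gsm_destroy (pgsm610->gsm_data) ;` has already freed the old state, a failed allocation leaves the private struct holding a null codec pointer that later encode/decode calls would presumably dereference. I would add `if (pgsm610->gsm_data == NULL) { psf->error = SFE_MALLOC_FAILED ; ... }` directly after the assignment, returning whatever failure value the enclosing function uses. That function starts and ends outside the visible hunk, so the exact return statement needs to be confirmed against the full file.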


@ -1,31 +0,0 @@
From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden" <brett.t.warden@intel.com>
Date: Tue, 28 Aug 2018 12:01:17 -0700
Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
Allocated buffer has space for only 16 channels. Verify that input file
meets this limit.
Fixes #397
---
programs/sndfile-deinterleave.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
index 53660310..225b4d54 100644
--- a/programs/sndfile-deinterleave.c
+++ b/programs/sndfile-deinterleave.c
@@ -89,6 +89,13 @@ main (int argc, char **argv)
exit (1) ;
} ;
+ if (sfinfo.channels > MAX_CHANNELS)
+ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n",
+ argv [1], sfinfo.channels, MAX_CHANNELS) ;
+ exit (1) ;
+ } ;
+
+
state.channels = sfinfo.channels ;
sfinfo.channels = 1 ;


@ -1,88 +0,0 @@
From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
Date: Wed, 14 Jun 2017 12:25:40 +0200
Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
in binheader
Fixes the following problems:
1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
big switch statement by an amount (16 bytes) which is enough for all cases
where only a single value gets added. Cases 's', 'S', 'p' however
additionally write an arbitrary length block of data and again enlarge the
buffer to the required amount. However, the required space calculation does
not take into account the size of the length field which gets output before
the data.
3. Buffer size requirement calculation in case 'S' does not account for the
padding byte ("size += (size & 1) ;" happens after the calculation which
uses "size").
4. Case 'S' can overrun the header buffer by 1 byte when no padding is
involved
("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
the buffer is only guaranteed to have "size" space available).
5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
beyond the space which is guaranteed to be allocated in the header buffer.
6. Case 's' can overrun the provided source string by 1 byte if padding is
involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
plus optionally another 1 which is padding and not guaranteed to be
readable via the source string pointer).
Closes: https://github.com/erikd/libsndfile/issues/292
---
src/common.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/common.c b/src/common.c
index 1a6204ca..6b2a2ee9 100644
--- a/src/common.c
+++ b/src/common.c
@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
/* Write a C string (guaranteed to have a zero terminator). */
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) + 1 ;
- size += (size & 1) ;
- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
- header_put_be_int (psf, size) ;
+ header_put_be_int (psf, size + (size & 1)) ;
else
- header_put_le_int (psf, size) ;
+ header_put_le_int (psf, size + (size & 1)) ;
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
+ size += (size & 1) ;
psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ;
count += 4 + size ;
@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
*/
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) ;
- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
return count ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
header_put_be_int (psf, size) ;
else
header_put_le_int (psf, size) ;
- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
size += (size & 1) ;
psf->header.indx += size ;
- psf->header.ptr [psf->header.indx] = 0 ;
count += 4 + size ;
break ;
@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
size = (size & 1) ? size : size + 1 ;
size = (size > 254) ? 254 : size ;
- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
return count ;
header_put_byte (psf, size) ;


@ -1,91 +0,0 @@
From 585cc28a93be27d6938f276af0011401b9f7c0ca Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@owl.eu.com>
Date: Mon, 24 Dec 2018 06:43:48 +0100
Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432)
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.
In this case round - INT_MIN to INT_MAX and proceed as usual.
f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.
In this case, arbitrarily set the buffer value to 0.
This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).
---
src/alaw.c | 9 +++++++--
src/ulaw.c | 9 +++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/alaw.c b/src/alaw.c
index 063fd1a2..4220224c 100644
--- a/src/alaw.c
+++ b/src/alaw.c
@@ -19,6 +19,7 @@
#include "sfconfig.h"
#include <math.h>
+#include <limits.h>
#include "sndfile.h"
#include "common.h"
@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2alaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (ptr [count] == INT_MIN)
+ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
+ else if (ptr [count] >= 0)
buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
else
buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (!isfinite (ptr [count]))
+ buffer [count] = 0 ;
+ else if (ptr [count] >= 0)
buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
diff --git a/src/ulaw.c b/src/ulaw.c
index e50b4cb5..b6070ade 100644
--- a/src/ulaw.c
+++ b/src/ulaw.c
@@ -19,6 +19,7 @@
#include "sfconfig.h"
#include <math.h>
+#include <limits.h>
#include "sndfile.h"
#include "common.h"
@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
static inline void
i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (ptr [count] == INT_MIN)
+ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
+ else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
else
buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
static inline void
d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
{ while (--count >= 0)
- { if (ptr [count] >= 0)
+ { if (!isfinite (ptr [count]))
+ buffer [count] = 0 ;
+ else if (ptr [count] >= 0)
buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
else
buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;


@ -1,11 +0,0 @@
diff -up libsndfile-1.0.28/src/sndfile.c.fixfree libsndfile-1.0.28/src/sndfile.c
--- libsndfile-1.0.28/src/sndfile.c.fixfree 2018-10-15 14:24:26.521941046 +0200
+++ libsndfile-1.0.28/src/sndfile.c 2018-10-15 14:24:26.534940869 +0200
@@ -339,6 +339,7 @@ sf_open (const char *path, int mode, SF_
if (copy_filename (psf, path) != 0)
{ sf_errno = psf->error ;
+ free(psf);
return NULL ;
} ;


@ -1,64 +0,0 @@
From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Wed, 12 Apr 2017 19:45:30 +1000
Subject: [PATCH] FLAC: Fix a buffer read overrun
Buffer read overrun occurs when reading a FLAC file that switches
from 2 channels to one channel mid-stream. Only option is to
abort the read.
Closes: https://github.com/erikd/libsndfile/issues/230
---
src/common.h | 1 +
src/flac.c | 13 +++++++++++++
src/sndfile.c | 1 +
3 files changed, 15 insertions(+)
diff --git a/src/common.h b/src/common.h
index 0bd810c3..e2669b6a 100644
--- a/src/common.h
+++ b/src/common.h
@@ -725,6 +725,7 @@ enum
SFE_FLAC_INIT_DECODER,
SFE_FLAC_LOST_SYNC,
SFE_FLAC_BAD_SAMPLE_RATE,
+ SFE_FLAC_CHANNEL_COUNT_CHANGED,
SFE_FLAC_UNKOWN_ERROR,
SFE_WVE_NOT_WVE,
diff --git a/src/flac.c b/src/flac.c
index 84de0e26..986a7b8f 100644
--- a/src/flac.c
+++ b/src/flac.c
@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
switch (metadata->type)
{ case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+ "Nothing to be but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
+ } ;
+
+ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
+ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
+ "Carrying on as if nothing happened.",
+ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
+ } ;
psf->sf.channels = metadata->data.stream_info.channels ;
psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
psf->sf.frames = metadata->data.stream_info.total_samples ;
diff --git a/src/sndfile.c b/src/sndfile.c
index 41875610..e2a87be8 100644
--- a/src/sndfile.c
+++ b/src/sndfile.c
@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
{ SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
{ SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
{ SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
+ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
{ SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
{ SFE_WVE_NOT_WVE , "Error : not a WVE file." },


@ -1,114 +0,0 @@
diff -up libsndfile-1.0.28/src/common.c.vafix libsndfile-1.0.28/src/common.c
--- libsndfile-1.0.28/src/common.c.vafix 2018-10-15 14:31:59.805758665 +0200
+++ libsndfile-1.0.28/src/common.c 2018-10-15 14:34:48.978445310 +0200
@@ -561,7 +561,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
while ((c = *format++))
{
if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
switch (c)
{ case ' ' : /* Do nothing. Just used to space out format string. */
@@ -677,7 +680,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = strlen (strptr) + 1 ;
if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
header_put_be_int (psf, size + (size & 1)) ;
@@ -698,7 +704,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
strptr = va_arg (argptr, char *) ;
size = strlen (strptr) ;
if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
if (psf->rwf_endian == SF_ENDIAN_BIG)
header_put_be_int (psf, size) ;
else
@@ -718,7 +727,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = (size > 254) ? 254 : size ;
if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
header_put_byte (psf, size) ;
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
@@ -731,7 +743,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = va_arg (argptr, size_t) ;
if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
memcpy (&(psf->header.ptr [psf->header.indx]), bindata, size) ;
psf->header.indx += size ;
@@ -742,7 +757,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = va_arg (argptr, size_t) ;
if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
count += size ;
while (size)
@@ -763,7 +781,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = va_arg (argptr, size_t) ;
if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
psf->header.indx += size ;
count += size ;
@@ -773,7 +794,10 @@ psf_binheader_writef (SF_PRIVATE *psf, c
size = va_arg (argptr, size_t) ;
if ((sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, size))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
psf->header.indx = size ;
break ;
@@ -960,7 +984,10 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
while ((c = *format++))
{
if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ {
+ va_end (argptr) ;
return count ;
+ } ;
switch (c)
{ case 'e' : /* All conversions are now from LE to host. */
@@ -1087,7 +1114,10 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
memset (charptr, 0, count) ;
if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
- return 0 ;
+ {
+ va_end (argptr) ;
+ return count ;
+ } ;
byte_count += header_gets (psf, charptr, count) ;
break ;


@ -1,25 +0,0 @@
From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Tue, 23 May 2017 20:15:24 +1000
Subject: [PATCH] src/aiff.c: Fix a buffer read overflow
Secunia Advisory SA76717.
Found by: Laurent Delosieres, Secunia Research at Flexera Software
---
src/aiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/aiff.c b/src/aiff.c
index 5b5f9f53..45864b76 100644
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword)
psf_binheader_readf (psf, "j", dword - bytesread) ;
if (map_info->channel_map != NULL)
- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ;
+ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ;
free (psf->channel_map) ;


@ -1,7 +1,7 @@
diff -up libsndfile-1.0.28/src/aiff.c.pullrequest979 libsndfile-1.0.28/src/aiff.c
--- libsndfile-1.0.28/src/aiff.c.pullrequest979 2023-11-01 23:49:50.232622966 +0100
+++ libsndfile-1.0.28/src/aiff.c 2023-11-01 23:49:50.246623108 +0100
@@ -1822,7 +1822,7 @@ static int
diff -up libsndfile-1.0.31/src/aiff.c.pullrequest979 libsndfile-1.0.31/src/aiff.c
--- libsndfile-1.0.31/src/aiff.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/aiff.c 2023-11-01 23:24:06.794851022 +0100
@@ -1685,7 +1685,7 @@ static int
aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize)
{ const char * type_str ;
basc_CHUNK bc ;
@ -10,9 +10,9 @@ diff -up libsndfile-1.0.28/src/aiff.c.pullrequest979 libsndfile-1.0.28/src/aiff.
count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ;
count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
diff -up libsndfile-1.0.28/src/au.c.pullrequest979 libsndfile-1.0.28/src/au.c
--- libsndfile-1.0.28/src/au.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/au.c 2023-11-01 23:49:50.246623108 +0100
diff -up libsndfile-1.0.31/src/au.c.pullrequest979 libsndfile-1.0.31/src/au.c
--- libsndfile-1.0.31/src/au.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/au.c 2023-11-01 23:24:06.794851022 +0100
@@ -291,6 +291,7 @@ static int
au_read_header (SF_PRIVATE *psf)
{ AU_FMT au_fmt ;
@ -41,9 +41,9 @@ diff -up libsndfile-1.0.28/src/au.c.pullrequest979 libsndfile-1.0.28/src/au.c
psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ;
}
else
diff -up libsndfile-1.0.28/src/avr.c.pullrequest979 libsndfile-1.0.28/src/avr.c
--- libsndfile-1.0.28/src/avr.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/avr.c 2023-11-01 23:49:50.246623108 +0100
diff -up libsndfile-1.0.31/src/avr.c.pullrequest979 libsndfile-1.0.31/src/avr.c
--- libsndfile-1.0.31/src/avr.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/avr.c 2023-11-01 23:24:06.795851033 +0100
@@ -164,7 +164,7 @@ avr_read_header (SF_PRIVATE *psf)
psf->endian = SF_ENDIAN_BIG ;
@ -53,9 +53,9 @@ diff -up libsndfile-1.0.28/src/avr.c.pullrequest979 libsndfile-1.0.28/src/avr.c
if (psf->fileoffset > 0)
psf->filelength = AVR_HDR_SIZE + psf->datalength ;
diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/common.c
--- libsndfile-1.0.28/src/common.c.pullrequest979 2023-11-01 23:49:50.237623017 +0100
+++ libsndfile-1.0.28/src/common.c 2023-11-01 23:50:00.446727012 +0100
diff -up libsndfile-1.0.31/src/common.c.pullrequest979 libsndfile-1.0.31/src/common.c
--- libsndfile-1.0.31/src/common.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/common.c 2023-11-01 23:24:06.795851033 +0100
@@ -18,6 +18,7 @@
#include <config.h>
@ -64,7 +64,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
#include <stdarg.h>
#include <string.h>
#if HAVE_UNISTD_H
@@ -975,6 +976,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -962,6 +963,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
double *doubleptr ;
char c ;
int byte_count = 0, count = 0 ;
@ -72,15 +72,15 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (! format)
return psf_ftell (psf) ;
@@ -983,6 +985,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -970,6 +972,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
while ((c = *format++))
{
+ read_bytes = 0 ;
if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
{
va_end (argptr) ;
@@ -1002,7 +1005,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
return count ;
@@ -986,7 +989,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
@ -89,7 +89,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
*intptr = GET_MARKER (ucptr) ;
break ;
@@ -1010,7 +1013,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -994,7 +997,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
@ -98,7 +98,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
{ int k ;
intdata = 0 ;
for (k = 0 ; k < 16 ; k++)
@@ -1022,14 +1025,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1006,14 +1009,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '1' :
charptr = va_arg (argptr, char*) ;
*charptr = 0 ;
@ -115,7 +115,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
*shortptr = GET_BE_SHORT (ucptr) ;
else
@@ -1039,7 +1042,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1023,7 +1026,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '3' : /* 3 byte value with the current endian-ness */
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
@ -124,7 +124,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = GET_BE_3BYTE (sixteen_bytes) ;
else
@@ -1050,7 +1053,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1034,7 +1037,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
intptr = va_arg (argptr, unsigned int*) ;
*intptr = 0 ;
ucptr = (unsigned char*) intptr ;
@ -133,7 +133,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
*intptr = psf_get_be32 (ucptr, 0) ;
else
@@ -1060,7 +1063,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1044,7 +1047,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case '8' : /* 8 byte value with the current endian-ness */
countptr = va_arg (argptr, sf_count_t *) ;
*countptr = 0 ;
@ -142,7 +142,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
countdata = psf_get_be64 (sixteen_bytes, 0) ;
else
@@ -1071,7 +1074,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1055,7 +1058,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'f' : /* Float conversion */
floatptr = va_arg (argptr, float *) ;
*floatptr = 0.0 ;
@ -151,7 +151,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
*floatptr = float32_be_read ((unsigned char*) floatptr) ;
else
@@ -1081,7 +1084,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1065,7 +1068,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'd' : /* double conversion */
doubleptr = va_arg (argptr, double *) ;
*doubleptr = 0.0 ;
@ -160,7 +160,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
if (psf->rwf_endian == SF_ENDIAN_BIG)
*doubleptr = double64_be_read ((unsigned char*) doubleptr) ;
else
@@ -1105,7 +1108,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1089,7 +1092,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
charptr = va_arg (argptr, char*) ;
count = va_arg (argptr, size_t) ;
memset (charptr, 0, count) ;
@ -169,16 +169,16 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
break ;
case 'G' :
@@ -1119,7 +1122,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
return count ;
} ;
@@ -1100,7 +1103,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
return 0 ;
- byte_count += header_gets (psf, charptr, count) ;
+ read_bytes = header_gets (psf, charptr, count) ;
break ;
case 'z' :
@@ -1143,7 +1146,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1124,7 +1127,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
case 'j' : /* Seek to position from current position. */
count = va_arg (argptr, size_t) ;
header_seek (psf, count, SEEK_CUR) ;
@ -187,7 +187,7 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
break ;
default :
@@ -1151,8 +1154,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
@@ -1132,8 +1135,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
psf->error = SFE_INTERNAL ;
break ;
} ;
@ -205,10 +205,10 @@ diff -up libsndfile-1.0.28/src/common.c.pullrequest979 libsndfile-1.0.28/src/com
va_end (argptr) ;
return byte_count ;
diff -up libsndfile-1.0.28/src/common.h.pullrequest979 libsndfile-1.0.28/src/common.h
--- libsndfile-1.0.28/src/common.h.pullrequest979 2023-11-01 23:49:50.230622945 +0100
+++ libsndfile-1.0.28/src/common.h 2023-11-01 23:49:50.246623108 +0100
@@ -467,7 +467,7 @@ typedef struct sf_private_tag
diff -up libsndfile-1.0.31/src/common.h.pullrequest979 libsndfile-1.0.31/src/common.h
--- libsndfile-1.0.31/src/common.h.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/common.h 2023-11-01 23:24:06.795851033 +0100
@@ -484,7 +484,7 @@ typedef struct sf_private_tag
sf_count_t datalength ; /* Length in bytes of the audio data. */
sf_count_t dataend ; /* Offset to file tailer. */
@ -217,10 +217,10 @@ diff -up libsndfile-1.0.28/src/common.h.pullrequest979 libsndfile-1.0.28/src/com
int bytewidth ; /* Size in bytes of one sample (one channel). */
void *dither ;
diff -up libsndfile-1.0.28/src/ima_adpcm.c.pullrequest979 libsndfile-1.0.28/src/ima_adpcm.c
--- libsndfile-1.0.28/src/ima_adpcm.c.pullrequest979 2016-09-10 10:08:27.000000000 +0200
+++ libsndfile-1.0.28/src/ima_adpcm.c 2023-11-01 23:49:50.247623119 +0100
@@ -233,7 +233,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl
diff -up libsndfile-1.0.31/src/ima_adpcm.c.pullrequest979 libsndfile-1.0.31/src/ima_adpcm.c
--- libsndfile-1.0.31/src/ima_adpcm.c.pullrequest979 2023-11-01 23:24:06.793851012 +0100
+++ libsndfile-1.0.31/src/ima_adpcm.c 2023-11-01 23:24:06.797851053 +0100
@@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl
case SF_FORMAT_AIFF :
psf_log_printf (psf, "still need to check block count\n") ;
pima->decode_block = aiff_ima_decode_block ;
@ -229,9 +229,9 @@ diff -up libsndfile-1.0.28/src/ima_adpcm.c.pullrequest979 libsndfile-1.0.28/src/
break ;
default :
diff -up libsndfile-1.0.28/src/ircam.c.pullrequest979 libsndfile-1.0.28/src/ircam.c
--- libsndfile-1.0.28/src/ircam.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/ircam.c 2023-11-01 23:49:50.247623119 +0100
diff -up libsndfile-1.0.31/src/ircam.c.pullrequest979 libsndfile-1.0.31/src/ircam.c
--- libsndfile-1.0.31/src/ircam.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/ircam.c 2023-11-01 23:24:06.795851033 +0100
@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf)
switch (encoding)
{ case IRCAM_PCM_16 :
@ -273,9 +273,9 @@ diff -up libsndfile-1.0.28/src/ircam.c.pullrequest979 libsndfile-1.0.28/src/irca
psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ;
break ;
diff -up libsndfile-1.0.28/src/mat4.c.pullrequest979 libsndfile-1.0.28/src/mat4.c
--- libsndfile-1.0.28/src/mat4.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/mat4.c 2023-11-01 23:49:50.247623119 +0100
diff -up libsndfile-1.0.31/src/mat4.c.pullrequest979 libsndfile-1.0.31/src/mat4.c
--- libsndfile-1.0.31/src/mat4.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/mat4.c 2023-11-01 23:24:06.795851033 +0100
@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf)
psf->container_close = mat4_close ;
@ -294,9 +294,9 @@ diff -up libsndfile-1.0.28/src/mat4.c.pullrequest979 libsndfile-1.0.28/src/mat4.
psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
diff -up libsndfile-1.0.28/src/mat5.c.pullrequest979 libsndfile-1.0.28/src/mat5.c
--- libsndfile-1.0.28/src/mat5.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/mat5.c 2023-11-01 23:49:50.247623119 +0100
diff -up libsndfile-1.0.31/src/mat5.c.pullrequest979 libsndfile-1.0.31/src/mat5.c
--- libsndfile-1.0.31/src/mat5.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/mat5.c 2023-11-01 23:24:06.796851043 +0100
@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf)
psf->container_close = mat5_close ;
@ -306,10 +306,224 @@ diff -up libsndfile-1.0.28/src/mat5.c.pullrequest979 libsndfile-1.0.28/src/mat5.
switch (subformat)
{ case SF_FORMAT_PCM_U8 :
diff -up libsndfile-1.0.28/src/pcm.c.pullrequest979 libsndfile-1.0.28/src/pcm.c
--- libsndfile-1.0.28/src/pcm.c.pullrequest979 2017-04-02 08:33:16.000000000 +0200
+++ libsndfile-1.0.28/src/pcm.c 2023-11-01 23:49:50.247623119 +0100
@@ -125,7 +125,7 @@ pcm_init (SF_PRIVATE *psf)
diff -up libsndfile-1.0.31/src/nms_adpcm.c.pullrequest979 libsndfile-1.0.31/src/nms_adpcm.c
--- libsndfile-1.0.31/src/nms_adpcm.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/nms_adpcm.c 2023-11-01 23:24:06.796851043 +0100
@@ -48,36 +48,36 @@
/* Variable names from ITU G.726 spec */
struct nms_adpcm_state
{ /* Log of the step size multiplier. Operated on by codewords. */
- int yl ;
+ short yl ;
/* Quantizer step size multiplier. Generated from yl. */
- int y ;
+ short y ;
/* Coefficents of the pole predictor */
- int a [2] ;
+ short a [2] ;
/* Coefficents of the zero predictor */
- int b [6] ;
+ short b [6] ;
/* Previous quantized deltas (multiplied by 2^14) */
- int d_q [7] ;
+ short d_q [7] ;
/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
- int p [3] ;
+ short p [3] ;
/* Previous reconstructed signal values. */
- int s_r [2] ;
+ short s_r [2] ;
/* Zero predictor components of the signal estimate. */
- int s_ez ;
+ short s_ez ;
/* Signal estimate, (including s_ez). */
- int s_e ;
+ short s_e ;
/* The most recent codeword (enc:generated, dec:inputted) */
- int Ik ;
+ char Ik ;
- int parity ;
+ char parity ;
/*
** Offset into code tables for the bitrate.
@@ -109,7 +109,7 @@ typedef struct
} NMS_ADPCM_PRIVATE ;
/* Pre-computed exponential interval used in the antilog approximation. */
-static unsigned int table_expn [] =
+static unsigned short table_expn [] =
{ 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a,
0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892,
0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954,
@@ -117,21 +117,21 @@ static unsigned int table_expn [] =
} ;
/* Table mapping codewords to scale factor deltas. */
-static int table_scale_factor_step [] =
+static short table_scale_factor_step [] =
{ 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */
-0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */
-0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */
} ;
/* Table mapping codewords to quantized delta interval steps. */
-static unsigned int table_step [] =
+static unsigned short table_step [] =
{ 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */
0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */
0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */
} ;
/* Binary search lookup table for quantizing using table_step. */
-static int table_step_search [] =
+static short table_step_search [] =
{ 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */
0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */
0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */
@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRI
** Maps [1,20480] to [1,1024] in an exponential relationship. This is
** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
*/
-static inline int
-nms_adpcm_antilog (int exp)
-{ int ret ;
-
- ret = 0x1000 ;
- ret += (((exp & 0x3f) * 0x166b) >> 12) ;
- ret *= table_expn [(exp & 0x7c0) >> 6] ;
- ret >>= (26 - (exp >> 11)) ;
+static inline short
+nms_adpcm_antilog (short exp)
+{ int_fast32_t r ;
+
+ r = 0x1000 ;
+ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
+ r *= table_expn [(exp & 0x7c0) >> 6] ;
+ r >>= (26 - (exp >> 11)) ;
- return ret ;
+ return (short) r ;
} /* nms_adpcm_antilog */
static void
nms_adpcm_update (struct nms_adpcm_state *s)
{ /* Variable names from ITU G.726 spec */
- int a1ul ;
- int fa1 ;
+ short a1ul, fa1 ;
+ int_fast32_t se ;
int i ;
/* Decay and Modify the scale factor in the log domain based on the codeword. */
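Review bot: In `nms_adpcm_antilog` the shift count `26 - (exp >> 11)` stays in range only while `exp` is non-negative, and nothing in the function enforces that now that the parameter is a signed `short`. A negative `exp` makes `exp >> 11` implementation-defined and pushes the count above 26, which is undefined once it reaches the width of `int_fast32_t`. The header comment gives the domain as [1,20480] and the callers are outside this hunk, so this may already be guaranteed. If it is, state the precondition next to the shift, e.g. `/* exp must be in [1,20480]: a negative exp would push the shift count below past 26. */`. The closing `(short) r` narrowing relies on the same bound.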
@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state
else if (fa1 > 256)
fa1 = 256 ;
- s->a [0] = (0xff * s->a [0]) >> 8 ;
+ s->a [0] = (s->a [0] * 0xff) >> 8 ;
if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
s->a [0] -= 192 ;
else
@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state
fa1 = -fa1 ;
}
- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
+ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
s->a [1] -= 128 ;
else
@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state
s->a [0] = a1ul ;
} ;
- /* Compute the zero predictor estimate. Rotate past deltas too. */
- s->s_ez = 0 ;
+ /* Compute the zero predictor estimate and rotate past deltas. */
+ se = 0 ;
for (i = 5 ; i >= 0 ; i--)
- { s->s_ez += s->d_q [i] * s->b [i] ;
+ { se += (int_fast32_t) s->d_q [i] * s->b [i] ;
s->d_q [i + 1] = s->d_q [i] ;
} ;
+ s->s_ez = se >> 14 ;
- /* Compute the signal estimate. */
- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
-
- /* Return to scale */
- s->s_ez >>= 14 ;
- s->s_e >>= 14 ;
+ /* Complete the signal estimate. */
+ se += (int_fast32_t) s->a [0] * s->s_r [0] ;
+ se += (int_fast32_t) s->a [1] * s->s_r [1] ;
+ s->s_e = se >> 14 ;
/* Rotate members to prepare for next iteration. */
s->s_r [1] = s->s_r [0] ;
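Review bot: The accumulator `se` can still overflow where `int_fast32_t` is exactly 32 bits wide, because the loop adds six `short * short` products and the two `se +=` lines after it add two more, each of which can approach 2^30 if the state fields use their full range. Whether the coefficient clamping earlier in `nms_adpcm_update` (outside this hunk) keeps the sum below 2^31 cannot be told from here. Declaring the accumulator as `int_fast64_t se ;` would remove the dependence on platform width. The stores `s->s_ez = se >> 14 ;` and `s->s_e = se >> 14 ;` also narrow to `short` without a range check and right-shift a possibly negative value, so a comment stating the expected range of `se` would help the next reader.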
@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state
static int16_t
nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
{ /* Variable names from ITU G.726 spec */
- int dqx ;
+ int_fast32_t dqx ;
/*
** The ordering of the 12-bit right-shift is a precision loss. It agrees
@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_s
/*
** nms_adpcm_encode_sample()
**
-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
+** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
** using and updating the predictor state.
*/
static uint8_t
nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
{ /* Variable names from ITU G.726 spec */
- int d ;
+ int_fast32_t d ;
uint8_t I ;
/* Down scale the sample from 16 => ~14 bits. */
- sl = (sl * 0x1fdf) / 0x7fff ;
+ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
/* Compute estimate, and delta from actual value */
nms_adpcm_update (s) ;
@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpc
*/
static int16_t
nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
-{ int sl ;
+{ int_fast32_t sl ;
nms_adpcm_update (s) ;
sl = nms_adpcm_reconstruct_sample (s, I) ;
@@ -1091,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf)
else
pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;
- psf->sf.frames = pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+ psf->sf.frames = (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
psf->codec_close = nms_adpcm_close ;
psf->seek = nms_adpcm_seek ;
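Review bot: The `(sf_count_t)` cast widens the multiplication, but `pnms->blocks_total` has already been assigned from the division of `psf->datalength` on the line above it. If that field is an `int` (its declaration is outside this hunk), a large data length taken from the file is truncated before the cast can help, and the frame count is then computed from the truncated value. Doing the division in a wide local and range-checking it before the store would cover this: `sf_count_t blocks = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;` followed by `if (blocks > INT_MAX) return SFE_INTERNAL ;`. The other branch of the `else` and the rest of `nms_adpcm_init` are not visible here, so the same check may be needed there and any cleanup on the error path has to follow what the function already does.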
diff -up libsndfile-1.0.31/src/pcm.c.pullrequest979 libsndfile-1.0.31/src/pcm.c
--- libsndfile-1.0.31/src/pcm.c.pullrequest979 2021-01-23 17:12:45.000000000 +0100
+++ libsndfile-1.0.31/src/pcm.c 2023-11-01 23:24:06.796851043 +0100
@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf)
return SFE_INTERNAL ;
} ;
@ -318,9 +532,9 @@ diff -up libsndfile-1.0.28/src/pcm.c.pullrequest979 libsndfile-1.0.28/src/pcm.c
if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8)
chars = SF_CHARS_SIGNED ;
diff -up libsndfile-1.0.28/src/rf64.c.pullrequest979 libsndfile-1.0.28/src/rf64.c
--- libsndfile-1.0.28/src/rf64.c.pullrequest979 2023-11-01 23:49:50.229622935 +0100
+++ libsndfile-1.0.28/src/rf64.c 2023-11-01 23:49:50.248623129 +0100
diff -up libsndfile-1.0.31/src/rf64.c.pullrequest979 libsndfile-1.0.31/src/rf64.c
--- libsndfile-1.0.31/src/rf64.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/rf64.c 2023-11-01 23:24:06.797851053 +0100
@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
} ;
} ;
@ -330,9 +544,9 @@ diff -up libsndfile-1.0.28/src/rf64.c.pullrequest979 libsndfile-1.0.28/src/rf64.
psf_log_printf (psf, " Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ;
else
psf_log_printf (psf, " Riff size : %D\n", riff_size) ;
diff -up libsndfile-1.0.28/src/sds.c.pullrequest979 libsndfile-1.0.28/src/sds.c
--- libsndfile-1.0.28/src/sds.c.pullrequest979 2017-04-01 09:18:02.000000000 +0200
+++ libsndfile-1.0.28/src/sds.c 2023-11-01 23:49:50.248623129 +0100
diff -up libsndfile-1.0.31/src/sds.c.pullrequest979 libsndfile-1.0.31/src/sds.c
--- libsndfile-1.0.31/src/sds.c.pullrequest979 2020-10-04 12:00:49.000000000 +0200
+++ libsndfile-1.0.31/src/sds.c 2023-11-01 23:24:06.797851053 +0100
@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRI
ucptr = psds->read_data + 5 ;


@ -1,37 +0,0 @@
--- libsndfile-1.0.28/src/rf64.c 2017-04-02 09:43:22.000000000 +0200
+++ libsndfile-1.0.27/src/rf64.c 2016-04-01 23:08:53.000000000 +0200
@@ -735,25 +734,27 @@ rf64_write_header (SF_PRIVATE *psf, int
#endif
- pad_size = psf->dataoffset - 16 - psf->header.indx ;
- if (pad_size >= 0)
- psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ;
+ if (psf->header.indx + 8 < psf->dataoffset)
+ { /* Add PAD data if necessary. */
+ int k = psf->dataoffset - 16 - psf->header.indx ;
+ psf_binheader_writef (psf, "m4z", PAD_MARKER, k, make_size_t (k)) ;
+ } ;
if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES))
psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ;
else
psf_binheader_writef (psf, "m4", data_MARKER, 0xffffffff) ;
- psf_fwrite (psf->header.ptr, psf->header.indx, 1, psf) ;
+ psf_fwrite (psf->header.ptr, psf->header.indx, 1, psf) ;
if (psf->error)
return psf->error ;
- if (has_data && psf->dataoffset != psf->header.indx)
- { psf_log_printf (psf, "Oooops : has_data && psf->dataoffset != psf->header.indx\n") ;
+ if (has_data && psf->dataoffset != psf->header.indx)
+ { psf_log_printf (psf, "Oooops : has_data && psf->dataoffset != psf->header.indx\n") ;
return psf->error = SFE_INTERNAL ;
} ;
- psf->dataoffset = psf->header.indx ;
+ psf->dataoffset = psf->header.indx ;
if (NOT (has_data))
psf_fseek (psf, psf->dataoffset, SEEK_SET) ;


@ -1,36 +1,31 @@
Summary: Library for reading and writing sound files
Name: libsndfile
Version: 1.0.28
Release: 14%{?dist}
Version: 1.0.31
Release: 8%{?dist}
License: LGPLv2+ and GPLv2+ and BSD
Group: System Environment/Libraries
URL: http://www.mega-nerd.com/libsndfile/
Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
URL: http://libsndfile.github.io/libsndfile/
Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
Patch0: libsndfile-1.0.25-system-gsm.patch
Patch1: libsndfile-1.0.25-zerodivfix.patch
Patch2: revert.patch
Patch3: libsndfile-1.0.28-flacbufovfl.patch
Patch4: libsndfile-1.0.29-cve2017_6892.patch
#libsndfile-1.0.29-cve2017_6892.patch
# from upstream, for <= 1.0.28, rhbz#1483140
Patch5: libsndfile-1.0.28-cve2017_12562.patch
Patch6: libsndfile-1.0.28-fixfree.patch
Patch7: libsndfile-1.0.28-vafix.patch
Patch8: libsndfile-1.0.28-CVE_2018_13139.patch
Patch9: libsndfile-1.0.28-cve_2018_19662.patch
# from upstream, for <= 1.0.31, rhbz#1985028
Patch10: libsndfile-1.0.31-deb669ee.patch
Patch11: libsndfile-1.0.31-ced91d7b.patch
# from upstream, fix #RHEL-3750, for <= 1.2.2
Patch12: libsndfile-1.0.31-pullrequest979.patch
# from upstream, for <= 1.0.31, rhbz#1985029
Patch2: libsndfile-1.0.31-deb669ee.patch
# from upstream, fix #2030508, for <= 1.0.31
Patch3: libsndfile-1.0.31-ced91d7b.patch
# from upstream, fix #RHEL-3751, for <= 1.2.2
Patch4: libsndfile-1.0.31-pullrequest979.patch
BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel
BuildRequires: flac-devel
BuildRequires: gcc
BuildRequires: libogg-devel
BuildRequires: libvorbis-devel
BuildRequires: pkgconfig
BuildRequires: sqlite-devel
BuildRequires: gsm-devel
BuildRequires: libtool
BuildRequires: make
BuildRequires: python3
BuildRequires: opus-devel
%description
@ -43,7 +38,6 @@ compiles and runs on *nix, MacOS, and Win32.
%package devel
Summary: Development files for libsndfile
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release} pkgconfig
@ -55,7 +49,6 @@ This package contains files needed to develop with libsndfile.
%package utils
Summary: Command Line Utilities for libsndfile
Group: Applications/Multimedia
Requires: %{name} = %{version}-%{release}
@ -67,20 +60,13 @@ This package contains command line utilities for libsndfile.
%prep
%setup -q
%patch -P 0 -p1 -b .systemgsm
%patch -P 1 -p1 -b .zerodivfix
%patch -P 2 -p1 -b .revert
%patch -P 3 -p1 -b .flacbufovfl
%patch -P 4 -p1 -b .cve2017_6892
%patch -P 5 -p1 -b .cve2017_12562
%patch -P 6 -p1 -b .fixfree
%patch -P 7 -p1 -b .vafix
%patch -P 8 -p1 -b .CVE_2018_13139
%patch -P 9 -p1 -b .cve_2018_19662
%patch -P 10 -p1 -b .deb669ee
%patch -P 11 -p1 -b .ced91d7b
%patch -P 12 -p1 -b .pullrequest979
%patch -P 0 -p1 -b .system-gsm
rm -r src/GSM610
# TODO: check if this patch is still needed
%patch -P 1 -p1 -b .zerodivfix
%patch -P 2 -p1 -b .deb669ee
%patch -P 3 -p1 -b .ced91d7b
%patch -P 4 -p1 -b .pullrequest979
%build
autoreconf -I M4 -fiv # for system-gsm patch
@ -95,11 +81,11 @@ autoreconf -I M4 -fiv # for system-gsm patch
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=$RPM_BUILD_ROOT
%make_install
rm -rf __docs
mkdir __docs
cp -pR $RPM_BUILD_ROOT%{_docdir}/%{name}/* __docs
@ -131,9 +117,7 @@ rm -f %{buildroot}%{_bindir}/sndfile-jackplay
LD_LIBRARY_PATH=$PWD/src/.libs make check
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%ldconfig_scriptlets
%files
@ -152,7 +136,6 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%{_bindir}/sndfile-metadata-get
%{_bindir}/sndfile-metadata-set
%{_bindir}/sndfile-play
%{_bindir}/sndfile-regtest
%{_bindir}/sndfile-salvage
%{_mandir}/man1/sndfile-cmp.1*
%{_mandir}/man1/sndfile-concat.1*
@ -175,27 +158,52 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%changelog
* Wed Nov 01 2023 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-14
- fix integer overflows causing CVE-2022-33065 (#RHEL-3750)
* Wed Nov 01 2023 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-8
- fix integer overflows causing CVE-2022-33065 (#RHEL-3751)
* Fri Oct 14 2022 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-13
- rebuild (#2118285)
* Wed Jan 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-7
- fix heap buffer overflow in flac (#2030508)
* Wed Jan 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-12
- fix heap buffer overflow in flac (#2030507)
* Wed Aug 11 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-6
- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985029)
* Mon Jul 26 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-11
- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985028)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Nov 20 2019 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-10
- fix CVE-2018-19661 and CVE-2018-19662 - buffer over-read in the function
i2alaw_array in alaw (#1673085)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Oct 30 2019 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-9
- fix CVE-2018-13139 - stack-based buffer overflow in sndfile-deinterleave utility (#1598482)
* Mon Feb 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-3
- add opus-devel BR to satisfy configure requirements check (#1931251)
* Mon Oct 15 2018 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-8
- fix coverity scan found issues (#1602592)
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.0.31-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jan 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-1
- updated to 1.0.31
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1.0.28-8
- add gcc buildrequire
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.28-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild