Security fix for CVE-2018-1000223 (rhbz#1609193, rhbz#1609194)

Hans de Goede 2018-08-14 15:42:49 +02:00
parent 126f56cedd
commit 0ff860f45e
6 changed files with 272 additions and 23 deletions


@ -0,0 +1,128 @@
From 107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Sun, 12 Aug 2018 20:00:56 +0300
Subject: [PATCH] Replaced illegal-number-of-channel assertions with run-time
exception
---
include/FIFOSamplePipe.h | 12 ++++++++++++
include/STTypes.h | 3 +++
source/SoundTouch/FIFOSampleBuffer.cpp | 3 ++-
source/SoundTouch/RateTransposer.cpp | 5 ++---
source/SoundTouch/SoundTouch.cpp | 8 ++------
source/SoundTouch/TDStretch.cpp | 5 ++---
6 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/include/FIFOSamplePipe.h b/include/FIFOSamplePipe.h
index 4ec9275..b08f836 100644
--- a/include/FIFOSamplePipe.h
+++ b/include/FIFOSamplePipe.h
@@ -51,6 +51,18 @@ namespace soundtouch
/// Abstract base class for FIFO (first-in-first-out) sample processing classes.
class FIFOSamplePipe
{
+protected:
+
+ bool verifyNumberOfChannels(int nChannels) const
+ {
+ if ((nChannels > 0) && (nChannels <= SOUNDTOUCH_MAX_CHANNELS))
+ {
+ return true;
+ }
+ ST_THROW_RT_ERROR("Error: Illegal number of channels");
+ return false;
+ }
+
public:
// virtual default destructor
virtual ~FIFOSamplePipe() {}
diff --git a/include/STTypes.h b/include/STTypes.h
index 03e7e07..862505e 100644
--- a/include/STTypes.h
+++ b/include/STTypes.h
@@ -56,6 +56,9 @@ typedef unsigned long ulong;
namespace soundtouch
{
+ /// Max allowed number of channels
+ #define SOUNDTOUCH_MAX_CHANNELS 16
+
/// Activate these undef's to overrule the possible sampletype
/// setting inherited from some other header file:
//#undef SOUNDTOUCH_INTEGER_SAMPLES
diff --git a/source/SoundTouch/FIFOSampleBuffer.cpp b/source/SoundTouch/FIFOSampleBuffer.cpp
index f0d5e42..706e869 100644
--- a/source/SoundTouch/FIFOSampleBuffer.cpp
+++ b/source/SoundTouch/FIFOSampleBuffer.cpp
@@ -73,7 +73,8 @@ void FIFOSampleBuffer::setChannels(int numChannels)
{
uint usedBytes;
- assert(numChannels > 0);
+ if (!verifyNumberOfChannels(numChannels)) return;
+
usedBytes = channels * samplesInBuffer;
channels = (uint)numChannels;
samplesInBuffer = usedBytes / channels;
diff --git a/source/SoundTouch/RateTransposer.cpp b/source/SoundTouch/RateTransposer.cpp
index 8b66be3..d115a4c 100644
--- a/source/SoundTouch/RateTransposer.cpp
+++ b/source/SoundTouch/RateTransposer.cpp
@@ -179,11 +179,10 @@ void RateTransposer::processSamples(const SAMPLETYPE *src, uint nSamples)
// Sets the number of channels, 1 = mono, 2 = stereo
void RateTransposer::setChannels(int nChannels)
{
- assert(nChannels > 0);
+ if (!verifyNumberOfChannels(nChannels) ||
+ (pTransposer->numChannels == nChannels)) return;
- if (pTransposer->numChannels == nChannels) return;
pTransposer->setChannels(nChannels);
-
inputBuffer.setChannels(nChannels);
midBuffer.setChannels(nChannels);
outputBuffer.setChannels(nChannels);
diff --git a/source/SoundTouch/SoundTouch.cpp b/source/SoundTouch/SoundTouch.cpp
index 7b6756b..06bdd56 100644
--- a/source/SoundTouch/SoundTouch.cpp
+++ b/source/SoundTouch/SoundTouch.cpp
@@ -139,18 +139,14 @@ uint SoundTouch::getVersionId()
// Sets the number of channels, 1 = mono, 2 = stereo
void SoundTouch::setChannels(uint numChannels)
{
- /*if (numChannels != 1 && numChannels != 2)
- {
- //ST_THROW_RT_ERROR("Illegal number of channels");
- return;
- }*/
+ if (!verifyNumberOfChannels(numChannels)) return;
+
channels = numChannels;
pRateTransposer->setChannels((int)numChannels);
pTDStretch->setChannels((int)numChannels);
}
-
// Sets new rate control value. Normal rate = 1.0, smaller values
// represent slower rate, larger faster rates.
void SoundTouch::setRate(double newRate)
diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp
index 149cdb9..be2dc88 100644
--- a/source/SoundTouch/TDStretch.cpp
+++ b/source/SoundTouch/TDStretch.cpp
@@ -588,9 +588,8 @@ void TDStretch::setTempo(double newTempo)
// Sets the number of channels, 1 = mono, 2 = stereo
void TDStretch::setChannels(int numChannels)
{
- assert(numChannels > 0);
- if (channels == numChannels) return;
-// assert(numChannels == 1 || numChannels == 2);
+ if (!verifyNumberOfChannels(numChannels) ||
+ (channels == numChannels)) return;
channels = numChannels;
inputBuffer.setChannels(channels);
--
2.18.0
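Review bot: In `verifyNumberOfChannels` (include/FIFOSamplePipe.h) the rejection path relies on `ST_THROW_RT_ERROR`, whose definition is outside this patch. If a build configures that macro not to throw, the helper returns false and every patched `setChannels` simply returns, keeping the previous channel count with no signal to the caller. A caller that goes on to feed interleaved samples for the rejected count would then be processed with the old layout, so the contract should be stated on the helper, e.g. `/// Throws via ST_THROW_RT_ERROR unless 0 < nChannels <= SOUNDTOUCH_MAX_CHANNELS; returns false only when that macro does not throw.` Consumers that previously saw only an `assert` now have to expect an exception out of `setChannels`. `SoundTouch::setChannels` also passes its `uint` argument into the `int` parameter; an explicit bound test before the conversion, `if (numChannels > SOUNDTOUCH_MAX_CHANNELS)`, would make the rejection of very large values independent of the conversion result.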


@ -0,0 +1,40 @@
From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Sun, 12 Aug 2018 20:24:37 +0300
Subject: [PATCH] Added minimum size check for WAV header block lengh values
---
source/SoundStretch/WavFile.cpp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 7e7ade2..68818c9 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
// read length of the format field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int format_len;
+ _swap32(nLen);
+
+ // verify that header length isn't smaller than expected
+ if (nLen < sizeof(header.format) - 8) return -1;
+
header.format.format_len = nLen;
// calculate how much length differs from expected
@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
_swap32(nLen); // int fact_len;
+
+ // verify that fact length isn't smaller than expected
+ if (nLen < sizeof(header.fact) - 8) return -1;
+
header.fact.fact_len = nLen;
// calculate how much length differs from expected
--
2.18.0


@ -0,0 +1,58 @@
From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
From: oparviainen <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:16:16 +0300
Subject: [PATCH 3/4] Fixed WavFile header/fact not-too-small check
---
source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 4af7a4c..3421bca 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
// swap byte order if necessary
_swap32(nLen);
- // verify that header length isn't smaller than expected
- if (nLen < sizeof(header.format) - 8) return -1;
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.format) - 8);
- header.format.format_len = nLen;
+ // verify that header length isn't smaller than expected structure
+ if (nDump < 0) return -1;
- // calculate how much length differs from expected
- nDump = nLen - ((int)sizeof(header.format) - 8);
+ header.format.format_len = nLen;
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
// read length of the fact field
if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
// swap byte order if necessary
- _swap32(nLen); // int fact_len;
-
- // verify that fact length isn't smaller than expected
- if (nLen < sizeof(header.fact) - 8) return -1;
-
- header.fact.fact_len = nLen;
+ _swap32(nLen);
// calculate how much length differs from expected
nDump = nLen - ((int)sizeof(header.fact) - 8);
+ // verify that fact length isn't smaller than expected structure
+ if (nDump < 0) return -1;
+
+ header.fact.fact_len = nLen;
+
// if format_len is larger than expected, read only as much data as we've space for
if (nDump > 0)
{
--
2.18.0


@ -0,0 +1,34 @@
From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
From: olli <oparviai@iki.fi>
Date: Mon, 13 Aug 2018 19:42:58 +0300
Subject: [PATCH 4/4] Improved WavFile header/fact not-too-small check
---
source/SoundStretch/WavFile.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
index 3421bca..9d90b8a 100644
--- a/source/SoundStretch/WavFile.cpp
+++ b/source/SoundStretch/WavFile.cpp
@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
nDump = nLen - ((int)sizeof(header.format) - 8);
// verify that header length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
header.format.format_len = nLen;
@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
nDump = nLen - ((int)sizeof(header.fact) - 8);
// verify that fact length isn't smaller than expected structure
- if (nDump < 0) return -1;
+ if ((nLen < 0) || (nDump < 0)) return -1;
header.fact.fact_len = nLen;
--
2.18.0
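Review bot: In both hunks of `WavInFile::readHeaderBlock` the added `nLen < 0` test runs only after `nDump = nLen - ((int)sizeof(header.format) - 8);` has been evaluated. `nLen` comes straight from the file and appears to be an `int` (it is read with `sizeof(int)`), so a value near INT_MIN makes that subtraction overflow a signed integer, which is undefined behaviour, before the value is rejected. Putting the sign check ahead of the subtraction removes the dependency on wrap-around: `if (nLen < 0) return -1;` immediately before the `nDump = ...` line, with `if (nDump < 0) return -1;` left where it is. The same reordering applies to the fact-chunk hunk at -567. The function body begins and ends outside these hunks, so whether an upper bound on `nLen` is enforced further down cannot be confirmed from here.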


@ -1,12 +0,0 @@
diff -up soundtouch/include/STTypes.h~ soundtouch/include/STTypes.h
--- soundtouch/include/STTypes.h~ 2009-01-25 17:32:53.000000000 +0100
+++ soundtouch/include/STTypes.h 2009-02-14 22:22:37.000000000 +0100
@@ -87,7 +87,7 @@ namespace soundtouch
#endif
- #if (WIN32 || __i386__ || __x86_64__)
+ #if (WIN32 || __i386__)
/// Define this to allow X86-specific assembler/intrinsic optimizations.
/// Notice that library contains also usual C++ versions of each of these
/// these routines, so if you're having difficulties getting the optimized


@ -1,13 +1,16 @@
Name: soundtouch
Version: 2.0.0
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Audio Processing library for changing Tempo, Pitch and Playback Rates
License: LGPLv2+
Group: System Environment/Libraries
URL: http://www.surina.net/soundtouch/
Source0: http://www.surina.net/soundtouch/%{name}-%{version}.tar.gz
Patch0: soundtouch-1.4.0-x86_64-asm-broken.patch
Patch1: cve-2017-92xx.patch
Patch0: cve-2017-92xx.patch
Patch1: 0001-Replaced-illegal-number-of-channel-assertions-with-r.patch
Patch2: 0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch
Patch3: 0003-Fixed-WavFile-header-fact-not-too-small-check.patch
Patch4: 0004-Improved-WavFile-header-fact-not-too-small-check.patch
BuildRequires: gcc-c++
BuildRequires: autoconf automake libtool
@ -34,15 +37,11 @@ Libraries, include files, etc you can use to develop soundtouch applications.
%prep
%setup -q -n %{name}
%autosetup -p1 -n %{name}
# Remove -O3 because we have our default optimizations.
sed -i 's|-O3||' source/SoundTouch/Makefile.*
sed -i 's|-O3||' source/SoundStretch/Makefile.*
autoreconf -iv
#why not in x86_64 !?
#patch0 -p1
%patch1 -p1
# set correct version for .so build
%define ltversion %(echo %{version} | tr '.' ':')
sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \
@ -60,7 +59,7 @@ make V=1 %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
%make_install
rm %{buildroot}%{_libdir}/*.la
# remove redundant installed docs
@ -78,9 +77,8 @@ ln -s soundtouch.pc %{buildroot}%{_libdir}/pkgconfig/soundtouch-1.0.pc
#echo '#define FLOAT_SAMPLES 1' \
# > %{buildroot}%{_includedir}/soundtouch/soundtouch_config.h
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%ldconfig_scriptlets
%files
@ -97,6 +95,9 @@ ln -s soundtouch.pc %{buildroot}%{_libdir}/pkgconfig/soundtouch-1.0.pc
%changelog
* Tue Aug 14 2018 Hans de Goede <hdegoede@redhat.com> - 2.0.0-5
- Security fix for CVE-2018-1000223 (rhbz#1609193, rhbz#1609194)
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild