From 0ff860f45e908250eb516e7e10c90a99cc7e2915 Mon Sep 17 00:00:00 2001
From: Hans de Goede
Date: Tue, 14 Aug 2018 15:42:49 +0200
Subject: [PATCH] Security fix for CVE-2018-1000223 (rhbz#1609193, rhbz#1609194)
---
...-number-of-channel-assertions-with-r.patch | 128 ++++++++++++++++++
...ze-check-for-WAV-header-block-lengh-.patch | 40 ++++++
...File-header-fact-not-too-small-check.patch | 58 ++++++++
...File-header-fact-not-too-small-check.patch | 34 +++++
soundtouch-1.4.0-x86_64-asm-broken.patch | 12 --
soundtouch.spec | 23 ++--
6 files changed, 272 insertions(+), 23 deletions(-)
create mode 100644 0001-Replaced-illegal-number-of-channel-assertions-with-r.patch
create mode 100644 0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch
create mode 100644 0003-Fixed-WavFile-header-fact-not-too-small-check.patch
create mode 100644 0004-Improved-WavFile-header-fact-not-too-small-check.patch
delete mode 100644 soundtouch-1.4.0-x86_64-asm-broken.patch
diff --git a/0001-Replaced-illegal-number-of-channel-assertions-with-r.patch b/0001-Replaced-illegal-number-of-channel-assertions-with-r.patch
new file mode 100644
index 0000000..4ca62eb
--- /dev/null
+++ b/0001-Replaced-illegal-number-of-channel-assertions-with-r.patch
@@ -0,0 +1,128 @@
+From 107f2c5d201a4dfea1b7f15c5957ff2ac9e5f260 Mon Sep 17 00:00:00 2001
+From: oparviainen
+Date: Sun, 12 Aug 2018 20:00:56 +0300
+Subject: [PATCH] Replaced illegal-number-of-channel assertions with run-time
+ exception
+
+---
+ include/FIFOSamplePipe.h | 12 ++++++++++++
+ include/STTypes.h | 3 +++
+ source/SoundTouch/FIFOSampleBuffer.cpp | 3 ++-
+ source/SoundTouch/RateTransposer.cpp | 5 ++---
+ source/SoundTouch/SoundTouch.cpp | 8 ++------
+ source/SoundTouch/TDStretch.cpp | 5 ++---
+ 6 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/include/FIFOSamplePipe.h b/include/FIFOSamplePipe.h
+index 4ec9275..b08f836 100644
+--- a/include/FIFOSamplePipe.h
++++ b/include/FIFOSamplePipe.h
+@@ -51,6 +51,18 @@ namespace soundtouch
+ /// Abstract base class for FIFO (first-in-first-out) sample processing classes.
+ class FIFOSamplePipe
+ {
++protected:
++
++ bool verifyNumberOfChannels(int nChannels) const
++ {
++ if ((nChannels > 0) && (nChannels <= SOUNDTOUCH_MAX_CHANNELS))
++ {
++ return true;
++ }
++ ST_THROW_RT_ERROR("Error: Illegal number of channels");
++ return false;
++ }
++
+ public:
+ // virtual default destructor
+ virtual ~FIFOSamplePipe() {}
+diff --git a/include/STTypes.h b/include/STTypes.h
+index 03e7e07..862505e 100644
+--- a/include/STTypes.h
++++ b/include/STTypes.h
+@@ -56,6 +56,9 @@ typedef unsigned long ulong;
+
+ namespace soundtouch
+ {
++ /// Max allowed number of channels
++ #define SOUNDTOUCH_MAX_CHANNELS 16
++
+ /// Activate these undef's to overrule the possible sampletype
+ /// setting inherited from some other header file:
+ //#undef SOUNDTOUCH_INTEGER_SAMPLES
+diff --git a/source/SoundTouch/FIFOSampleBuffer.cpp b/source/SoundTouch/FIFOSampleBuffer.cpp
+index f0d5e42..706e869 100644
+--- a/source/SoundTouch/FIFOSampleBuffer.cpp
++++ b/source/SoundTouch/FIFOSampleBuffer.cpp
+@@ -73,7 +73,8 @@ void FIFOSampleBuffer::setChannels(int numChannels)
+ {
+ uint usedBytes;
+
+- assert(numChannels > 0);
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ usedBytes = channels * samplesInBuffer;
+ channels = (uint)numChannels;
+ samplesInBuffer = usedBytes / channels;
+diff --git a/source/SoundTouch/RateTransposer.cpp b/source/SoundTouch/RateTransposer.cpp
+index 8b66be3..d115a4c 100644
+--- a/source/SoundTouch/RateTransposer.cpp
++++ b/source/SoundTouch/RateTransposer.cpp
+@@ -179,11 +179,10 @@ void RateTransposer::processSamples(const SAMPLETYPE *src, uint nSamples)
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void RateTransposer::setChannels(int nChannels)
+ {
+- assert(nChannels > 0);
++ if (!verifyNumberOfChannels(nChannels) ||
++ (pTransposer->numChannels == nChannels)) return;
+
+- if (pTransposer->numChannels == nChannels) return;
+ pTransposer->setChannels(nChannels);
+-
+ inputBuffer.setChannels(nChannels);
+ midBuffer.setChannels(nChannels);
+ outputBuffer.setChannels(nChannels);
+diff --git a/source/SoundTouch/SoundTouch.cpp b/source/SoundTouch/SoundTouch.cpp
+index 7b6756b..06bdd56 100644
+--- a/source/SoundTouch/SoundTouch.cpp
++++ b/source/SoundTouch/SoundTouch.cpp
+@@ -139,18 +139,14 @@ uint SoundTouch::getVersionId()
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void SoundTouch::setChannels(uint numChannels)
+ {
+- /*if (numChannels != 1 && numChannels != 2)
+- {
+- //ST_THROW_RT_ERROR("Illegal number of channels");
+- return;
+- }*/
++ if (!verifyNumberOfChannels(numChannels)) return;
++
+ channels = numChannels;
+ pRateTransposer->setChannels((int)numChannels);
+ pTDStretch->setChannels((int)numChannels);
+ }
+
+
+-
+ // Sets new rate control value. Normal rate = 1.0, smaller values
+ // represent slower rate, larger faster rates.
+ void SoundTouch::setRate(double newRate)
+diff --git a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp
+index 149cdb9..be2dc88 100644
+--- a/source/SoundTouch/TDStretch.cpp
++++ b/source/SoundTouch/TDStretch.cpp
+@@ -588,9 +588,8 @@ void TDStretch::setTempo(double newTempo)
+ // Sets the number of channels, 1 = mono, 2 = stereo
+ void TDStretch::setChannels(int numChannels)
+ {
+- assert(numChannels > 0);
+- if (channels == numChannels) return;
+-// assert(numChannels == 1 || numChannels == 2);
++ if (!verifyNumberOfChannels(numChannels) ||
++ (channels == numChannels)) return;
+
+ channels = numChannels;
+ inputBuffer.setChannels(channels);
+--
+2.18.0
+
diff --git a/0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch b/0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch
new file mode 100644
index 0000000..ea69438
--- /dev/null
+++ b/0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch
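Review bot: The new `verifyNumberOfChannels` helper in FIFOSamplePipe.h only stops a bad channel count loudly when `ST_THROW_RT_ERROR` really throws; the `return false;` after it suggests a non-throwing build is anticipated, and in that case all four `setChannels` bodies touched here (FIFOSampleBuffer, RateTransposer, SoundTouch, TDStretch) return early and keep the previous channel count with no signal to the caller. Because those setters are `void`, the contract should be written down on the helper, for example `/// Returns true if 0 < nChannels <= SOUNDTOUCH_MAX_CHANNELS; otherwise raises ST_THROW_RT_ERROR and returns false, and the caller must leave its state unchanged.` In `SoundTouch::setChannels(uint numChannels)` the argument is passed to an `int` parameter without the `(int)` cast used two lines later, so rejecting values above INT_MAX depends on the implicit conversion turning negative; an explicit cast or an unsigned comparison would make that intent visible. The `setChannels` bodies continue outside the quoted hunks.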
@@ -0,0 +1,40 @@
+From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001
+From: oparviainen
+Date: Sun, 12 Aug 2018 20:24:37 +0300
+Subject: [PATCH] Added minimum size check for WAV header block lengh values
+
+---
+ source/SoundStretch/WavFile.cpp | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 7e7ade2..68818c9 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock()
+ // read length of the format field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int format_len;
++ _swap32(nLen);
++
++ // verify that header length isn't smaller than expected
++ if (nLen < sizeof(header.format) - 8) return -1;
++
+ header.format.format_len = nLen;
+
+ // calculate how much length differs from expected
+@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock()
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+ _swap32(nLen); // int fact_len;
++
++ // verify that fact length isn't smaller than expected
++ if (nLen < sizeof(header.fact) - 8) return -1;
++
+ header.fact.fact_len = nLen;
+
+ // calculate how much length differs from expected
+--
+2.18.0
+
diff --git a/0003-Fixed-WavFile-header-fact-not-too-small-check.patch b/0003-Fixed-WavFile-header-fact-not-too-small-check.patch
new file mode 100644
index 0000000..4f4d60f
--- /dev/null
+++ b/0003-Fixed-WavFile-header-fact-not-too-small-check.patch
@@ -0,0 +1,58 @@
+From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001
+From: oparviainen
+Date: Mon, 13 Aug 2018 19:16:16 +0300
+Subject: [PATCH 3/4] Fixed WavFile header/fact not-too-small check
+
+---
+ source/SoundStretch/WavFile.cpp | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 4af7a4c..3421bca 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock()
+ // swap byte order if necessary
+ _swap32(nLen);
+
+- // verify that header length isn't smaller than expected
+- if (nLen < sizeof(header.format) - 8) return -1;
++ // calculate how much length differs from expected
++ nDump = nLen - ((int)sizeof(header.format) - 8);
+
+- header.format.format_len = nLen;
++ // verify that header length isn't smaller than expected structure
++ if (nDump < 0) return -1;
+
+- // calculate how much length differs from expected
+- nDump = nLen - ((int)sizeof(header.format) - 8);
++ header.format.format_len = nLen;
+
+ // if format_len is larger than expected, read only as much data as we've space for
+ if (nDump > 0)
+@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock()
+ // read length of the fact field
+ if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
+ // swap byte order if necessary
+- _swap32(nLen); // int fact_len;
+-
+- // verify that fact length isn't smaller than expected
+- if (nLen < sizeof(header.fact) - 8) return -1;
+-
+- header.fact.fact_len = nLen;
++ _swap32(nLen);
+
+ // calculate how much length differs from expected
+ nDump = nLen - ((int)sizeof(header.fact) - 8);
+
++ // verify that fact length isn't smaller than expected structure
++ if (nDump < 0) return -1;
++
++ header.fact.fact_len = nLen;
++
+ // if format_len is larger than expected, read only as much data as we've space for
+ if (nDump > 0)
+ {
+--
+2.18.0
+
diff --git a/0004-Improved-WavFile-header-fact-not-too-small-check.patch b/0004-Improved-WavFile-header-fact-not-too-small-check.patch
new file mode 100644
index 0000000..23ece2c
--- /dev/null
+++ b/0004-Improved-WavFile-header-fact-not-too-small-check.patch
@@ -0,0 +1,34 @@
+From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001
+From: olli
+Date: Mon, 13 Aug 2018 19:42:58 +0300
+Subject: [PATCH 4/4] Improved WavFile header/fact not-too-small check
+
+---
+ source/SoundStretch/WavFile.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp
+index 3421bca..9d90b8a 100644
+--- a/source/SoundStretch/WavFile.cpp
++++ b/source/SoundStretch/WavFile.cpp
+@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock()
+ nDump = nLen - ((int)sizeof(header.format) - 8);
+
+ // verify that header length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.format.format_len = nLen;
+
+@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock()
+ nDump = nLen - ((int)sizeof(header.fact) - 8);
+
+ // verify that fact length isn't smaller than expected structure
+- if (nDump < 0) return -1;
++ if ((nLen < 0) || (nDump < 0)) return -1;
+
+ header.fact.fact_len = nLen;
+
+--
+2.18.0
+
diff --git a/soundtouch-1.4.0-x86_64-asm-broken.patch b/soundtouch-1.4.0-x86_64-asm-broken.patch
deleted file mode 100644
index 4c777d6..0000000
--- a/soundtouch-1.4.0-x86_64-asm-broken.patch
+++ /dev/null
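Review bot: In both WavFile.cpp hunks of patch 0004 the subtraction `nDump = nLen - ((int)sizeof(header.format) - 8);` still executes before the added `nLen < 0` test, so a file-supplied `nLen` close to INT_MIN overflows a signed int (undefined behaviour) before the value is rejected. Testing the raw length first removes the dependence on how the compiler treats that overflow: `if (nLen < (int)sizeof(header.format) - 8) return -1;` placed ahead of the `nDump` assignment, and likewise with `header.fact` in the second hunk. No upper bound on `nLen` is visible in these hunks; the `nDump > 0` handling lies outside them in `readHeaderBlock`, so it should be confirmed that an oversized length cannot drive a read or seek beyond what the file actually contains.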
@@ -1,12 +0,0 @@ -diff -up soundtouch/include/STTypes.h~ soundtouch/include/STTypes.h ---- soundtouch/include/STTypes.h~ 2009-01-25 17:32:53.000000000 +0100 -+++ soundtouch/include/STTypes.h 2009-02-14 22:22:37.000000000 +0100 -@@ -87,7 +87,7 @@ namespace soundtouch - - #endif - -- #if (WIN32 || __i386__ || __x86_64__) -+ #if (WIN32 || __i386__) - /// Define this to allow X86-specific assembler/intrinsic optimizations. - /// Notice that library contains also usual C++ versions of each of these - /// these routines, so if you're having difficulties getting the optimized diff --git a/soundtouch.spec b/soundtouch.spec index 4b73ab4..40d4d59 100644 --- a/soundtouch.spec +++ b/soundtouch.spec @@ -1,13 +1,16 @@ Name: soundtouch Version: 2.0.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Audio Processing library for changing Tempo, Pitch and Playback Rates License: LGPLv2+ Group: System Environment/Libraries URL: http://www.surina.net/soundtouch/ Source0: http://www.surina.net/soundtouch/%{name}-%{version}.tar.gz -Patch0: soundtouch-1.4.0-x86_64-asm-broken.patch -Patch1: cve-2017-92xx.patch +Patch0: cve-2017-92xx.patch +Patch1: 0001-Replaced-illegal-number-of-channel-assertions-with-r.patch +Patch2: 0002-Added-minimum-size-check-for-WAV-header-block-lengh-.patch +Patch3: 0003-Fixed-WavFile-header-fact-not-too-small-check.patch +Patch4: 0004-Improved-WavFile-header-fact-not-too-small-check.patch BuildRequires: gcc-c++ BuildRequires: autoconf automake libtool 
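Review bot: The four files added as Patch1 to Patch4 carry no provenance in the spec, and their own headers show they do not form one contiguous series: 0002 leaves WavFile.cpp at blob `68818c9` while 0003 starts from `4af7a4c`, and the same check sits at line 530 in 0002 but at line 518 in 0003. At least one of them was therefore generated against a different tree, so they presumably apply to the 2.0.0 tarball only with line offsets. A comment above `Patch1:` such as `# Backported from upstream for CVE-2018-1000223: <upstream commit ids>` would let a later auditor compare the patched `readHeaderBlock` against upstream's result. The same hunk also renumbers the existing cve-2017-92xx.patch to Patch0, which is harmless under `%autosetup` but worth a word in the changelog since the entry mentions only the CVE fix.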
@@ -34,15 +37,11 @@ Libraries, include files, etc you can use to develop soundtouch applications. %prep -%setup -q -n %{name} +%autosetup -p1 -n %{name} # Remove -O3 because we have our default optimizations. sed -i 's|-O3||' source/SoundTouch/Makefile.* sed -i 's|-O3||' source/SoundStretch/Makefile.* autoreconf -iv -#why not in x86_64 !? -#patch0 -p1 -%patch1 -p1 - # set correct version for .so build %define ltversion %(echo %{version} | tr '.' ':') sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \ @@ -60,7 +59,7 @@ make V=1 %{?_smp_mflags} %install -make install DESTDIR=%{buildroot} +%make_install rm %{buildroot}%{_libdir}/*.la # remove redundant installed docs @@ -78,9 +77,8 @@ ln -s soundtouch.pc %{buildroot}%{_libdir}/pkgconfig/soundtouch-1.0.pc #echo '#define FLOAT_SAMPLES 1' \ # > %{buildroot}%{_includedir}/soundtouch/soundtouch_config.h -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %files @@ -97,6 +95,9 @@ ln -s soundtouch.pc %{buildroot}%{_libdir}/pkgconfig/soundtouch-1.0.pc %changelog +* Tue Aug 14 2018 Hans de Goede - 2.0.0-5 +- Security fix for CVE-2018-1000223 (rhbz#1609193, rhbz#1609194) + * Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild