3
5
Fork 0
mirror of git://git.savannah.gnu.org/guix.git synced 2023-12-14 03:33:07 +01:00
guix/gnu/packages/patches/audiofile-Fix-multiply-overflow-sfconvert.patch
Hartmut Goebel a8e149434e
gnu: Add audiofile.
Patches should fix all CVEs reported by `guix lint`:
CVE-2015-7747; CVE-2017-6827, CVE-2017-6828, CVE-2017-6829,
CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833,
CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837,
CVE-2017-6838, CVE-2017-6839; CVE-2018-13440; CVE-2018-17095

Since the patches do not reference to CVEs, it's a bit hard to tell which
patch actually closes which CVE.  Debian reports all these to be closed by
the patches below and NixPkgs provides references.

* gnu/packages/audio.scm (audiofile): New variable.
* gnu/packages/patches/audiofile-fix-datatypes-in-tests.patch,
  gnu/packages/patches/audiofile-fix-sign-conversion.patch,
  gnu/packages/patches/audiofile-CVE-2015-7747.patch,
  gnu/packages/patches/audiofile-CVE-2018-13440.patch,
  gnu/packages/patches/audiofile-CVE-2018-17095.patch,
  gnu/packages/patches/audiofile-Check-the-number-of-coefficients.patch,
  gnu/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch,
  gnu/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch,
  gnu/packages/patches/audiofile-Fix-multiply-overflow-sfconvert.patch,
  gnu/packages/patches/audiofile-Fix-overflow-in-MSADPCM-decodeSam.patch,
  gnu/packages/patches/audiofile-division-by-zero-BlockCodec-runPull.patch,
  gnu/packages/patches/audiofile-hurd.patch,
  gnu/packages/patches/audiofile-signature-of-multiplyCheckOverflow.patch:
  New files.
* gnu/local.mk: Add them.
2019-12-26 16:44:53 +01:00

66 lines
1.9 KiB
Diff

From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 13:54:52 +0100
Subject: Check for multiplication overflow in sfconvert
Checks that a multiplication doesn't overflow when
calculating the buffer size, and if it overflows,
reduce the buffer size instead of failing.
This fixes the 00192-audiofile-signintoverflow-sfconvert case
in #41
---
sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 80a1bc4..970a3e4 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -45,6 +45,33 @@ void printusage (void);
void usageerror (void);
bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+int firstBitSet(int x)
+{
+ int position=0;
+ while (x!=0)
+ {
+ x>>=1;
+ ++position;
+ }
+ return position;
+}
+
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+int multiplyCheckOverflow(int a, int b, int *result)
+{
+#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
+ return __builtin_mul_overflow(a, b, result);
+#else
+ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
+ return true;
+ *result = a * b;
+ return false;
+#endif
+}
+
int main (int argc, char **argv)
{
if (argc == 2)
@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
{
int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
- const int kBufferFrameCount = 65536;
- void *buffer = malloc(kBufferFrameCount * frameSize);
+ int kBufferFrameCount = 65536;
+ int bufferSize;
+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
+ kBufferFrameCount /= 2;
+ void *buffer = malloc(bufferSize);
AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
AFframecount totalFramesWritten = 0;