Package: libsndfile / 1.0.28-6

Metadata

Package: libsndfile
Version: 1.0.28-6
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
CVE 2017 8365.patch

src/common.h | 1 1 + 0 - 0 !
src/flac.c | 13 13 + 0 - 0 !
src/sndfile.c | 1 1 + 0 - 0 !
3 files changed, 15 insertions(+)

 fixing buffer read/write overruns in flac-code

CVE 2017 8363.patch

src/flac.c | 13 4 + 9 - 0 !
1 file changed, 4 insertions(+), 9 deletions(-)

 fixing another memory leak in flac code

CVE 2017 8362.patch

src/flac.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fixed yet another buffer read overflow in flac code

CVE 2017 6892.patch

src/aiff.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix for cve-2017-6892

CVE 2019 3832.patch

src/wav.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix for cve-2019-3832

binheader heapoverflow.patch

src/common.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 fix heap buffer overflows when writing strings in binheader

fix_rf64_arm.patch

src/rf64.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fix rf64 on armel/armhf archs

fix_typos.patch

doc/bugs.html | 2 1 + 1 - 0 !
programs/sndfile-convert.c | 2 1 + 1 - 0 !
src/ogg.c | 2 1 + 1 - 0 !
src/wavlike.c | 2 1 + 1 - 0 !
4 files changed, 4 insertions(+), 4 deletions(-)

 fixed spelling errors

a ulaw fix multiple buffer overflows 432.patch

src/alaw.c | 9 7 + 2 - 0 !
src/ulaw.c | 9 7 + 2 - 0 !
2 files changed, 14 insertions(+), 4 deletions(-)

 a/ulaw: fix multiple buffer overflows (#432)

i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).

double64_init Check psf sf.channels against upper bo.patch

src/double64.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 double64_init: check psf->sf.channels against upper bound

This prevents division by zero later in the code.

While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.

CVE-2017-14634

Closes: https://github.com/erikd/libsndfile/issues/318
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>

src wav.c Fix heap read overflow.patch

src/wav.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 src/wav.c: fix heap read overflow

This is CVE-2018-19758.

Closes: https://github.com/erikd/libsndfile/issues/435

Check MAX_CHANNELS in sndfile deinterleave.patch

programs/sndfile-deinterleave.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 check max_channels in sndfile-deinterleave

Allocated buffer has space for only 16 channels. Verify that input file
meets this limit.

Fixes #397