Hugo Lefeuvre [Mon, 24 Dec 2018 05:43:48 +0000 (06:43 +0100)]
a/ulaw: fix multiple buffer overflows (#432)
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.
In this case round - INT_MIN to INT_MAX and proceed as usual.
f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.
In this case, arbitrarily set the buffer value to 0.
This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).
Change-Id: Iffa8edfd10cd51514374bbe4b236dfc8509e1222
Erik de Castro Lopo [Wed, 12 Apr 2017 10:19:34 +0000 (20:19 +1000)]
src/flac.c: Fix another memory leak
When the FLAC decoder was passed a malformed file, the associated
`FLAC__StreamDecoder` object was not getting released.
Change-Id: I81216cb4ea9c69e79f8dcedc0ad2b81c6e0a2d7d
Closes: https://github.com/erikd/libsndfile/issues/233
Erik de Castro Lopo [Wed, 12 Apr 2017 09:45:30 +0000 (19:45 +1000)]
FLAC: Fix a buffer read overrun
Buffer read overrun occurs when reading a FLAC file that switches
from 2 channels to one channel mid-stream. Only option is to
abort the read.
Change-Id: I56004d7e40f9d9a2ab8b4119e420d663e0e8326a
Closes: https://github.com/erikd/libsndfile/issues/230
Erik de Castro Lopo [Wed, 12 Apr 2017 09:10:40 +0000 (19:10 +1000)]
src/flac.c: Fix a memory leak
The pflac->rbuffer pointer array was being allocated in two
places, but only one of them (the one that was kept) was checking
to ensure the pointers were NULL before allocation.
Leak was found by fuzzing the sndfile-resample binary compiled
with ASAN.
Change-Id: Ie5bafb97aeefc38afbb13f3ac668ccbc34da986c
Youngjae Shin [Thu, 18 Jan 2018 07:05:19 +0000 (16:05 +0900)]
disable %check section
Change-Id: Ia9cf61d9fe11b794ce9bc1d3917c06aa37916faa
Seungbae Shin [Mon, 18 Dec 2017 04:58:59 +0000 (13:58 +0900)]
Merge branch 'tizen_4.0' into tizen
Change-Id: I82a768890c15e9bc304f7ce915ce84ff6b01a933
Erik de Castro Lopo [Sun, 16 Jul 2017 01:58:17 +0000 (11:58 +1000)]
src/*.c: New format specifiers for psf_binheader_writef
There was a long standing problem where the compiler was not able to
check format specifiers for `psf_binheader_writef`. This is a standard
problem with using non-standard format specifiers with stdargs.
This solution wraps all non-format parameters passed to that function
with a macro which performs an explicit type cast. The second step is
to have a Python program make sure these macro wrappers match the
format specifiers.
Change-Id: I8bc65d9671c98d11f87e07979372877f4e9ff048
Closes: https://github.com/erikd/libsndfile/issues/241
Jörn Heusipp [Wed, 14 Jun 2017 10:25:40 +0000 (12:25 +0200)]
src/common.c: Fix heap buffer overflows when writing strings in binheader
Fixes the following problems:
1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
big switch statement by an amount (16 bytes) which is enough for all cases
where only a single value gets added. Cases 's', 'S', 'p' however
additionally write an arbitrary length block of data and again enlarge the
buffer to the required amount. However, the required space calculation does
not take into account the size of the length field which gets output before
the data.
3. Buffer size requirement calculation in case 'S' does not account for the
padding byte ("size += (size & 1) ;" happens after the calculation which
uses "size").
4. Case 'S' can overrun the header buffer by 1 byte when no padding is
involved
("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
the buffer is only guaranteed to have "size" space available).
5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
beyond the space which is guaranteed to be allocated in the header buffer.
6. Case 's' can overrun the provided source string by 1 byte if padding is
involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
plus optionally another 1 which is padding and not guaranteed to be
readable via the source string pointer)).
Change-Id: I3decd7a80a46b927b3cd2c975826b888ab5175e9
Closes: https://github.com/erikd/libsndfile/issues/292
Erik de Castro Lopo [Sat, 20 May 2017 09:56:42 +0000 (19:56 +1000)]
src/sd2.c: Fix a psf_binheader_writef usage bug
Unfortunately this bug cannot be found by the compiler and the tests
didn't find it either. It was found during work to improve the type
safety of calls to psf_binheader_writef.
Change-Id: I3621cfd4c564cc00401ca8303c76fe40b451f1c3
Erik de Castro Lopo [Tue, 18 Apr 2017 10:07:03 +0000 (20:07 +1000)]
RF64 tweaks
* Comments.
* Improve the `rf64_long_file_downgrade_test` test.
Change-Id: I53f2562db1bd450b8e449aa7a6a87e9febfeaaad
Erik de Castro Lopo [Sun, 16 Apr 2017 00:44:28 +0000 (10:44 +1000)]
RF64: Fix an RF64_AUTO_DOWNGRADE bug
Also add a test for this. The test is disabled by default because it
needs to write a 4 Gig file.
Change-Id: If9a18f4f6147e08cfa6f7f35ff66131434f0db20
Closes: https://github.com/erikd/libsndfile/issues/238
Erik de Castro Lopo [Sun, 16 Apr 2017 07:54:17 +0000 (17:54 +1000)]
src/rf64.c: Fix varargs related bug
C's <stdarg.h> functionality isn't type checked so that passing an
`sf_count_t` (64 bits) by mistake in place of a `uint32_t` can cause
errors. This would be fine if it was an error on every architecture
and platform, but it's not. This particular problem only manifested
on armhf and some other Arm architectures. It was not an issue on
32 bit x86.
I have now fixed variants of this same bug several times.
Change-Id: Ie0024ce14affeb6034071aa80c339da915f8b7e1
Closes: https://github.com/erikd/libsndfile/issues/229
Fabian Greffrath [Thu, 28 Sep 2017 10:15:04 +0000 (12:15 +0200)]
double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634
Change-Id: Ifee1ff6c9af452f38725f4b599eae4ac069b93b5
Closes: https://github.com/erikd/libsndfile/issues/318
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
Seungbae Shin [Mon, 26 Jun 2017 08:49:36 +0000 (17:49 +0900)]
Disable unused GSM610 / G72X
Change-Id: Ic625333d83c9f226da66d807b314e76670459519
Seungbae Shin [Wed, 22 Jun 2016 06:08:50 +0000 (15:08 +0900)]
Disable unused ALAC(Apple Lossless Audio Codec) / CAF(Core Audio Format)
Change-Id: Iad288d072e30572f79fef1c6b3d86b602238a54a
Erik de Castro Lopo [Tue, 23 May 2017 10:15:24 +0000 (20:15 +1000)]
src/aiff.c: Fix a buffer read overflow
Secunia Advisory SA76717.
Found by: Laurent Delosieres, Secunia Research at Flexera Software
https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
Change-Id: I3faddf7f078acf539f58b65ba593e4f8ecfdb13d
Seungbae Shin [Wed, 16 Mar 2016 13:09:47 +0000 (22:09 +0900)]
Apply Tizen patches
1. Remove FLAC dependency
2. use dlopen for vorbis encoder to load so when actually needed, this will reduce runtime memory consumption
Change-Id: Id3c81f7e65c2fcd6784970b817d81f50eb0ca2d6
Seungbae Shin [Thu, 15 Jun 2017 08:28:03 +0000 (17:28 +0900)]
Fix build error
1. Add python to BuildRequire
2. Add autogen generated test files
Change-Id: I6ae51fbdd9064bc16ff247d2fd4c21fe47a1b742
Seungbae Shin [Thu, 15 Jun 2017 08:04:44 +0000 (17:04 +0900)]
Sync with upstream
Change-Id: I14d5d1e0538483b3d6bff9d3ce35adca1348e78f
Seungbae Shin [Fri, 16 Jun 2017 06:51:04 +0000 (15:51 +0900)]
Merge branch 'upstream' into tizen
Change-Id: I0adafdc190adb3e5f56887d1f83967eb2efd36b9
Seungbae Shin [Thu, 15 Jun 2017 03:30:39 +0000 (12:30 +0900)]
Imported Upstream version 1.0.28
Change-Id: Id92ab7f7f5dc6513db5650da4eda1e4f392bc54f
Seungbae Shin [Wed, 31 May 2017 13:28:19 +0000 (22:28 +0900)]
Fix CVE defect
- Related CVE defects
https://nvd.nist.gov/vuln/detail/CVE-2017-7586
- Fixed by applying following upstream patch.
https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236
Change-Id: I5d95a79e6d6353fd57d9953d1824a1fa9545a492
Seungbae Shin [Wed, 31 May 2017 12:13:46 +0000 (21:13 +0900)]
Fix CVE defects
- Related CVE defects
https://nvd.nist.gov/vuln/detail/CVE-2017-7585
https://nvd.nist.gov/vuln/detail/CVE-2017-7741
https://nvd.nist.gov/vuln/detail/CVE-2017-7742
- Fixed by applying following upstream patch.
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
Change-Id: I44d9943eafb9885fb255adc632028aac3a00bf43
Jeongho Mok [Wed, 22 Mar 2017 07:55:18 +0000 (16:55 +0900)]
Use license macro in spec
Change-Id: Ie4070a4133383bc52bc748ae28ccf2a36ce40fa5
Seungbae Shin [Fri, 12 Aug 2016 12:46:52 +0000 (21:46 +0900)]
Fix a seek regression in 1.0.26.
https://github.com/erikd/libsndfile/commit/f29c0dc2091febb2df6198c38b1664c30c3ea77d
Change-Id: I3db5517f49ac93d1390838625805b76532781ae5
Seungbae Shin [Mon, 2 May 2016 08:32:17 +0000 (17:32 +0900)]
use dlopen for vorbis encoder to load so when actually needed, this will reduce runtime memory consumption
Change-Id: I7b3b6b82cafde364b752812523221ce430ae0526
Seungbae Shin [Fri, 29 Apr 2016 09:38:05 +0000 (18:38 +0900)]
Disable vorbis encoder
Change-Id: Ib6c62b16525c929d1329b9dbe447c420a56ef86b
Seungbae Shin [Wed, 16 Mar 2016 13:09:47 +0000 (22:09 +0900)]
Remove FLAC dependency
Change-Id: Id867eefde74690c28f350983cc870d44d28cd36e
Seungbae Shin [Wed, 16 Mar 2016 12:46:30 +0000 (21:46 +0900)]
sync with upstream
Change-Id: I4bf9c5dc1f6ffc8de6bd35ba8c3c936d8079c744
Seungbae Shin [Fri, 18 Mar 2016 02:52:57 +0000 (11:52 +0900)]
Merge remote-tracking branch 'remotes/origin/upstream' into tizen
Change-Id: I258d58f7d02f8d0c9da99204a82e283d234406ec
Seungbae Shin [Wed, 16 Mar 2016 11:18:18 +0000 (20:18 +0900)]
Imported Upstream version 1.0.26
Change-Id: I94b0a35e0ffccabf1b50b62e8f0223e4b617e6f3
Seungbae Shin [Thu, 16 Jul 2015 08:33:11 +0000 (17:33 +0900)]
Enable ogg with flac disable
Change-Id: Ic80c209ea2396952fd175c44568a5fc78bfb2b73
Alexandru Cornea [Mon, 1 Jul 2013 16:19:49 +0000 (19:19 +0300)]
resetting manifest requested domain to floor
Anas Nashif [Tue, 19 Mar 2013 02:28:01 +0000 (19:28 -0700)]
Fixed package groups
Anas Nashif [Wed, 7 Nov 2012 23:52:50 +0000 (15:52 -0800)]
remove patches
Anas Nashif [Wed, 7 Nov 2012 23:52:03 +0000 (15:52 -0800)]
ocloexec
Anas Nashif [Wed, 7 Nov 2012 23:51:40 +0000 (15:51 -0800)]
paf zero division
Anas Nashif [Wed, 7 Nov 2012 23:51:10 +0000 (15:51 -0800)]
example fix
Anas Nashif [Wed, 7 Nov 2012 23:49:46 +0000 (15:49 -0800)]
Imported Upstream version 1.0.25
Anas Nashif [Wed, 7 Nov 2012 23:49:46 +0000 (15:49 -0800)]
add packaging