Received: by mail.netbsd.org (Postfix, from userid 605) id D2AAD84E61; Thu, 9 Sep 2021 12:03:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 18F0484D3C for ; Thu, 9 Sep 2021 12:03:11 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id oJiIoUOrjYBd for ; Thu, 9 Sep 2021 12:03:10 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 4001B84C86 for ; Thu, 9 Sep 2021 12:03:10 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 33E49FA97; Thu, 9 Sep 2021 12:03:10 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1631188990227720" MIME-Version: 1.0 Date: Thu, 9 Sep 2021 12:03:10 +0000 
From: "Nia Alarie" Subject: CVS commit: pkgsrc/audio/libsndfile To: pkgsrc-changes@NetBSD.org Reply-To: nia@netbsd.org X-Mailer: log_accum Message-Id: <20210909120310.33E49FA97@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1631188990227720 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: nia Date: Thu Sep 9 12:03:10 UTC 2021 Modified Files: pkgsrc/audio/libsndfile: Makefile distinfo Added Files: pkgsrc/audio/libsndfile/patches: patch-CVE-2021-3246 patch-src_wavlike.c Log Message: libsndfile: apply patch for CVE-2021-3246 To generate a diff of this commit: cvs rdiff -u -r1.86 -r1.87 pkgsrc/audio/libsndfile/Makefile cvs rdiff -u -r1.49 -r1.50 pkgsrc/audio/libsndfile/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/audio/libsndfile/patches/patch-CVE-2021-3246 \ pkgsrc/audio/libsndfile/patches/patch-src_wavlike.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1631188990227720 Content-Disposition: inline Content-Length: 4398 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/audio/libsndfile/Makefile diff -u pkgsrc/audio/libsndfile/Makefile:1.86 pkgsrc/audio/libsndfile/Makefile:1.87 --- pkgsrc/audio/libsndfile/Makefile:1.86 Sun Jan 24 14:50:25 2021 +++ pkgsrc/audio/libsndfile/Makefile Thu Sep 9 12:03:09 2021 
@@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.86 2021/01/24 14:50:25 nia Exp $ +# $NetBSD: Makefile,v 1.87 2021/09/09 12:03:09 nia Exp $ DISTNAME= libsndfile-1.0.31 +PKGREVISION= 1 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_GITHUB:=libsndfile/} GITHUB_PROJECT= libsndfile Index: pkgsrc/audio/libsndfile/distinfo diff -u pkgsrc/audio/libsndfile/distinfo:1.49 pkgsrc/audio/libsndfile/distinfo:1.50 --- pkgsrc/audio/libsndfile/distinfo:1.49 Sun Jan 24 14:50:25 2021 +++ pkgsrc/audio/libsndfile/distinfo Thu Sep 9 12:03:09 2021 @@ -1,6 +1,8 @@ -$NetBSD: distinfo,v 1.49 2021/01/24 14:50:25 nia Exp $ +$NetBSD: distinfo,v 1.50 2021/09/09 12:03:09 nia Exp $ SHA1 (libsndfile-1.0.31.tar.bz2) = f16a88e7223baef7c4497536dc1b55b56811debc RMD160 (libsndfile-1.0.31.tar.bz2) = ae3fc5bbcb10a034f3edc1240acacd9f1ec349a7 SHA512 (libsndfile-1.0.31.tar.bz2) = 62202092e5cac6346fd3c0a977380e9bf888fc59d08c9c9707dc254a8ef6ed6356da2ab0430bb970c7b06ba5bb1dafa5d7b0fe13898834c1fe4acb16f409f0e1 Size (libsndfile-1.0.31.tar.bz2) = 875335 bytes +SHA1 (patch-CVE-2021-3246) = 08620e24b8a41afd7c164781bf6088028ffc97ed +SHA1 (patch-src_wavlike.c) = b2524c62d8dad9959ff7a50c412b0e85bf433f47 Added files: Index: pkgsrc/audio/libsndfile/patches/patch-CVE-2021-3246 diff -u /dev/null pkgsrc/audio/libsndfile/patches/patch-CVE-2021-3246:1.1 --- /dev/null Thu Sep 9 12:03:10 2021 +++ pkgsrc/audio/libsndfile/patches/patch-CVE-2021-3246 Thu Sep 9 12:03:10 2021 
@@ -0,0 +1,31 @@
+$NetBSD: patch-CVE-2021-3246,v 1.1 2021/09/09 12:03:10 nia Exp $
+
+[PATCH] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+https://github.com/libsndfile/libsndfile/pull/713
+
+--- src/ms_adpcm.c.orig 2021-01-23 16:12:45.000000000 +0000
++++ src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, i
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
Index: pkgsrc/audio/libsndfile/patches/patch-src_wavlike.c
diff -u /dev/null pkgsrc/audio/libsndfile/patches/patch-src_wavlike.c:1.1
--- /dev/null Thu Sep 9 12:03:10 2021
+++ pkgsrc/audio/libsndfile/patches/patch-src_wavlike.c Thu Sep 9 12:03:10 2021
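Review bot: The added bound `2 * blockalign < samplesperblock * psf->sf.channels` in the src/ms_adpcm.c hunk counts the whole block as sample data, while the write-mode formula a few lines above it (`2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels`) sets the per-channel preamble aside, so a read-mode header can still declare more samples than that formula would yield for the same blockalign. Consider tightening the check to the same relation, e.g. `if (blockalign < 7 * psf->sf.channels + (samplesperblock - 2) * psf->sf.channels / 2)`, or add a comment stating why the looser bound is sufficient for the decoder's buffers, which are allocated outside the hunk. The products are computed on header-derived values, presumably as int (the signature is truncated in the hunk header), so it is worth confirming that callers bound blockalign, samplesperblock and channels before they reach this function. wavlike_msadpcm_init starts and ends outside the hunk.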
@@ -0,0 +1,26 @@
+$NetBSD: patch-src_wavlike.c,v 1.1 2021/09/09 12:03:10 nia Exp $
+
+[PATCH] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+https://github.com/libsndfile/libsndfile/pull/713
+
+--- src/wavlike.c.orig 2021-01-23 16:12:45.000000000 +0000
++++ src/wavlike.c
+@@ -830,7 +830,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ return 0 ;
+ } ;
+
+- if (chunksize >= sizeof (SF_CART_INFO_16K))
++ /*
++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++ ** of the chunk, so don't include it in the size check.
++ */
++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ psf_binheader_readf (psf, "j", chunksize) ;
+ return 0 ;
--_----------=_1631188990227720--
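Review bot: The literal `4` in `sizeof (SF_CART_INFO_16K) - 4` hard-codes the width of 'tag_text_size', so the bound drifts silently if that field's type changes or the compiler pads the struct differently. Deriving the value from the member keeps the check tied to the real layout, e.g. `if (chunksize >= sizeof (SF_CART_INFO_16K) - sizeof (((SF_CART_INFO_16K *) 0)->tag_text_size))`, or a named constant defined next to the struct. The struct definition and the rest of wavlike_read_cart_chunk are outside the hunk, so the field's actual width and position cannot be confirmed from here.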