amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

gnu: Add audiofile.

Browse source 
Patches should fix all CVEs reported by `guix lint`:
CVE-2015-7747; CVE-2017-6827, CVE-2017-6828, CVE-2017-6829,
CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833,
CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837,
CVE-2017-6838, CVE-2017-6839; CVE-2018-13440; CVE-2018-17095

Since the patches do not reference to CVEs, it's a bit hard to tell which
patch actually closes which CVE.  Debian reports all these to be closed by
the patches below and NixPkgs provides references.

* gnu/packages/audio.scm (audiofile): New variable.
* gnu/packages/patches/audiofile-fix-datatypes-in-tests.patch,
  gnu/packages/patches/audiofile-fix-sign-conversion.patch,
  gnu/packages/patches/audiofile-CVE-2015-7747.patch,
  gnu/packages/patches/audiofile-CVE-2018-13440.patch,
  gnu/packages/patches/audiofile-CVE-2018-17095.patch,
  gnu/packages/patches/audiofile-Check-the-number-of-coefficients.patch,
  gnu/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch,
  gnu/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch,
  gnu/packages/patches/audiofile-Fix-multiply-overflow-sfconvert.patch,
  gnu/packages/patches/audiofile-Fix-overflow-in-MSADPCM-decodeSam.patch,
  gnu/packages/patches/audiofile-division-by-zero-BlockCodec-runPull.patch,
  gnu/packages/patches/audiofile-hurd.patch,
  gnu/packages/patches/audiofile-signature-of-multiplyCheckOverflow.patch:
  New files.
* gnu/local.mk: Add them.
This commit is contained in:
Hartmut Goebel 2019-12-07 13:22:04 +01:00
parent 9d25a4548c
commit a8e149434e
No known key found for this signature in database
GPG key ID: 634A8DFFD3F631DF
15 changed files with 1070 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
gnu/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch Normal file
View file

@ -0,0 +1,36 @@
From: Antonio Larrosa <larrosa@kde.org>
Date: Mon, 6 Mar 2017 18:59:26 +0100
Subject: Actually fail when error occurs in parseFormat
When there's an unsupported number of bits per sample or an invalid
number of samples per block, don't only print an error message using
the error handler, but actually stop parsing the file.
This fixes #35 (also reported at
https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
)
---
libaudiofile/WAVE.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
index 0fc48e8..d04b796 100644
--- a/libaudiofile/WAVE.cpp
+++ b/libaudiofile/WAVE.cpp
@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
{
_af_error(AF_BAD_NOT_IMPLEMENTED,
"IMA ADPCM compression supports only 4 bits per sample");
+ return AF_FAIL;
}
int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
{
_af_error(AF_BAD_CODEC_CONFIG,
"Invalid samples per block for IMA ADPCM compression");
+ return AF_FAIL;
}
track->f.sampleWidth = 16;