=== modified file 'debian/changelog' --- debian/changelog 2017-03-18 18:10:25 +0000 +++ debian/changelog 2017-03-18 18:30:37 +0000 @@ -1,3 +1,20 @@ +audiofile (0.3.6-2ubuntu0.14.04.2) trusty-security; urgency=high + + * SECURITY UPDATE: multiple vulnerabilities (LP: #1674005) + - Apply patches from Debian 0.3.6-4: + + 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch + + 05_Always-check-the-number-of-coefficients.patch + + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch + + 07_Check-for-multiplication-overflow-in-sfconvert.patch + + 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch + + 09_Actually-fail-when-error-occurs-in-parseFormat.patch + + 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch + - CVE-2017-6829, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, + CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, + CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828 + + -- Jeremy Bicha Thu, 16 Mar 2017 21:43:45 +0100 + audiofile (0.3.6-2ubuntu0.14.04.1) trusty-security; urgency=medium * SECURITY UPDATE: buffer overflow when changing both sample format and === added file 'debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch' --- debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,33 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:02:31 +0100 +Subject: clamp index values to fix index overflow in IMA.cpp + +This fixes #33 +(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 +and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) +--- + libaudiofile/modules/IMA.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp +index 7476d44..df4aad6 100644 +--- a/libaudiofile/modules/IMA.cpp ++++ b/libaudiofile/modules/IMA.cpp +@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded) + if (encoded[1] & 0x80) + m_adpcmState[c].previousValue -= 0x10000; + +- m_adpcmState[c].index = encoded[2]; ++ m_adpcmState[c].index = clamp(encoded[2], 0, 88); + + *decoded++ = m_adpcmState[c].previousValue; + +@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded) + predictor -= 0x10000; + + state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16); +- state.index = encoded[1] & 0x7f; ++ state.index = clamp(encoded[1] & 0x7f, 0, 88); + encoded += 2; + + for (int n=0; n +Date: Mon, 6 Mar 2017 12:51:22 +0100 +Subject: Always check the number of coefficients + +When building the library with NDEBUG, asserts are eliminated +so it's better to always check that the number of coefficients +is inside the array range. + +This fixes the 00191-audiofile-indexoob issue in #41 +--- + libaudiofile/WAVE.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 9dd8511..0fc48e8 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + + /* numCoefficients should be at least 7. */ + assert(numCoefficients >= 7 && numCoefficients <= 255); ++ if (numCoefficients < 7 || numCoefficients > 255) ++ { ++ _af_error(AF_BAD_HEADER, ++ "Bad number of coefficients"); ++ return AF_FAIL; ++ } + + m_msadpcmNumCoefficients = numCoefficients; + === added file 'debian/patches/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch' --- debian/patches/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,116 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:43:53 +0100 +Subject: Check for multiplication overflow in MSADPCM decodeSample + +Check for multiplication overflow (using __builtin_mul_overflow +if available) in MSADPCM.cpp decodeSample and return an empty +decoded block if an error occurs. + +This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 +--- + libaudiofile/modules/BlockCodec.cpp | 5 ++-- + libaudiofile/modules/MSADPCM.cpp | 47 +++++++++++++++++++++++++++++++++---- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 45925e8..4731be1 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -52,8 +52,9 @@ void BlockCodec::runPull() + // Decompress into m_outChunk. + for (int i=0; i(m_inChunk->buffer) + i * m_bytesPerPacket, +- static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount); ++ if (decodeBlock(static_cast(m_inChunk->buffer) + i * m_bytesPerPacket, ++ static_cast(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0) ++ break; + + framesRead += m_framesPerPacket; + } +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index 8ea3c85..ef9c38c 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] = + 768, 614, 512, 409, 307, 230, 230, 230 + }; + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ ++ + // Compute a linear PCM value from the given differential coded value. + static int16_t decodeSample(ms_adpcm_state &state, +- uint8_t code, const int16_t *coefficient) ++ uint8_t code, const int16_t *coefficient, bool *ok=NULL) + { + int linearSample = (state.sample1 * coefficient[0] + + state.sample2 * coefficient[1]) >> 8; ++ int delta; + + linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta; + + linearSample = clamp(linearSample, MIN_INT16, MAX_INT16); + +- int delta = (state.delta * adaptationTable[code]) >> 8; ++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta)) ++ { ++ if (ok) *ok=false; ++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample"); ++ return 0; ++ } ++ delta >>= 8; + if (delta < 16) + delta = 16; + + state.delta = delta; + state.sample2 = state.sample1; + state.sample1 = linearSample; ++ if (ok) *ok=true; + + return static_cast(linearSample); + } +@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded) + { + uint8_t code; + int16_t newSample; ++ bool ok; + + code = *encoded >> 4; +- newSample = decodeSample(*state[0], code, coefficient[0]); ++ newSample = decodeSample(*state[0], code, coefficient[0], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + code = *encoded & 0x0f; +- newSample = decodeSample(*state[1], code, coefficient[1]); ++ newSample = decodeSample(*state[1], code, coefficient[1], &ok); ++ if (!ok) return 0; + *decoded++ = newSample; + + encoded++; === added file 'debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch' --- debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/07_Check-for-multiplication-overflow-in-sfconvert.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,66 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 13:54:52 +0100 +Subject: Check for multiplication overflow in sfconvert + +Checks that a multiplication doesn't overflow when +calculating the buffer size, and if it overflows, +reduce the buffer size instead of failing. + +This fixes the 00192-audiofile-signintoverflow-sfconvert case +in #41 +--- + sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 80a1bc4..970a3e4 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -45,6 +45,33 @@ void printusage (void); + void usageerror (void); + bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid); + ++int firstBitSet(int x) ++{ ++ int position=0; ++ while (x!=0) ++ { ++ x>>=1; ++ ++position; ++ } ++ return position; ++} ++ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++int multiplyCheckOverflow(int a, int b, int *result) ++{ ++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits ++ return true; ++ *result = a * b; ++ return false; ++#endif ++} ++ + int main (int argc, char **argv) + { + if (argc == 2) +@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); + +- const int kBufferFrameCount = 65536; +- void *buffer = malloc(kBufferFrameCount * frameSize); ++ int kBufferFrameCount = 65536; ++ int bufferSize; ++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) ++ kBufferFrameCount /= 2; ++ void *buffer = malloc(bufferSize); + + AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK); + AFframecount totalFramesWritten = 0; === added file 'debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch' --- debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,35 @@ +From: Antonio Larrosa +Date: Fri, 10 Mar 2017 15:40:02 +0100 +Subject: Fix signature of multiplyCheckOverflow. It returns a bool, not an int + +--- + libaudiofile/modules/MSADPCM.cpp | 2 +- + sfcommands/sfconvert.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp +index ef9c38c..d8c9553 100644 +--- a/libaudiofile/modules/MSADPCM.cpp ++++ b/libaudiofile/modules/MSADPCM.cpp +@@ -116,7 +116,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 970a3e4..367f7a5 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -60,7 +60,7 @@ int firstBitSet(int x) + #define __has_builtin(x) 0 + #endif + +-int multiplyCheckOverflow(int a, int b, int *result) ++bool multiplyCheckOverflow(int a, int b, int *result) + { + #if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow)) + return __builtin_mul_overflow(a, b, result); === added file 'debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch' --- debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,36 @@ +From: Antonio Larrosa +Date: Mon, 6 Mar 2017 18:59:26 +0100 +Subject: Actually fail when error occurs in parseFormat + +When there's an unsupported number of bits per sample or an invalid +number of samples per block, don't only print an error message using +the error handler, but actually stop parsing the file. + +This fixes #35 (also reported at +https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and +https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ +) +--- + libaudiofile/WAVE.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp +index 0fc48e8..d04b796 100644 +--- a/libaudiofile/WAVE.cpp ++++ b/libaudiofile/WAVE.cpp +@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_NOT_IMPLEMENTED, + "IMA ADPCM compression supports only 4 bits per sample"); ++ return AF_FAIL; + } + + int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount; +@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size) + { + _af_error(AF_BAD_CODEC_CONFIG, + "Invalid samples per block for IMA ADPCM compression"); ++ return AF_FAIL; + } + + track->f.sampleWidth = 16; === added file 'debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch' --- debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch 1970-01-01 00:00:00 +0000 +++ debian/patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch 2017-03-18 18:23:46 +0000 @@ -0,0 +1,21 @@ +From: Antonio Larrosa +Date: Thu, 9 Mar 2017 10:21:18 +0100 +Subject: Check for division by zero in BlockCodec::runPull + +--- + libaudiofile/modules/BlockCodec.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp +index 4731be1..eb2fb4d 100644 +--- a/libaudiofile/modules/BlockCodec.cpp ++++ b/libaudiofile/modules/BlockCodec.cpp +@@ -47,7 +47,7 @@ void BlockCodec::runPull() + + // Read the compressed data. + ssize_t bytesRead = read(m_inChunk->buffer, m_bytesPerPacket * blockCount); +- int blocksRead = bytesRead >= 0 ? bytesRead / m_bytesPerPacket : 0; ++ int blocksRead = (bytesRead >= 0 && m_bytesPerPacket > 0) ? bytesRead / m_bytesPerPacket : 0; + + // Decompress into m_outChunk. + for (int i=0; i