From 225d6927a5a1ea8b52d6d8d05fb75271b3db8180 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 6 Jan 2025 16:59:01 +0800
Subject: [PATCH] Fix CVE-2019-8354,CVE-2019-8355,CVE-2019-8356,CVE-2019-8357
 and CVE-2019-13590

---
 CVE-2019-13590.patch | 13 ++++++++
 CVE-2019-8354.patch  | 11 +++++++
 CVE-2019-8355.patch  | 46 ++++++++++++++++++++++++++++
 CVE-2019-8356.patch  | 73 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2019-8357.patch  | 12 ++++++++
 sox.spec             | 10 +++++-
 6 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-13590.patch
 create mode 100644 CVE-2019-8354.patch
 create mode 100644 CVE-2019-8355.patch
 create mode 100644 CVE-2019-8356.patch
 create mode 100644 CVE-2019-8357.patch

diff --git a/CVE-2019-13590.patch b/CVE-2019-13590.patch
new file mode 100644
index 0000000..d2706a7
--- /dev/null
+++ b/CVE-2019-13590.patch
@@ -0,0 +1,13 @@
+--- a/src/sox-fmt.c
++++ b/src/sox-fmt.c
+@@ -46,7 +46,9 @@
+       lsx_readdw(ft, &comments_bytes))
+     return SOX_EOF;
+ 
+-  if (((headers_bytes + 4) & 7) || headers_bytes < FIXED_HDR + comments_bytes ||
++  if (((headers_bytes + 4) & 7) ||
++      comments_bytes > 0x40000000 || /* max 1 GB */
++      headers_bytes < FIXED_HDR + comments_bytes ||
+       (num_channels > 65535)) /* Reserve top 16 bits */ {
+     lsx_fail_errno(ft, SOX_EHDR, "invalid sox file format header");
+     return SOX_EOF;
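Review bot: The new bound `comments_bytes > 0x40000000` is placed before `headers_bytes < FIXED_HDR + comments_bytes`, and that ordering appears to be what keeps the sum from wrapping (assuming 32-bit unsigned header fields; the declarations are outside the hunk). The comment `/* max 1 GB */` does not say so. I would name the limit and document the intent, e.g. `/* cap first so FIXED_HDR + comments_bytes below cannot wrap */`. A file-supplied size of up to 1 GB is still accepted, so whatever allocates from `comments_bytes` after this hunk needs to cope with allocation failure.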
diff --git a/CVE-2019-8354.patch b/CVE-2019-8354.patch
new file mode 100644
index 0000000..7387741
--- /dev/null
+++ b/CVE-2019-8354.patch
@@ -0,0 +1,11 @@
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -357,7 +357,7 @@
+     double scale, sox_bool dc_norm)
+ {
+   int i, m = num_taps - 1;
+-  double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++  double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+   double mult = scale / lsx_bessel_I_0(beta), mult1 = 1 / (.5 * m + rho);
+   assert(Fc >= 0 && Fc <= 1);
+   lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
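Review bot: With only this patch applied, `h` from `calloc(num_taps, sizeof(*h))` is still used unchecked; the NULL test arrives separately in CVE-2019-8357.patch, which edits the same function. `num_taps` is apparently an `int` (it is printed with `%i`), so a negative value converts to a very large element count and calloc fails instead of returning a short buffer, which is exactly the case the later check has to catch. Record the dependency in a description line above the `--- a/src/effects_i_dsp.c` header, e.g. `Must be applied together with CVE-2019-8357.patch (adds the NULL check on h)`, or fold the two patches into one. The function body continues outside the hunk.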
diff --git a/CVE-2019-8355.patch b/CVE-2019-8355.patch
new file mode 100644
index 0000000..141aaec
--- /dev/null
+++ b/CVE-2019-8355.patch
@@ -0,0 +1,46 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -95,7 +95,7 @@
+ 
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+-  -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|flush|error|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++  -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+ 
+ if HAVE_WIN32_LTDL
+   libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+--- a/src/xmalloc.c
++++ b/src/xmalloc.c
+@@ -41,3 +41,13 @@
+ 
+   return ptr;
+ }
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++  if (n > (size_t)-1 / size) {
++    lsx_fail("malloc size overflow");
++    exit(2);
++  }
++
++  return lsx_realloc(p, n * size);
++}
+--- a/src/xmalloc.h
++++ b/src/xmalloc.h
+@@ -23,12 +23,14 @@
+ #include <stddef.h>
+ #include <string.h>
+ 
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
++
+ #define lsx_malloc(size) lsx_realloc(NULL, (size))
+ #define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL)
+ #define lsx_Calloc(v,n)  v = lsx_calloc(n,sizeof(*(v)))
+ #define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n)  v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n)  v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n)  v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n)  v = lsx_realloc_array(v, n, sizeof(*(v)))
+ 
+ #endif
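Review bot: `lsx_realloc_array` in xmalloc.c evaluates `(size_t)-1 / size` without ruling out `size == 0`, which is a division by zero. The widened export regex `([cm]|re)alloc.*` makes the function reachable from outside the library, where the `sizeof(*(v))` guarantee of the two macros does not hold. Guard it with `if (size && n > (size_t)-1 / size) {`. The `lsx_calloc` and `lsx_Calloc` macros left as context in xmalloc.h still multiply `(n)*(s)` unchecked, so array allocations made through them keep the size-wrap problem this patch removes from `lsx_valloc` and `lsx_revalloc`; routing them through the same helper would close that gap.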
diff --git a/CVE-2019-8356.patch b/CVE-2019-8356.patch
new file mode 100644
index 0000000..52d4fc9
--- /dev/null
+++ b/CVE-2019-8356.patch
@@ -0,0 +1,73 @@
+--- a/src/fft4g.c
++++ b/src/fft4g.c
+@@ -322,6 +322,9 @@
+ 
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     if (n > (ip[0] << 2)) {
+         makewt(n >> 2, ip, w);
+     }
+@@ -344,6 +347,9 @@
+     int nw, nc;
+     double xi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -384,6 +390,9 @@
+     int j, nw, nc;
+     double xr;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -435,6 +444,9 @@
+     int j, nw, nc;
+     double xr;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 2)) {
+         nw = n >> 2;
+@@ -486,6 +498,9 @@
+     int j, k, l, m, mh, nw, nc;
+     double xr, xi, yr, yi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 3)) {
+         nw = n >> 3;
+@@ -576,6 +591,9 @@
+     int j, k, l, m, mh, nw, nc;
+     double xr, xi, yr, yi;
+     
++    if (n > FFT4G_MAX_SIZE)
++        return;
++
+     nw = ip[0];
+     if (n > (nw << 3)) {
+         nw = n >> 3;
+--- a/src/fft4g.h
++++ b/src/fft4g.h
+@@ -13,6 +13,8 @@
+  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+  */
+ 
++#define FFT4G_MAX_SIZE 262144
++
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+ void lsx_ddct(int, int, double *, int *, double *);
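Review bot: The six `if (n > FFT4G_MAX_SIZE) return;` guards in fft4g.c return silently from void functions, so a caller cannot tell that `a[]` was left untransformed and will continue with unprocessed data. Only the upper bound is tested; a zero or negative `n` is not rejected by the guard. The limit is also undocumented where it is defined in fft4g.h; I would add `/* Largest n the transforms accept; a larger n returns without touching a[], ip[] or w[] */` above the `#define`. Callers are outside this hunk, so it is worth confirming that each one validates its size against `FFT4G_MAX_SIZE` before allocating the work arrays rather than relying on the early return.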
diff --git a/CVE-2019-8357.patch b/CVE-2019-8357.patch
new file mode 100644
index 0000000..6f0bf72
--- /dev/null
+++ b/CVE-2019-8357.patch
@@ -0,0 +1,12 @@
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -362,6 +362,9 @@
+   assert(Fc >= 0 && Fc <= 1);
+   lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
+ 
++  if (!h)
++    return NULL;
++
+   for (i = 0; i <= m / 2; ++i) {
+     double z = i - .5 * m, x = z * M_PI, y = z * mult1;
+     h[i] = x? sin(Fc * x) / x : Fc;
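Review bot: Returning NULL when `h` could not be allocated changes the contract of the function logged as `make_lpf`, and nothing in this patch touches its callers. Any call site that indexes the returned array without a check only moves the NULL dereference one frame up. The function's signature and its callers are outside the hunk, so each call site should be checked by hand. I would also state the new behaviour in the function's header comment, e.g. `/* Returns NULL if the tap buffer cannot be allocated; callers must check. */`.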
diff --git a/sox.spec b/sox.spec
index 191b905..0875777 100644
--- a/sox.spec
+++ b/sox.spec
@@ -1,6 +1,6 @@
 Name: sox
 Version: 14.4.2.0
-Release: 30
+Release: 31
 Summary: A general purpose sound file conversion tool
 License: GPLv2+ and LGPLv2+ and MIT
 URL: http://sox.sourceforge.net/
@@ -30,6 +30,11 @@ Patch1011: CVE-2021-3643.patch
 Patch1012: CVE-2022-31650.patch
 Patch1013: CVE-2022-31651.patch
 Patch1014: CVE-2021-40426.patch
+Patch1015: CVE-2019-8354.patch
+Patch1016: CVE-2019-8355.patch
+Patch1017: CVE-2019-8356.patch
+Patch1018: CVE-2019-8357.patch
+Patch1019: CVE-2019-13590.patch
 
 # Tests:
 Patch9000: sox-14.4.2-installcheck_fix.patch
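Review bot: The five new `PatchNNNN:` tags are only declarations, and the diffstat for sox.spec (9 insertions, 1 deletion) is fully accounted for by the Release bump, these tags and the changelog entry, so `%prep` is unchanged. If `%prep` applies patches with `%autosetup` or `%autopatch`, that is fine. If it lists them individually (that section is not visible here), Patch1015 to Patch1019 would ship in the SRPM without being applied and the build would still report the CVEs as fixed. Confirm from the build log that all five are applied, and keep Patch1015 ahead of Patch1018, since both edit the same function in `src/effects_i_dsp.c`.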
@@ -131,6 +136,9 @@ mv $libsox_so.orig $libsox_so
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jan 06 2025 yaoxin <1024769339@qq.com> - 14.4.2.0-31
+- Fix CVE-2019-8354,CVE-2019-8355,CVE-2019-8356,CVE-2019-8357 and CVE-2019-13590
+
 * Sun Dec 24 2023 liningjie <liningjie@xfusion.com> - 14.4.2.0-30
 - DESC: apply CVE-2021-40426.patch
 
-- 
Gitee