From e8c89fb65e60b807bdeeb45c3d85ce2ddecc304a Mon Sep 17 00:00:00 2001
From: small_leek
Date: Fri, 27 Nov 2020 16:03:43 +0800
Subject: [PATCH] Synchronize patches of master branch to SP1
---
 CVE-2018-19841.patch | 29 +++++++++++++++
 ...mory-leak-on-opening-corrupted-files.patch | 21 +++++++++++
 wavpack-CVE-2019-11498.patch | 36 +++++++++++++++++++
 wavpack.spec | 20 +++++++++--
 4 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2018-19841.patch
 create mode 100644 fix-memory-leak-on-opening-corrupted-files.patch
 create mode 100644 wavpack-CVE-2019-11498.patch
diff --git a/CVE-2018-19841.patch b/CVE-2018-19841.patch
new file mode 100644
index 0000000..6872ed9
--- /dev/null
+++ b/CVE-2018-19841.patch
@@ -0,0 +1,29 @@
+From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001
+From: David Bryant
+Date: Thu, 29 Nov 2018 21:53:51 -0800
+Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
+
+---
+ src/open_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 80051fc..4fe0d67 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+
+ if (meta_bc == 4) {
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+ return FALSE;
+ }
+ else {
+ csum ^= csum >> 16;
+
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+ return FALSE;
+ }
+
diff --git a/fix-memory-leak-on-opening-corrupted-files.patch b/fix-memory-leak-on-opening-corrupted-files.patch
new file mode 100644
index 0000000..2f95ee2
--- /dev/null
+++ b/fix-memory-leak-on-opening-corrupted-files.patch
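Review bot: In the embedded fix to `WavpackVerifySingleBlock` in `CVE-2018-19841.patch`, the `else` branch reads `dp[0]` and `dp[1]` for every `meta_bc` other than 4, and nothing in the hunk shows that `meta_bc` is at least 2 or that those bytes lie inside the block. The function starts and ends outside the hunk, so the bound may be checked earlier; it is worth confirming in the SP1 source tree that this patch is applied to. The rewritten comparisons would also benefit from a one-line comment such as `/* compare in place: dp must not be advanced by the checksum test */`, since the removed `*dp++` form is exactly what the fix replaces.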
@@ -0,0 +1,21 @@
+commit cba2f967ebcc7e15d0f33e4219a1e04e2a6fc41e
+Author: David Bryant
+Date: Sun Dec 8 12:06:19 2019 -0800
+
+ fix possible memory leak on opening corrupted files
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 170c6eb..dfb7cf6 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -177,6 +177,11 @@ WavpackContext *WavpackOpenFileInputEx64 (WavpackStreamReader64 *reader, void *w
+ return WavpackCloseFile (wpc);
+ }
+
++ if (!wps->wphdr.block_samples) { // free blockbuff if we're going to loop again
++ free (wps->blockbuff);
++ wps->blockbuff = NULL;
++ }
++
+ wps->init_done = TRUE;
+ }
diff --git a/wavpack-CVE-2019-11498.patch b/wavpack-CVE-2019-11498.patch
new file mode 100644
index 0000000..e8a2708
--- /dev/null
+++ b/wavpack-CVE-2019-11498.patch
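Review bot: The added `free (wps->blockbuff)` in `WavpackOpenFileInputEx64` (`fix-memory-leak-on-opening-corrupted-files.patch`) clears only `wps->blockbuff`, so any other field that still points into that buffer would be left dangling when `wps->init_done = TRUE` is set on the following line. The code that parses the block sits earlier in the loop, outside the hunk, so whether such pointers exist cannot be seen here and should be confirmed. A comment above the new block stating the invariant would help, for example `// zero-sample block: nothing may keep a pointer into blockbuff past this point`.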
@@ -0,0 +1,36 @@
+From bc6cba3f552c44565f7f1e66dc1580189addb2b4 Mon Sep 17 00:00:00 2001
+From: David Bryant
+Date: Tue, 5 Mar 2019 21:32:27 -0800
+Subject: [PATCH] issue #67: make sure sample rate is specified and non-zero in
+ DFF files
+
+---
+ cli/dsdiff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index f357181..193adee 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -171,7 +171,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ if (!strncmp (prop_chunk, "SND ", 4)) {
+ char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize;
+ uint16_t numChannels, chansSpecified, chanMask = 0;
+- uint32_t sampleRate;
++ uint32_t sampleRate = 0;
+
+ while (eptr - cptr >= sizeof (dff_chunk_header)) {
+ memcpy (&dff_chunk_header, cptr, sizeof (dff_chunk_header));
+@@ -263,6 +263,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ free (prop_chunk);
+ }
+ else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) {
++
++ if (!config->num_channels || !config->sample_rate) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
+ total_samples = dff_chunk_header.ckDataSize / config->num_channels;
+ break;
+ }
diff --git a/wavpack.spec b/wavpack.spec
index f34d4dc..fc285b0 100644
--- a/wavpack.spec
+++ b/wavpack.spec
@@ -1,6 +1,6 @@
 Name: wavpack
 Version: 5.1.0
-Release: 10
+Release: 12
 Summary: Hybrid Lossless Wavefile Compressor
 License: BSD
 Url: http://www.wavpack.com/
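Review bot: The diffstat embedded in `wavpack-CVE-2019-11498.patch` (`cli/dsdiff.c | 4 ++--`, 2 insertions and 2 deletions) does not match the two hunks that follow it, which add seven lines and remove one, so the file appears to have been edited after it was exported. `patch` ignores the diffstat, but the mismatch makes it harder to tell whether the backport carries the whole upstream change; comparing it against upstream commit bc6cba3f552c44565f7f1e66dc1580189addb2b4 would settle that. In the second hunk the new guard sits directly before the division by `config->num_channels`, and a short comment such as `/* reject before dividing by num_channels below */` would record why it has to stay there. `ParseDsdiffHeaderConfig` continues outside both hunks.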
@@ -10,7 +10,11 @@ Patch0001: wavpack-0002-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fi
 Patch0002: wavpack-0003-issue-28-fix-buffer-overflows-and-bad-allocs-on-corr.patch
 Patch0003: wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
 Patch0004: wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
-
+# fix potential out-of-bounds heapo read
+Patch0005: wavpack-CVE-2019-11498.patch
+# make sure sample rate is specified and non-zero in DFF files
+Patch0006: CVE-2018-19841.patch
+Patch0007: fix-memory-leak-on-opening-corrupted-files.patch
 Patch6000: CVE-2018-19840.patch
 BuildRequires: autoconf automake libtool
@@ -37,7 +41,7 @@ Buildarch: noarch
 Help document for the wavpack package.
 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{version} -p1
 %build
 autoreconf -ivf
@@ -69,5 +73,15 @@ autoreconf -ivf
 %{_mandir}/man1/*.1*
 %changelog
+* Sat May 14 2020 lutianxiong - 5.1.0-12
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- Fix memory leak on opening corrupted files
+
+* Sat Mar 14 2020 wangzhishun - 5.1.0-11
+- Make sure sample rate is specified and non-zero in DFF files
+- Fix potential out-of-bounds heap read
+
 * Fri Oct 25 2019 Lijin Yang - 5.1.0-10
 - Package init
-- Gitee
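Review bot: The two comments added above `Patch0005` and `Patch0006` are attached to the wrong patches: `wavpack-CVE-2019-11498.patch` is the DFF sample-rate check and `CVE-2018-19841.patch` is the out-of-bounds heap read fix, as each patch's own subject line shows. Swapping them and fixing the typo gives `# make sure sample rate is specified and non-zero in DFF files` over `Patch0005` and `# fix potential out-of-bounds heap read` over `Patch0006`; `Patch0007` has no comment at all. Naming the CVE in each comment would let an auditor map the spec to advisories without opening the patch files. In the changelog hunk, `Sat May 14 2020` does not match the calendar (14 May 2020 was a Thursday), which rpmbuild reports as a bogus date.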