Add upstream fixes for CVE-2019-14464, CVE-2019-14496 and CVE-2019-14497.

These fixes address the following issues: - Heap-based buffer overflow in XMFile::read() - Stack-based buffer overflow in LoaderXM::load() - Heap-based buffer overflow in ModuleEditor::convertInstrument()
2019-11-17 19:01:53 +00:00 · 2019-11-17 19:01:53 +00:00 · 8277591f9a
commit 8277591f9a
parent d77560544e
4 changed files with 137 additions and 2 deletions
--- a/audio/milkytracker/Makefile
+++ b/audio/milkytracker/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.22 2019/07/12 20:43:36 sthen Exp $
+# $OpenBSD: Makefile,v 1.23 2019/11/17 19:01:53 fcambus Exp $

 COMMENT =	Fasttracker II inspired MOD tracker

@ -7,7 +7,7 @@ GH_PROJECT =	MilkyTracker
 GH_TAGNAME =	v1.02.00

 PKGNAME =	${DISTNAME:L}
-REVISION =	3
+REVISION =	4

 CATEGORIES =	audio

--- a/audio/milkytracker/patches/patch-src_milkyplay_LoaderS3M_cpp
+++ b/audio/milkytracker/patches/patch-src_milkyplay_LoaderS3M_cpp
@ -0,0 +1,24 @@
+$OpenBSD: patch-src_milkyplay_LoaderS3M_cpp,v 1.1 2019/11/17 19:01:53 fcambus Exp $
+
+Fix for CVE-2019-14464.
+
+- Heap-based buffer overflow in XMFile::read()
+
+Upstream commit fd607a3439fcdd0992e5efded3c16fc79c804e34.
+
+Index: src/milkyplay/LoaderS3M.cpp
+--- src/milkyplay/LoaderS3M.cpp.orig
+++ src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@ mp_sint32 LoaderS3M::load(XMFileBase& f, XModule* modu
+ 		return MP_OUT_OF_MEMORY;
+ 	
+ 	header->insnum = f.readWord(); // number of instruments
+-	header->patnum = f.readWord(); // number of patterns	
+	if (header->insnum > MP_MAXINS)
+		return MP_LOADER_FAILED;
+	header->patnum = f.readWord(); // number of patterns
+	if (header->patnum > 256)
+		return MP_LOADER_FAILED;
+ 	
+ 	mp_sint32 flags = f.readWord(); // st3 flags	
+ 
--- a/audio/milkytracker/patches/patch-src_milkyplay_LoaderXM_cpp
+++ b/audio/milkytracker/patches/patch-src_milkyplay_LoaderXM_cpp
@ -0,0 +1,90 @@
+$OpenBSD: patch-src_milkyplay_LoaderXM_cpp,v 1.1 2019/11/17 19:01:53 fcambus Exp $
+
+Fixes for CVE-2019-14496 and CVE-2019-14497.
+
+- Stack-based buffer overflow in LoaderXM::load()
+- Heap-based buffer overflow in ModuleEditor::convertInstrument()
+
+Upstream commit ea7772a3fae0a9dd0a322e8fec441d15843703b7.
+
+Index: src/milkyplay/LoaderXM.cpp
+--- src/milkyplay/LoaderXM.cpp.orig
+++ src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@ const char* LoaderXM::identifyModule(const mp_ubyte* b
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ 	mp_ubyte insData[230];		
+-	mp_sint32 smpReloc[96];
+-	mp_ubyte nbu[96];
+	mp_sint32 smpReloc[MP_MAXINSSAMPS];
+	mp_ubyte nbu[MP_MAXINSSAMPS];
+ 	mp_uint32 fileSize = 0;
+ 			
+ 	module->cleanUp();
+@@ -117,6 +117,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 	memcpy(header->ord, hdrBuff+16, 256);
+ 	if(header->ordnum > MP_MAXORDERS)
+ 		header->ordnum = MP_MAXORDERS;
+	if(header->insnum > MP_MAXINS)
+		return MP_LOADER_FAILED;
+ 
+ 	delete[] hdrBuff;
+ 	
+@@ -143,7 +145,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 			f.read(&instr[y].type,1,1);
+ 			mp_uword numSamples = 0;
+ 			f.readWords(&numSamples,1);
+-			if(numSamples > 96)
+			if(numSamples > MP_MAXINSSAMPS)
+ 				return MP_LOADER_FAILED;
+ 			instr[y].samp = numSamples;
+ 
+@@ -169,8 +171,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 			if (instr[y].samp) {
+ 				mp_ubyte* insDataPtr = insData;
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
+				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
+				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -285,7 +287,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {
+				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
+@@ -491,6 +493,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 				f.read(&instr[y].type,1,1);
+ 				f.readWords(&instr[y].samp,1);
+ 			}
+			if (instr[y].samp > MP_MAXINSSAMPS)
+				return MP_LOADER_FAILED;
+ 
+ 			//printf("%i, %i\n", instr[y].size, instr[y].samp);
+ 
+@@ -532,8 +536,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 				
+ 				//f.read(&nbu,1,96);
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
+				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
+				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -650,7 +654,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* modul
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {					
+				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {					
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
--- a/audio/milkytracker/patches/patch-src_milkyplay_XModule_h
+++ b/audio/milkytracker/patches/patch-src_milkyplay_XModule_h
@ -0,0 +1,21 @@
+$OpenBSD: patch-src_milkyplay_XModule_h,v 1.1 2019/11/17 19:01:53 fcambus Exp $
+
+Fixes for CVE-2019-14496 and CVE-2019-14497.
+
+- Stack-based buffer overflow in LoaderXM::load()
+- Heap-based buffer overflow in ModuleEditor::convertInstrument()
+
+Upstream commit ea7772a3fae0a9dd0a322e8fec441d15843703b7.
+
+Index: src/milkyplay/XModule.h
+--- src/milkyplay/XModule.h.orig
+++ src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+ 
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
+#define MP_MAXINS 255
+#define MP_MAXINSSAMPS 96
+ 
+ struct TXMHeader 
+ {