Security fixes for:

CVE-2015-6749 (aiff_open buffer overflow) CVE-2014-9638 (division by zero) CVE-2014-9639 (channel integer overflow) Also fix a crash on raw file close. Via Jason Unovitch/FreeBSD
2015-09-10 21:03:12 +00:00 · 2015-09-10 21:03:12 +00:00 · dd13343d8b
commit dd13343d8b
parent 92ee6cf5f9
3 changed files with 120 additions and 2 deletions
--- a/audio/vorbis-tools/Makefile
+++ b/audio/vorbis-tools/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.48 2013/03/21 08:45:13 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.49 2015/09/10 21:03:12 naddy Exp $

 COMMENT=	play, encode, and manage Ogg Vorbis files

 DISTNAME=	vorbis-tools-1.4.0
-REVISION=	0
+REVISION=	1
 CATEGORIES=    	audio
 HOMEPAGE=	http://www.vorbis.com/

--- a/audio/vorbis-tools/patches/patch-oggenc_audio_c
+++ b/audio/vorbis-tools/patches/patch-oggenc_audio_c
@ -0,0 +1,92 @@
+$OpenBSD: patch-oggenc_audio_c,v 1.3 2015/09/10 21:03:12 naddy Exp $
+
+CVE-2015-6749 (aiff_open buffer overflow)
+https://trac.xiph.org/attachment/ticket/2212/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+
+CVE-2014-9638 (division by zero)
+CVE-2014-9639 (channel integer overflow)
+http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/tree/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch
+
+--- oggenc/audio.c.orig	Wed Mar 24 09:27:14 2010
+++ oggenc/audio.c	Thu Sep 10 22:48:38 2015
+@@ -13,6 +13,7 @@
+ #include <config.h>
+ #endif
+ 
+#include <limits.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -245,12 +246,13 @@ static int aiff_permute_matrix[6][6] = 
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
+    unsigned int len, readlen;
+    unsigned char buffer[22];
+     unsigned char buf2[8];
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+     int i;
+    long channels;
+ 
+     if(buf[11]=='C')
+         aifc=1;
+@@ -269,19 +271,25 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
+    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
+    if(fread(buffer,1,readlen,in) < readlen ||
+       (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+         return 0;
+     }
+ 
+-    format.channels = READ_U16_BE(buffer);
+    format.channels = channels = READ_U16_BE(buffer);
+     format.totalframes = READ_U32_BE(buffer+2);
+     format.samplesize = READ_U16_BE(buffer+6);
+     format.rate = (int)read_IEEE80(buffer+8);
+ 
+    if(channels <= 0L || SHRT_MAX < channels)
+    {
+         fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
+         return 0;
+    }
+
+     aiff->bigendian = 1;
+ 
+     if(aifc)
+@@ -412,6 +420,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char 
+     wav_fmt format;
+     wavfile *wav = malloc(sizeof(wavfile));
+     int i;
+    long channels;
+ 
+     /* Ok. At this point, we know we have a WAV file. Now we have to detect
+      * whether we support the subtype, and we have to find the actual data
+@@ -449,11 +458,17 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char 
+     }
+ 
+     format.format =      READ_U16_LE(buf);
+-    format.channels =    READ_U16_LE(buf+2);
+    format.channels = channels = READ_U16_LE(buf+2);
+     format.samplerate =  READ_U32_LE(buf+4);
+     format.bytespersec = READ_U32_LE(buf+8);
+     format.align =       READ_U16_LE(buf+12);
+     format.samplesize =  READ_U16_LE(buf+14);
+
+    if(channels <= 0L || SHRT_MAX < channels)
+    {
+        fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
+        return 0;
+    }
+ 
+     if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
+     {
--- a/audio/vorbis-tools/patches/patch-oggenc_oggenc_c
+++ b/audio/vorbis-tools/patches/patch-oggenc_oggenc_c
@ -0,0 +1,26 @@
+$OpenBSD: patch-oggenc_oggenc_c,v 1.1 2015/09/10 21:03:12 naddy Exp $
+
+Fix crash on raw file close.
+https://trac.xiph.org/changeset/19117
+
+--- oggenc/oggenc.c.orig	Fri Mar 26 08:07:07 2010
+++ oggenc/oggenc.c	Thu Sep 10 22:48:38 2015
+@@ -97,6 +97,8 @@ int main(int argc, char **argv)
+               .3,-1,
+               0,0,0.f,
+               0, 0, 0, 0, 0};
+    input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
+      N_("RAW file reader")};
+ 
+     int i;
+ 
+@@ -239,9 +241,6 @@ int main(int argc, char **argv)
+ 
+         if(opt.rawmode)
+         {
+-            input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
+-                N_("RAW file reader")};
+-
+             enc_opts.rate=opt.raw_samplerate;
+             enc_opts.channels=opt.raw_channels;
+             enc_opts.samplesize=opt.raw_samplesize;