Project import/wavpack - Diff d6f4fc874f...3455911b81

... ... --- a/.abf.yml
... ... +++ b/.abf.yml
... ... @@ -1,4 +1,2 @@
1
removed_sources:
2
  wavpack-4.60.1.tar.bz2: 003c65cb4e29c55011cf8e7b10d69120df5e7f30
3 1
sources:
4
  wavpack-4.80.0.tar.bz2: 83036db97b22f0585da81d113321ea8a989b2134
2
  wavpack-5.1.0.tar.bz2: ed96443e3fc915128e1002a0f9f2c7ae9bcdc09b
view file @ 3455911b81
... ... --- /dev/null
... ... +++ b/wavpack-5.1.0-CVE-2018-6767.patch
... ... @@ -0,0 +1,102 @@
1
diff -rupN wavpack-5.1.0.old/cli/riff.c wavpack-5.1.0/cli/riff.c
2
--- wavpack-5.1.0.old/cli/riff.c	2017-01-09 22:43:55.000000000 +0100
3
+++ wavpack-5.1.0/cli/riff.c	2018-03-03 19:07:58.380466751 +0100
4
@@ -42,6 +42,7 @@ typedef struct {
5
 
6
 #pragma pack(pop)
7
 
8
+#define CS64ChunkFormat "4D"
9
 #define DS64ChunkFormat "DDDL"
10
 
11
 #define WAVPACK_NO_ERROR    0
12
@@ -101,13 +102,13 @@ int ParseRiffHeaderConfig (FILE *infile,
13
 
14
         if (!strncmp (chunk_header.ckID, "ds64", 4)) {
15
             if (chunk_header.ckSize < sizeof (DS64Chunk) ||
16
-                !DoReadFile (infile, &ds64_chunk, chunk_header.ckSize, &bcount) ||
17
-                bcount != chunk_header.ckSize) {
18
+				!DoReadFile (infile, &ds64_chunk, sizeof (DS64Chunk), &bcount) ||
19
+				bcount != sizeof (DS64Chunk)) {
20
                     error_line ("%s is not a valid .WAV file!", infilename);
21
                     return WAVPACK_SOFT_ERROR;
22
             }
23
             else if (!(config->qmode & QMODE_NO_STORE_WRAPPER) &&
24
-                !WavpackAddWrapper (wpc, &ds64_chunk, chunk_header.ckSize)) {
25
+				!WavpackAddWrapper (wpc, &ds64_chunk, sizeof (DS64Chunk))) {
26
                     error_line ("%s", WavpackGetErrorMessage (wpc));
27
                     return WAVPACK_SOFT_ERROR;
28
             }
29
@@ -315,10 +316,11 @@ int ParseRiffHeaderConfig (FILE *infile,
30
 
31
 int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples, int qmode)
32
 {
33
-    int do_rf64 = 0, write_junk = 1;
34
+	int do_rf64 = 0, write_junk = 1, table_length = 0;
35
     ChunkHeader ds64hdr, datahdr, fmthdr;
36
     RiffChunkHeader riffhdr;
37
     DS64Chunk ds64_chunk;
38
+	CS64Chunk cs64_chunk;
39
     JunkChunk junkchunk;
40
     WaveHeader wavhdr;
41
     uint32_t bcount;
42
@@ -380,6 +382,7 @@ int WriteRiffHeader (FILE *outfile, Wavp
43
     strncpy (riffhdr.formType, "WAVE", sizeof (riffhdr.formType));
44
     total_riff_bytes = sizeof (riffhdr) + wavhdrsize + sizeof (datahdr) + ((total_data_bytes + 1) & ~(int64_t)1);
45
     if (do_rf64) total_riff_bytes += sizeof (ds64hdr) + sizeof (ds64_chunk);
46
+	total_riff_bytes += table_length * sizeof (CS64Chunk);
47
     if (write_junk) total_riff_bytes += sizeof (junkchunk);
48
     strncpy (fmthdr.ckID, "fmt ", sizeof (fmthdr.ckID));
49
     strncpy (datahdr.ckID, "data", sizeof (datahdr.ckID));
50
@@ -394,11 +397,12 @@ int WriteRiffHeader (FILE *outfile, Wavp
51
 
52
     if (do_rf64) {
53
         strncpy (ds64hdr.ckID, "ds64", sizeof (ds64hdr.ckID));
54
-        ds64hdr.ckSize = sizeof (ds64_chunk);
55
+		ds64hdr.ckSize = sizeof (ds64_chunk) + (table_length * sizeof (CS64Chunk));
56
         CLEAR (ds64_chunk);
57
         ds64_chunk.riffSize64 = total_riff_bytes;
58
         ds64_chunk.dataSize64 = total_data_bytes;
59
         ds64_chunk.sampleCount64 = total_samples;
60
+		ds64_chunk.tableLength = table_length;
61
         riffhdr.ckSize = (uint32_t) -1;
62
         datahdr.ckSize = (uint32_t) -1;
63
         WavpackNativeToLittleEndian (&ds64hdr, ChunkHeaderFormat);
64
@@ -409,6 +413,14 @@ int WriteRiffHeader (FILE *outfile, Wavp
65
         datahdr.ckSize = (uint32_t) total_data_bytes;
66
     }
67
 
68
+    // this "table" is just a dummy placeholder for testing (normally not written)
69
+
70
+    if (table_length) {
71
+        strncpy (cs64_chunk.ckID, "dmmy", sizeof (cs64_chunk.ckID));
72
+        cs64_chunk.chunkSize64 = 12345678;
73
+        WavpackNativeToLittleEndian (&cs64_chunk, CS64ChunkFormat);
74
+    }
75
+    
76
     // write the RIFF chunks up to just before the data starts
77
 
78
     WavpackNativeToLittleEndian (&riffhdr, ChunkHeaderFormat);
79
@@ -418,8 +430,21 @@ int WriteRiffHeader (FILE *outfile, Wavp
80
 
81
     if (!DoWriteFile (outfile, &riffhdr, sizeof (riffhdr), &bcount) || bcount != sizeof (riffhdr) ||
82
         (do_rf64 && (!DoWriteFile (outfile, &ds64hdr, sizeof (ds64hdr), &bcount) || bcount != sizeof (ds64hdr))) ||
83
-        (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk))) ||
84
-        (write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
85
+        (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk)))) {
86
+            error_line ("can't write .WAV data, disk probably full!");
87
+            return FALSE;
88
+    }
89
+
90
+    // again, this is normally not written except for testing
91
+
92
+    while (table_length--)
93
+        if (!DoWriteFile (outfile, &cs64_chunk, sizeof (cs64_chunk), &bcount) || bcount != sizeof (cs64_chunk)) {
94
+            error_line ("can't write .WAV data, disk probably full!");
95
+            return FALSE;
96
+        }
97
+
98
+
99
+    if ((write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
100
         !DoWriteFile (outfile, &fmthdr, sizeof (fmthdr), &bcount) || bcount != sizeof (fmthdr) ||
101
         !DoWriteFile (outfile, &wavhdr, wavhdrsize, &bcount) || bcount != wavhdrsize ||
102
         !DoWriteFile (outfile, &datahdr, sizeof (datahdr), &bcount) || bcount != sizeof (datahdr)) {
view file @ 3455911b81
... ... --- /dev/null
... ... +++ b/wavpack-5.1.0-CVE-2018-7253.patch
... ... @@ -0,0 +1,22 @@
1
diff -rupN wavpack-5.1.0.old/cli/dsdiff.c wavpack-5.1.0/cli/dsdiff.c
2
--- wavpack-5.1.0.old/cli/dsdiff.c	2016-12-23 02:22:05.000000000 +0100
3
+++ wavpack-5.1.0/cli/dsdiff.c	2018-03-03 19:11:38.713239138 +0100
4
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infil
5
                 error_line ("dsdiff file version = 0x%08x", version);
6
         }
7
         else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
8
-            char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
9
+			char *prop_chunk;
10
+
11
+            if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
12
+                error_line ("%s is not a valid .DFF file!", infilename);
13
+                return WAVPACK_SOFT_ERROR;
14
+            }
15
+
16
+            if (debug_logging_mode)
17
+                error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
18
+
19
+			prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
20
 
21
             if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
22
                 bcount != dff_chunk_header.ckDataSize) {
view file @ 3455911b81
... ... --- /dev/null
... ... +++ b/wavpack-5.1.0-CVE-2018-7254.patch
... ... @@ -0,0 +1,55 @@
1
diff -rupN wavpack-5.1.0.old/cli/caff.c wavpack-5.1.0/cli/caff.c
2
--- wavpack-5.1.0.old/cli/caff.c	2016-12-06 04:22:23.000000000 +0100
3
+++ wavpack-5.1.0/cli/caff.c	2018-03-03 19:16:26.596608711 +0100
4
@@ -89,8 +89,8 @@ typedef struct
5
 
6
 #define CAFChannelDescriptionFormat "LLLLL"
7
 
8
-static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21 };
9
-static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16 };
10
+static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21,0 };
11
+static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16,0 };
12
 
13
 static struct {
14
     uint32_t mChannelLayoutTag;     // Core Audio layout, 100 - 146 in high word, num channels in low word
15
@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile,
16
             }
17
         }
18
         else if (!strncmp (caf_chunk_header.mChunkType, "chan", 4)) {
19
-            CAFChannelLayout *caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
20
+            CAFChannelLayout *caf_channel_layout;
21
 
22
-            if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) ||
23
-                !DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
24
+			 if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {
25
+				 error_line ("this .CAF file has an invalid 'chan' chunk!");
26
+				 return WAVPACK_SOFT_ERROR;
27
+			 }
28
+
29
+            if (debug_logging_mode)
30
+                error_line ("'chan' chunk is %d bytes", (int) caf_chunk_header.mChunkSize);
31
+
32
+            caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
33
+
34
+            if (!DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
35
                 bcount != caf_chunk_header.mChunkSize) {
36
                     error_line ("%s is not a valid .CAF file!", infilename);
37
                     free (caf_channel_layout);
38
@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile,
39
         }
40
         else {          // just copy unknown chunks to output file
41
 
42
-            int bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
43
-            char *buff = malloc (bytes_to_copy);
44
+			uint32_t bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
45
+            char *buff;
46
+
47
+            if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize > 1048576) {
48
+                error_line ("%s is not a valid .CAF file!", infilename);
49
+                return WAVPACK_SOFT_ERROR;
50
+            }
51
+
52
+            buff = malloc (bytes_to_copy);
53
 
54
             if (debug_logging_mode)
55
                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
... ... --- a/wavpack.spec
... ... +++ b/wavpack.spec
... ... @@ -1,15 +1,18 @@
1
%define major 1
2
%define libname %mklibname %{name} %{major}
3
%define devname %mklibname %{name} -d
1
%define	major 1
2
%define	libname %mklibname %{name} %{major}
3
%define	devname %mklibname %{name} -d
4 4
5 5
Summary:	Lossless Audio compressor
6 6
Name:		wavpack
7
Version:	4.80.0
7
Version:	5.1.0
8 8
Release:	2
9 9
License:	BSD
10 10
Group:		Sound
11 11
Url:		http://www.wavpack.com/
12 12
Source0:	http://www.wavpack.com/%{name}-%{version}.tar.bz2
13
Patch1:		%{name}-5.1.0-CVE-2018-6767.patch
14
Patch2:		%{name}-5.1.0-CVE-2018-7253.patch
15
Patch3:		%{name}-5.1.0-CVE-2018-7254.patch
13 16
BuildRequires:	pkgconfig(ncurses)
14 17
15 18
%description
... ... @@ -40,6 +43,7 @@ compression!
43 43
%{_bindir}/wavpack
44 44
%{_bindir}/wvunpack
45 45
%{_bindir}/wvgain
46
%{_bindir}/wvtag
46 47
%{_mandir}/man1/*1*
47 48
48 49
#----------------------------------------------------------------------------
... ... @@ -72,6 +76,7 @@ this means never having to choose between lossless and lossy
76 76
compression!
77 77
78 78
%files -n %{libname}
79
%doc COPYING
79 80
%{_libdir}/libwavpack.so.%{major}*
80 81
81 82
#----------------------------------------------------------------------------
... ... @@ -107,20 +112,23 @@ this means never having to choose between lossless and lossy
112 112
compression!
113 113
114 114
%files -n %{devname}
115
%doc doc/*.txt
115
%doc doc/*.pdf
116 116
%{_libdir}/libwavpack.so
117 117
%{_libdir}/pkgconfig/%{name}.pc
118
%{_includedir}/wavpack
118
%{_includedir}/%{name}
119 119
120 120
#----------------------------------------------------------------------------
121 121
122 122
%prep
123 123
%setup -q
124
%apply_patches
125
124 126
125 127
%build
126
%configure2_5x --disable-static
128
%configure2_5x \
129
	--disable-static
127 130
%make
128 131
132
129 133
%install
130 134
%makeinstall_std
131