Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
09_Actually-fail-when-error-occurs-in-parseFormat.patch | Actually fail when error occurs in parseFormat. When there's an unsupported number of bits per sample or an invalid number of samples per block, don't only print an error message using the error handler, but actually stop parsing the file. This fixes #35 (also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/ ) | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-06 | ||
10_Check-for-division-by-zero-in-BlockCodec-runPull.patch | Check for division by zero in BlockCodec::runPull | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-09 | ||
11_CVE-2018-13440.patch | [PATCH] ModuleState: handle compress/decompress init failure. When the unit initcompress or initdecompress function fails, m_fileModule is NULL. Return AF_FAIL in that case instead of causing NULL pointer dereferences later. Fixes #49 | Wim Taymans <wtaymans@redhat.com> | no | 2018-09-27 | ||
12_CVE-2018-17095.patch | [PATCH] SimpleModule: set output chunk framecount after pull. After pulling the data, set the output chunk to the amount of frames we pulled so that the next module in the chain has the correct frame count. Fixes #50 and #51 | Wim Taymans <wtaymans@redhat.com> | no | 2018-09-27 | ||
13-Fix-CVE-2022-24599.patch | Fix CVE-2022-24599. Memory-leak bug in printfileinfo, due to memcpy on a non-allocated memory buffer with a user-declared string. Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminates it with '\0' for printf. Also avoid a buffer overflow by refusing to allocate more than INT_MAX-1. Before, under valgrind: libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff Duration -inf seconds ==896222== Invalid read of size 1 ==896222== at 0x4846794: strlen (vg_replace_strmem.c:494) ==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435) ==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459) ==896222== by 0x49DE986: __printf_chk (printf_chk.c:33) ==896222== by 0x10985C: printf (stdio2.h:86) ==896222== by 0x10985C: printfileinfo (printinfo.c:134) ==896222== by 0x10930A: main (sfinfo.c:113) ==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd ==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381) ==896222== by 0x109825: copyrightstring (printinfo.c:163) ==896222== by 0x109825: printfileinfo (printinfo.c:131) ==896222== by 0x10930A: main (sfinfo.c:113) ==896222== Copyright C After: Duration -inf seconds Copyright C | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | 2023-11-11 | |
14-Partial-fix-of-CVE-2019-13147.patch | Partial fix of CVE-2019-13147. This fixes the symptom; do not allow allocating negative memory: ==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes ==129695==AddressSanitizer's allocator is terminating the process instead of returning 0 ==129695==If you don't like this behavior set allocator_may_return_null=1 ==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0) #0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02) #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595) #2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342) #3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46) #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a) #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327 #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248 #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79) If negative, bail out | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | 2023-11-11 | |
15-Partial-fix-of-CVE-2019-13147.patch | Partial fix of CVE-2019-13147. This is the fix of the POC. Do not allow too many channels. Now it fails with: Audio File Library: invalid file with 1633771873 channels [error 15] Could not open file 'poc' for reading. | Bastien Roucariès <rouca@debian.org> | yes | debian upstream | 2023-11-11 | |
02_hurd.patch | Remove usage of PATH_MAX in tests to fix FTBFS on Hurd. jcowgill: Removed Changelog changes | Pino Toscano <toscano.pino@tiscali.it> | yes | debian upstream | backport, https://github.com/mpruett/audiofile/commit/34c261034f1193a783196618f0052112e00fbcfe | |
03_CVE-2015-7747.patch | fix buffer overflow when changing both sample format and number of channels | no | debian | https://github.com/mpruett/audiofile/pull/25 | ||
04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch | clamp index values to fix index overflow in IMA.cpp. This fixes #33 (also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981 and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/) | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-06 | ||
05_Always-check-the-number-of-coefficients.patch | Always check the number of coefficients. When building the library with NDEBUG, asserts are eliminated so it's better to always check that the number of coefficients is inside the array range. This fixes the 00191-audiofile-indexoob issue in #41 | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-06 | ||
06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch | Check for multiplication overflow in MSADPCM decodeSample. Check for multiplication overflow (using __builtin_mul_overflow if available) in MSADPCM.cpp decodeSample and return an empty decoded block if an error occurs. This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41 | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-06 | ||
07_Check-for-multiplication-overflow-in-sfconvert.patch | Check for multiplication overflow in sfconvert. Checks that a multiplication doesn't overflow when calculating the buffer size, and if it overflows, reduce the buffer size instead of failing. This fixes the 00192-audiofile-signintoverflow-sfconvert case in #41 | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-06 | ||
08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch | Fix signature of multiplyCheckOverflow. It returns a bool, not an int | Antonio Larrosa <larrosa@kde.org> | no | 2017-03-10 | ||
01_gcc6.patch | Fix FTBFS with GCC 6 | Michael Schwendt <mschwendt@fedoraproject.org> | no | debian | vendor, https://github.com/mpruett/audiofile/pull/27 |