Debian Patches
Status for libsndfile/1.2.2-2
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
fix_typos.patch | fixed spelling errors discovered by lintian | IOhannes m zmoelnig <umlaeute@debian.org> | yes | | | 2016-10-05 |
CVE-2022-33065/CVE-2022-33065-7.patch | [PATCH 11/17] mat4/mat5: fix int overflow when calculating blockwidth Pre-cast the components of the blockwidth calculation to sf_count_t to avoid overflowing integers during calculation. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-13.patch | [PATCH 17/17] ima_adpcm: fix int overflow in ima_reader_init() When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to provide the calculation with enough numeric space to avoid overflows. Other changes in this commit are syntactic, and only to satisfy the git pre-commit syntax checker. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-17 |
0039-src-ogg-better-error-checking-for-vorbis.-Fixes-1035.patch | [PATCH 39/41] src/ogg: better error checking for vorbis. Fixes #1035 | Arthur Taylor <art@ified.ca> | no | | | 2024-11-15 |
CVE-2022-33065/CVE-2022-33065-1.patch | [PATCH 05/17] mat4/mat5: fix int overflow in dataend calculation The clang sanitizer warns of a possible signed integer overflow when calculating the `dataend` value in `mat4_read_header()`. ``` src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' ``` Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of `dataend`) before performing the calculation, to avoid the issue. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-10 |
CVE-2022-33065/CVE-2022-33065-2.patch | [PATCH 06/17] au: avoid int overflow while calculating data_end At several points in au_read_header(), we calculate the functional end of the data segment by adding the (int)au_fmt.dataoffset and the (int)au_fmt.datasize. This can overflow the implicit int_32 return value and cause undefined behavior. Instead, precalculate the value and assign it to a 64-bit (sf_count_t)data_end variable. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-3.patch | [PATCH 07/17] avr: fix int overflow in avr_read_header() Pre-cast hdr.frames to sf_count_t, to provide the calculation with enough numeric space to avoid an int-overflow. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-4.patch | [PATCH 08/17] sds: fix int overflow warning in sample calculations The sds_*byte_read() functions compose their uint_32 sample buffers by shifting 7bit samples into a 32bit wide buffer, and adding them together. Because the 7bit samples are stored in 32bit ints, code fuzzers become concerned that the addition operation can overflow and cause undefined behavior. Instead, bitwise-OR the bytes together - which should accomplish the same arithmetic operation, without risking an int-overflow. Do the same for the 3byte and 4byte read functions. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-5.patch | [PATCH 09/17] aiff: fix int overflow when counting header elements aiff_read_basc_chunk() tries to count the AIFF header size by keeping track of the bytes returned by psf_binheader_readf(). Though improbable, it is technically possible for these added bytes to exceed the int-sized `count` accumulator. Use a 64-bit sf_count_t type for `count`, to ensure that it always has enough numeric space. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-6.patch | [PATCH 10/17] ircam: fix int overflow in ircam_read_header() When reading the IRCAM header, it is possible for the calculated blockwidth to exceed the bounds of a signed int32. Use a 64bit sf_count_t to store the blockwidth. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-11 |
CVE-2022-33065/CVE-2022-33065-8.patch | [PATCH 12/17] common: fix int overflow in psf_binheader_readf() The psf_binheader_readf() function attempts to count and return the number of bytes traversed in the header. During this accumulation, it is possible to overflow the int-sized byte_count variable. Avoid this overflow by checking that the accumulated bytes do not exceed INT_MAX and throwing an error if they do. This implies that files with multi-gigabyte headers threaten to produce this error, but I imagine those files don't really exist - and this error is better than the undefined behavior which would have resulted previously. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-16 |
CVE-2022-33065/CVE-2022-33065-9.patch | [PATCH 13/17] nms_adpcm: fix int overflow in signal estimate It is possible (though functionally incorrect) for the signal estimate calculation in nms_adpcm_update() to overflow the int value of s_e, resulting in undefined behavior. Since adpcm state signal values are never practically larger than 16 bits, use smaller numeric sizes throughout the file to avoid the overflow. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-19 |
CVE-2022-33065/CVE-2022-33065-10.patch | [PATCH 14/17] nms_adpcm: fix int overflow in sf.frames calc When calculating sf.frames from the blocks_total PNMS variable, it is theoretically possible to overflow the blocks_total int boundaries, leading to undefined behavior. Cast blocks_total to a long-sized sf_count_t before the calculation, to provide it with enough numeric space and because that is the final typing regardless. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-17 |
CVE-2022-33065/CVE-2022-33065-11.patch | [PATCH 15/17] pcm: fix int overflow in pcm_init() Cast the int-sized bytewidth variable to a long-sized sf_count_t type prior to calculating the blockwidth, to provide the calculation with enough numeric space and sf_count_t is the final typing regardless. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-17 |
CVE-2022-33065/CVE-2022-33065-12.patch | [PATCH 16/17] rf64: fix int overflow in rf64_read_header() When checking for mismatches between the filelength and riff_size, it is possible to overflow the temporary riff_size value used in the comparison by adding a static offset; which is probably fine, but it is offensive to overflow fuzzers. Since filelength is always a positive value, simply move the offset to the other side of the comparison operator as a negative value, to avoid the possibility of an overflow. | Alex Stewart <alex.stewart@ni.com> | no | | | 2023-10-17 |