From a4d9a95c5673b2e2666d63f7f972f49f9e2bbc45 Mon Sep 17 00:00:00 2001 
From: openKylinBot Date: Mon, 25 Apr 2022 22:03:04 +0800 Subject: [PATCH] Import Debian changes 1.0.28-ok1 libsndfile (1.0.28-ok1) yangtze; urgency=medium * Build for openKylin. --- debian/README.source | 7 + debian/changelog | 5 + debian/control | 74 +++++ debian/copyright | 307 ++++++++++++++++++ debian/examples/Makefile | 13 + debian/libsndfile1-dev.doc-base | 9 + debian/libsndfile1-dev.docs | 3 + debian/libsndfile1-dev.examples | 5 + debian/libsndfile1-dev.install | 5 + debian/libsndfile1.install | 1 + debian/libsndfile1.symbols | 42 +++ debian/patches/CVE-2017-6892.patch | 21 ++ debian/patches/CVE-2017-8362.patch | 49 +++ debian/patches/CVE-2017-8363.patch | 51 +++ debian/patches/CVE-2017-8365.patch | 63 ++++ debian/patches/CVE-2019-3832.patch | 21 ++ ...MAX_CHANNELS-in-sndfile-deinterleave.patch | 30 ++ ...aw-fix-multiple-buffer-overflows-432.patch | 90 +++++ debian/patches/binheader-heapoverflow.patch | 34 ++ ...eck-psf-sf.channels-against-upper-bo.patch | 34 ++ debian/patches/fix_rf64_arm.patch | 49 +++ debian/patches/fix_typos.patch | 67 ++++ debian/patches/series | 12 + .../src-wav.c-Fix-heap-read-overflow.patch | 29 ++ debian/rules | 18 + debian/salsa-ci.yml | 4 + debian/sndfile-programs.install | 11 + debian/source/format | 1 + debian/upstream/metadata | 4 + debian/watch | 3 + 30 files changed, 1062 insertions(+) create mode 100644 debian/README.source create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/examples/Makefile create mode 100644 debian/libsndfile1-dev.doc-base create mode 100644 debian/libsndfile1-dev.docs create mode 100644 debian/libsndfile1-dev.examples create mode 100644 debian/libsndfile1-dev.install create mode 100644 debian/libsndfile1.install create mode 100644 debian/libsndfile1.symbols create mode 100644 debian/patches/CVE-2017-6892.patch create mode 100644 debian/patches/CVE-2017-8362.patch create mode 100644 debian/patches/CVE-2017-8363.patch create 
mode 100644 debian/patches/CVE-2017-8365.patch create mode 100644 debian/patches/CVE-2019-3832.patch create mode 100644 debian/patches/Check-MAX_CHANNELS-in-sndfile-deinterleave.patch create mode 100644 debian/patches/a-ulaw-fix-multiple-buffer-overflows-432.patch create mode 100644 debian/patches/binheader-heapoverflow.patch create mode 100644 debian/patches/double64_init-Check-psf-sf.channels-against-upper-bo.patch create mode 100644 debian/patches/fix_rf64_arm.patch create mode 100644 debian/patches/fix_typos.patch create mode 100644 debian/patches/series create mode 100644 debian/patches/src-wav.c-Fix-heap-read-overflow.patch create mode 100755 debian/rules create mode 100644 debian/salsa-ci.yml create mode 100644 debian/sndfile-programs.install create mode 100644 debian/source/format create mode 100644 debian/upstream/metadata create mode 100644 debian/watch diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..6df8fbf --- /dev/null +++ b/debian/README.source @@ -0,0 +1,7 @@ +The Debian version of libsndfile has a couple of small patches applied which +have not yet been pushed upstream. + +On a Debian system you can read about how to apply the debian patches here: + + /usr/share/doc/quilt/README.source + diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..b3f8057 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +libsndfile (1.0.28-ok1) yangtze; urgency=medium + + * Build for openKylin. + + -- openKylinBot Mon, 25 Apr 2022 22:03:04 +0800 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..97eebff --- /dev/null +++ b/debian/control 
@@ -0,0 +1,74 @@ +Source: libsndfile +Section: devel +Priority: optional +Maintainer: Debian Multimedia Maintainers +Uploaders: + IOhannes m zmölnig (Debian/GNU) , +Build-Depends: + debhelper-compat (= 12), + pkg-config, + libvorbis-dev (>= 1.2.3), + libflac-dev (>= 1.1.4-0), + libasound2-dev [linux-any], +Rules-Requires-Root: no +Homepage: http://www.mega-nerd.com/libsndfile/ +Vcs-Git: https://salsa.debian.org/multimedia-team/libsndfile.git +Vcs-Browser: https://salsa.debian.org/multimedia-team/libsndfile +Standards-Version: 4.5.0 + +Package: libsndfile1-dev +Section: libdevel +Architecture: any +Depends: + ${misc:Depends}, + libsndfile1 (= ${binary:Version}), + pkg-config, + libvorbis-dev (>= 1.2.3), + libflac-dev (>= 1.1.4-0), +Conflicts: libsndfile-dev, + libsndfile0-dev +Replaces: libsndfile-dev +Provides: libsndfile-dev +Description: Development files for libsndfile; a library for reading/writing audio files + libsndfile is a library of C routines for reading and writing files containing + sampled audio data. + . + This is the development version of libsndfile. You will need this only if you + intend to compile programs that use this library. + +Package: libsndfile1 +Section: libs +Architecture: any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Description: Library for reading/writing audio files + libsndfile is a library of C routines for reading and writing files containing + sampled audio data. + . + Various versions of WAV (integer, floating point, GSM, and compressed formats); + Microsoft PCM, A-law and u-law formats; AIFF, AIFC and RIFX; various AU/SND + formats (Sun/NeXT, Dec AU, G721 and G723 ADPCM); RAW header-less PCM files; + Amiga IFF/8SVX/16SV PCM files; Ensoniq PARIS (.PAF); Apple's Core Audio Format + (CAF) and others. 
+ +Package: sndfile-programs +Section: utils +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: sndfile-tools +Description: Sample programs that use libsndfile + This package contains simple programs which use libsndfile for operating on + sound files. + . + Programs include: + - sndfile-cmp : compare the audio data of two files + - sndfile-concat : concatenate two or more files + - sndfile-convert : convert between sound file formats + - sndfile-info : print information about files + - sndfile-metadata-get/set : get and set file metadata + - sndfile-play : play a sound file diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..7f4293c --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,307 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: libsndfile +Upstream-Contact: Erik de Castro Lopo +Source: https://github.com/erikd/libsndfile/ + +Files: * +Copyright: 1999-2017 Erik de Castro Lopo +License: LGPL-2.1+ + +Files: src/* +Copyright: 1999-2017 Erik de Castro Lopo +License: LGPL-2.1+ + +Files: src/GSM610/* +Copyright: 1992, Jutta Degener and Carsten Bormann, Technische Universität Berlin +License: gsm + Any use of this software is permitted provided that this notice is not + removed and that neither the authors nor the Technische Universitaet Berlin + are deemed to have made any representations as to the suitability of this + software for any purpose nor are held responsible for any defects of + this software. THERE IS ABSOLUTELY NO WARRANTY FOR THIS SOFTWARE. + . + As a matter of courtesy, the authors request to be informed about uses + this software has found, about bugs in this software, and about any + improvements that may be of general interest. + +Files: src/ALAC/* +Copyright: 2011, Apple Inc. + 2012-2015, Erik de Castro Lopo +License: Apache-2.0 + +Files: src/ALAC/shift.h +Copyright: 2014, Erik de Castro Lopo +License: LGPL-2.1+ + +Files: src/G72x/* +Copyright: Sun Microsystems, Inc. +License: sun + This source code is a product of Sun Microsystems, Inc. and is provided + for unrestricted use. Users may copy or modify this source code without + charge. + . + SUN SOURCE CODE IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING + THE WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + . + Sun source code is provided with no support and without any obligation on + the part of Sun Microsystems, Inc. to assist in its use, correction, + modification or enhancement. + . + SUN MICROSYSTEMS, INC. 
SHALL HAVE NO LIABILITY WITH RESPECT TO THE + INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY THIS SOFTWARE + OR ANY PART THEREOF. + . + In no event will Sun Microsystems, Inc. be liable for any lost revenue + or profits or other special, indirect and consequential damages, even if + Sun has been advised of the possibility of such damages. + . + Sun Microsystems, Inc. + 2550 Garcia Avenue + Mountain View, California 94043 + +Files: src/G72x/g72x_test.c +Copyright: 1999-2014, Erik de Castro Lopo +License: GPL-2+ + +Files: src/*ima_oki* +Copyright: 2007, + 2007-2014, Erik de Castro Lopo +License: LGPL-2+ + +Files: src/aiff.c + src/wav.c + src/wavlike.c +Copyright: 1999-2016, Erik de Castro Lopo + 2004-2005, David Viens +License: LGPL-2.1+ + +Files: src/*.py +Copyright: 2003-2017, Erik de Castro Lopo +License: BSD-3-clause + +Files: src/sndfile.hh +Copyright: 2005-2012, Erik de Castro Lopo +License: BSD-3-clause + +Files: src/ogg_vorbis.c +Copyright: 2002-2005, Michael Smith + 2002-2016, Erik de Castro Lopo + 2007, John ffitch +License: BSD-3-clause and LGPL-2.1+ + +Files: src/ogg.c +Copyright: 2002-2016, Erik de Castro Lopo + 2007, John ffitch +License: LGPL-2.1+ + +Files: src/flac.c +Copyright: 2004, Tobias Gehrig + 2004-2017, Erik de Castro Lopo +License: LGPL-2.1+ + +Files: src/cart.c +Copyright: 2006, Paul Davis + 2006-2013, Erik de Castro Lopo + 2012, Chris Roberts +License: LGPL-2.1+ + +Files: src/chunk.c +Copyright: 2008-2016, Erik de Castro Lopo + 2012, IOhannes m zmoelnig, IEM +License: LGPL-2.1+ + +Files: src/sd2.c +Copyright: 2001-2016, Erik de Castro Lopo + 2004, Paavo Jumppanen +License: LGPL-2.1+ + +Files: src/broadcast.c +Copyright: 2006, Paul Davis + 2006-2016, Erik de Castro Lopo +License: LGPL-2.1+ + +Files: src/wve.c +Copyright: 2002-2016, Erik de Castro Lopo + 2007, Reuben Thomas +License: LGPL-2.1+ + +Files: src/file_io.c +Copyright: 2002-2014, Erik de Castro Lopo + 2003, Ross Bencina +License: LGPL-2.1+ + +Files: src/rf64.c 
+Copyright: 2008-2017, Erik de Castro Lopo + 2009, Uli Franke +License: LGPL-2.1+ + +Files: programs/* +Copyright: 1999-2016, Erik de Castro Lopo +License: BSD-3-clause + +Files: programs/common.c + programs/sndfile-metadata-*.c +Copyright: 1999-2016, Erik de Castro Lopo + 2008-2010, George Blood Audio +License: BSD-3-clause + +Files: programs/sndfile-cmp.c +Copyright: 2008, Conrad Parker + 2008-2016, Erik de Castro Lopo +License: BSD-3-clause + +Files: programs/sndfile-play-beos.cpp +Copyright: 2001, Marcus Overhagen +License: GPL-2+ + +Files: examples/* +Copyright: 1999-2016, Erik de Castro Lopo +License: BSD-3-clause + +Files: examples/sndfilehandle.cc +Copyright: 2007-2011, Erik de Castro Lopo +License: GPL-2+ + +Files: Octave/sndfile_load.m + Octave/sndfile_play.m + Octave/sndfile_save.m +Copyright: 2002-2011, Erik de Castro Lopo +License: GPL-2+ + +Files: tests/* +Copyright: 1999-2017 Erik de Castro Lopo +License: GPL-2+ + +Files: tests/*.sh.in +Copyright: 2008-2016, Erik de Castro Lopo +License: BSD-3-clause + +Files: regtest/* +Copyright: 2005-2011, Erik de Castro Lopo +License: GPL-2+ + +Files: Scripts/android-configure.sh +Copyright: 2013-2016, Erik de Castro Lopo +License: BSD-3-clause + +Files: M4/stack_protect.m4 +Copyright: 2013, Xiph.org Foundation +License: BSD-3-clause + +Files: M4/ax_add_fortify_source.m4 +Copyright: 2017, David Seifert +License: FSFAP + Copying and distribution of this file, with or without modification, are + permitted in any medium without royalty provided the copyright notice + and this notice are preserved. This file is offered as-is, without any + warranty. + +Files: M4/extra_pkg.m4 +Copyright: 2004, Scott James Remnant . 
+ 2008-2012, Erik de Castro Lopo +License: GPL-2+ + +Files: debian/* +Copyright: 2016-2017, Erik de Castro Lopo + 2016-2017, IOhannes m zmölnig +License: LGPL-2.1+ + + +License: LGPL-2.1+ + This package is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published + by the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the 'GNU Lesser General Public + License' along with this program. If not, see + . +Comment: + On Debian systems, the complete text of the GNU Lesser General Public License + (LGPL) version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1". + +License: LGPL-2+ + This package is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published + by the Free Software Foundation; either version 2 of the License. + . + This package is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the 'GNU Lesser General Public + License' along with this program. If not, see + . +Comment: + On Debian systems, the complete text of the GNU Lesser General Public License + (LGPL) version 2 can be found in "/usr/share/common-licenses/LGPL-2". 
+ +License: GPL-2+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2, or (at your option) any + later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program. If not, see . +Comment: + On Debian systems, the complete text of the GNU General Public License + (GPL) version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: BSD-3-clause + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY + EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+Comment:
+ On Debian systems, the complete text of the Apache 2.0 License
+ can be found in /usr/share/common-licenses/Apache-2.0 file.
diff --git a/debian/examples/Makefile b/debian/examples/Makefile
new file mode 100644
index 0000000..82d9a97
--- /dev/null
+++ b/debian/examples/Makefile
@@ -0,0 +1,13 @@
+SRC=$(wildcard *.c)
+APPS=$(SRC:%.c=%)
+SNDLIBS=$(LIBS) $(shell pkg-config --cflags --libs sndfile) -lm
+
+.PHONY: default clean
+
+default: $(APPS)
+
+%: %.c
+ $(CC) -Icommon $(CPPFLAGS) $(CFLAGS) -o $@ $< $(SNDLIBS)
+
+clean:
+ rm -f $(APPS)
diff --git a/debian/libsndfile1-dev.doc-base b/debian/libsndfile1-dev.doc-base
new file mode 100644
index 0000000..25363d7
--- /dev/null
+++ b/debian/libsndfile1-dev.doc-base
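Review bot: The link step in the `%: %.c` rule of debian/examples/Makefile passes `$(CPPFLAGS)` and `$(CFLAGS)` but not `$(LDFLAGS)`, so any linker flags the environment exports (for example the hardening flags dpkg-buildflags sets) never reach these example builds; `$(CC) -Icommon $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< $(SNDLIBS)` would honour them. `SNDLIBS` is defined with `=`, so the `$(shell pkg-config --cflags --libs sndfile)` call is re-run every time the variable is expanded, once per target built; `SNDLIBS:=$(LIBS) $(shell pkg-config --cflags --libs sndfile) -lm` evaluates it once. Whether `-Icommon` matches the directory the headers listed in libsndfile1-dev.examples end up in after installation is not visible here and is worth confirming.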
@@ -0,0 +1,9 @@ +Document: libsndfile +Title: Debian libsndfile Manual +Author: Erik de Castro Lopo +Abstract: Programming manual and examples for the libsndfile library. +Section: Programming + +Format: HTML +Index: /usr/share/doc/libsndfile1-dev/html/index.html +Files: /usr/share/doc/libsndfile1-dev/html/*.html diff --git a/debian/libsndfile1-dev.docs b/debian/libsndfile1-dev.docs new file mode 100644 index 0000000..eb9b151 --- /dev/null +++ b/debian/libsndfile1-dev.docs @@ -0,0 +1,3 @@ +NEWS +README +AUTHORS diff --git a/debian/libsndfile1-dev.examples b/debian/libsndfile1-dev.examples new file mode 100644 index 0000000..12bd6a0 --- /dev/null +++ b/debian/libsndfile1-dev.examples @@ -0,0 +1,5 @@ +examples/*.c +debian/examples/Makefile +src/common.h +src/sfconfig.h +src/config.h diff --git a/debian/libsndfile1-dev.install b/debian/libsndfile1-dev.install new file mode 100644 index 0000000..3a268e4 --- /dev/null +++ b/debian/libsndfile1-dev.install @@ -0,0 +1,5 @@ +usr/include/* +usr/lib/*/lib*.a +usr/lib/*/lib*.so +usr/lib/*/pkgconfig/sndfile.pc +usr/share/doc/libsndfile/* usr/share/doc/libsndfile1-dev/html/ diff --git a/debian/libsndfile1.install b/debian/libsndfile1.install new file mode 100644 index 0000000..3ddde58 --- /dev/null +++ b/debian/libsndfile1.install @@ -0,0 +1 @@ +usr/lib/*/lib*.so.* diff --git a/debian/libsndfile1.symbols b/debian/libsndfile1.symbols new file mode 100644 index 0000000..99273af --- /dev/null +++ b/debian/libsndfile1.symbols 
@@ -0,0 +1,42 @@ +libsndfile.so.1 libsndfile1 (>= 1.0.20) + libsndfile.so.1.0@libsndfile.so.1.0 1.0.20 + sf_close@libsndfile.so.1.0 1.0.20 + sf_command@libsndfile.so.1.0 1.0.20 + sf_current_byterate@libsndfile.so.1.0 1.0.27 + sf_error@libsndfile.so.1.0 1.0.20 + sf_error_number@libsndfile.so.1.0 1.0.20 + sf_error_str@libsndfile.so.1.0 1.0.20 + sf_format_check@libsndfile.so.1.0 1.0.20 + sf_get_chunk_data@libsndfile.so.1.0 1.0.27 + sf_get_chunk_iterator@libsndfile.so.1.0 1.0.27 + sf_get_chunk_size@libsndfile.so.1.0 1.0.27 + sf_get_string@libsndfile.so.1.0 1.0.20 + sf_next_chunk_iterator@libsndfile.so.1.0 1.0.27 + sf_open@libsndfile.so.1.0 1.0.20 + sf_open_fd@libsndfile.so.1.0 1.0.20 + sf_open_virtual@libsndfile.so.1.0 1.0.20 + sf_perror@libsndfile.so.1.0 1.0.20 + sf_read_double@libsndfile.so.1.0 1.0.20 + sf_read_float@libsndfile.so.1.0 1.0.20 + sf_read_int@libsndfile.so.1.0 1.0.20 + sf_read_raw@libsndfile.so.1.0 1.0.20 + sf_read_short@libsndfile.so.1.0 1.0.20 + sf_readf_double@libsndfile.so.1.0 1.0.20 + sf_readf_float@libsndfile.so.1.0 1.0.20 + sf_readf_int@libsndfile.so.1.0 1.0.20 + sf_readf_short@libsndfile.so.1.0 1.0.20 + sf_seek@libsndfile.so.1.0 1.0.20 + sf_set_chunk@libsndfile.so.1.0 1.0.27 + sf_set_string@libsndfile.so.1.0 1.0.20 + sf_strerror@libsndfile.so.1.0 1.0.20 + sf_version_string@libsndfile.so.1.0 1.0.20 + sf_write_double@libsndfile.so.1.0 1.0.20 + sf_write_float@libsndfile.so.1.0 1.0.20 + sf_write_int@libsndfile.so.1.0 1.0.20 + sf_write_raw@libsndfile.so.1.0 1.0.20 + sf_write_short@libsndfile.so.1.0 1.0.20 + sf_write_sync@libsndfile.so.1.0 1.0.20 + sf_writef_double@libsndfile.so.1.0 1.0.20 + sf_writef_float@libsndfile.so.1.0 1.0.20 + sf_writef_int@libsndfile.so.1.0 1.0.20 + sf_writef_short@libsndfile.so.1.0 1.0.20 diff --git a/debian/patches/CVE-2017-6892.patch b/debian/patches/CVE-2017-6892.patch new file mode 100644 index 0000000..c784397 --- /dev/null +++ b/debian/patches/CVE-2017-6892.patch 
@@ -0,0 +1,21 @@
+From: Erik de Castro Lopez
+Date: Tue, 20 Jun 2017 00:00:00 +0200
+Subject: Fix for CVE-2017-6892
+
+Origin: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- libsndfile.orig/src/aiff.c
++++ libsndfile/src/aiff.c
+@@ -1905,7 +1905,7 @@
+ psf_binheader_readf (psf, "j", dword - bytesread) ;
+
+ if (map_info->channel_map != NULL)
+- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ;
++ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ;
+
+ free (psf->channel_map) ;
+
diff --git a/debian/patches/CVE-2017-8362.patch b/debian/patches/CVE-2017-8362.patch
new file mode 100644
index 0000000..e8c7970
--- /dev/null
+++ b/debian/patches/CVE-2017-8362.patch
@@ -0,0 +1,49 @@
+From: Erik de Castro Lopez
+Date: Sun, 28 May 2017 00:00:00 +0200
+Subject: fixed yet another buffer read overflow in FLAC code
+
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+
+CVE-2017-8362
+Last-Update: 2017-05-28
+---
+ src/flac.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/flac.c b/src/flac.c
+index 5a4f8c2..e4f9aaa 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ const int32_t* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset, channels, len ;
+
++ if (psf->sf.channels != (int) frame->header.channels)
++ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++ "Nothing to do but to error out.\n" ,
++ psf->sf.channels, frame->header.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return 0 ;
++ } ;
++
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ return 0 ;
+ } ;
+
+-
+ len = SF_MIN (pflac->len, frame->header.blocksize) ;
+
+ if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+- "Nothing to be but to error out.\n" ,
++ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
diff --git a/debian/patches/CVE-2017-8363.patch b/debian/patches/CVE-2017-8363.patch
new file mode 100644
index 0000000..b9ec519
--- /dev/null
+++ b/debian/patches/CVE-2017-8363.patch
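Review bot: The code this patch adds to `flac_buffer_copy` sets `psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED`, an enumerator that only exists once CVE-2017-8365.patch has added it to `src/common.h`, and the `index 5a4f8c2..e4f9aaa` line shows the patch is cut against the tree left by CVE-2017-8363.patch (`index aad7920..5a4f8c2`), which in turn sits on top of CVE-2017-8365.patch (`index 40629c7..aad7920`). These three patches therefore apply cleanly only in the order 8365, 8363, 8362, not in filename order; `debian/patches/series` is outside this chunk, so it is worth confirming it lists them that way. A line in this patch's DEP-3 header such as `Depends: CVE-2017-8365.patch and CVE-2017-8363.patch must be applied first` would make the ordering explicit for the next rebase. The enclosing functions begin and end outside the hunks.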
@@ -0,0 +1,51 @@
+From: Erik de Castro Lopez
+Date: Sun, 28 May 2017 00:00:00 +0200
+Subject: fixing another memory leak in FLAC code
+
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562
+Last-Update: 2017-05-28
+
+CVE-2017-8363
+---
+ src/flac.c | 13 ++++--------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/src/flac.c b/src/flac.c
+index aad7920..5a4f8c2 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -430,8 +430,7 @@ sf_flac_meta_get_vorbiscomments (SF_PRIVATE *psf, const FLAC__StreamMetadata *me
+ static void
+ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
+ { SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
+- FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
+- int bitwidth = 0, i ;
++ int bitwidth = 0 ;
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+@@ -481,12 +480,6 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
+
+ if (bitwidth > 0)
+ psf_log_printf (psf, " Bit width : %d\n", bitwidth) ;
+-
+-
+- for (i = 0 ; i < psf->sf.channels ; i++)
+- pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (int32_t)) ;
+-
+- pflac->wbuffer = (const int32_t* const*) pflac->rbuffer ;
+ break ;
+
+ case FLAC__METADATA_TYPE_VORBIS_COMMENT :
+@@ -848,7 +841,9 @@ flac_read_header (SF_PRIVATE *psf)
+
+ psf_log_printf (psf, "End\n") ;
+
+- if (psf->error == 0)
++ if (psf->error != 0)
++ FLAC__stream_decoder_delete (pflac->fsd) ;
++ else
+ { FLAC__uint64 position ;
+
+ FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
diff --git a/debian/patches/CVE-2017-8365.patch b/debian/patches/CVE-2017-8365.patch
new file mode 100644
index 0000000..0f99ece
--- /dev/null
+++ b/debian/patches/CVE-2017-8365.patch
@@ -0,0 +1,63 @@
+From: Erik de Castro Lopez
+Date: Sun, 28 May 2017 00:00:00 +0200
+Subject: fixing buffer read/write overruns in FLAC-code
+
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+Last-Update: 2017-05-28
+
+CVE-2017-8365, CVE-2017-8363, CVE-2017-8361
+---
+ src/common.h | 1 +
+ src/flac.c | 13 +++++++++++++
+ src/sndfile.c | 1 +
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/common.h b/src/common.h
+index 0bd810c..e2669b6 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -725,6 +725,7 @@ enum
+ SFE_FLAC_INIT_DECODER,
+ SFE_FLAC_LOST_SYNC,
+ SFE_FLAC_BAD_SAMPLE_RATE,
++ SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ SFE_FLAC_UNKOWN_ERROR,
+
+ SFE_WVE_NOT_WVE,
+diff --git a/src/flac.c b/src/flac.c
+index 40629c7..aad7920 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -435,6 +435,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
++ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++ "Nothing to be but to error out.\n" ,
++ psf->sf.channels, metadata->data.stream_info.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return ;
++ } ;
++
++ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++ "Carrying on as if nothing happened.",
++ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++ } ;
+ psf->sf.channels = metadata->data.stream_info.channels ;
+ psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ psf->sf.frames = metadata->data.stream_info.total_samples ;
+diff --git a/src/sndfile.c b/src/sndfile.c
+index b76bfe9..1f57846 100644
+--- a/src/sndfile.c
++++ b/src/sndfile.c
+@@ -245,6 +245,7 @@
ErrorStruct SndfileErrors [] =
+ { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." },
+ { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
+ { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
+
+ { SFE_WVE_NOT_WVE , "Error : not a WVE file." },
diff --git a/debian/patches/CVE-2019-3832.patch b/debian/patches/CVE-2019-3832.patch
new file mode 100644
index 0000000..ce7b92b
--- /dev/null
+++ b/debian/patches/CVE-2019-3832.patch
@@ -0,0 +1,21 @@
+From: Emilio Pozuelo Monfort
+Date: Tue, 5 Mar 2019 11:27 +0100
+Subject: Fix for CVE-2019-3832
+
+Origin: https://github.com/erikd/libsndfile/pull/460
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/7408c4c788ce047d4e652b60a04e7796bcd7267e
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
+@@ -1094,6 +1094,10 @@
+ psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+
++ /* Make sure we don't read past the loops array end. */
++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
diff --git a/debian/patches/Check-MAX_CHANNELS-in-sndfile-deinterleave.patch b/debian/patches/Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
new file mode 100644
index 0000000..bb32ee2
--- /dev/null
+++ b/debian/patches/Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
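Review bot: In the wav.c hunk of CVE-2019-3832.patch the clamp of `psf->instrument->loop_count` to `ARRAY_LEN (psf->instrument->loops)` runs after `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;` has already emitted the unclamped count, so an instrument reporting more loops than the array holds produces a smpl chunk that announces N loop records while only ARRAY_LEN of them follow. Moving the `if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))` / `psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;` pair above the two `psf_binheader_writef` lines keeps the written count and the records consistent; if the chunk length earlier in the function is also derived from loop_count, the clamp needs to precede that too, which cannot be seen from this hunk. The out-of-bounds read of the loops array that the patch targets is closed either way; the ordering point concerns the header the writer produces. The enclosing function begins and ends outside the hunk.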
@@ -0,0 +1,30 @@
+From: "Brett T. Warden"
+Date: Tue, 28 Aug 2018 12:01:17 -0700
+Subject: Check MAX_CHANNELS in sndfile-deinterleave
+
+Allocated buffer has space for only 16 channels. Verify that input file
+meets this limit.
+
+Fixes #397
+---
+ programs/sndfile-deinterleave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
+index e27593e..cb497e1 100644
+--- a/programs/sndfile-deinterleave.c
++++ b/programs/sndfile-deinterleave.c
+@@ -89,6 +89,13 @@ main (int argc, char **argv)
+ exit (1) ;
+ } ;
+
++ if (sfinfo.channels > MAX_CHANNELS)
++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n",
++ argv [1], sfinfo.channels, MAX_CHANNELS) ;
++ exit (1) ;
++ } ;
++
++
+ state.channels = sfinfo.channels ;
+ sfinfo.channels = 1 ;
+
diff --git a/debian/patches/a-ulaw-fix-multiple-buffer-overflows-432.patch b/debian/patches/a-ulaw-fix-multiple-buffer-overflows-432.patch
new file mode 100644
index 0000000..3d2f573
--- /dev/null
+++ b/debian/patches/a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -0,0 +1,90 @@
+From: Hugo Lefeuvre
+Date: Mon, 24 Dec 2018 06:43:48 +0100
+Subject: a/ulaw: fix multiple buffer overflows (#432)
+
+i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+properly, leading to buffer underflow. INT_MIN is a special value
+since - INT_MIN cannot be represented as int.
+
+In this case round - INT_MIN to INT_MAX and proceed as usual.
+
+f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+properly, leading to null pointer dereference.
+
+In this case, arbitrarily set the buffer value to 0.
+
+This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+---
+ src/alaw.c | 9 +++++++--
+ src/ulaw.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a..4220224 100644
+--- a/src/alaw.c
++++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include
++#include
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git
a/src/ulaw.c b/src/ulaw.c
+index e50b4cb..b6070ad 100644
+--- a/src/ulaw.c
++++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include
++#include
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
diff --git a/debian/patches/binheader-heapoverflow.patch b/debian/patches/binheader-heapoverflow.patch
new file mode 100644
index 0000000..948fcfe
--- /dev/null
+++ b/debian/patches/binheader-heapoverflow.patch
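Review bot: The description names f2ulaw_array() and f2alaw_array() as the NaN cases, but the only floating-point paths patched in these hunks are d2alaw_array and d2ulaw_array; f2alaw_array and f2ulaw_array appear only as the `@@` context of the second hunk in each file, their bodies are not shown, and if they still do the same table lookup without an `!isfinite` guard the stated fix is incomplete. `isfinite` also rejects only NaN and infinities, so a large finite sample still feeds `lrint (normfact * ptr [count])` straight into the table index; whether the product is bounded by the caller should be confirmed. The added `#include` line has lost its bracketed header name in this rendering, so confirm it is the header that provides INT_MIN and INT_MAX.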
@@ -0,0 +1,34 @@
+From: =?utf-8?q?J=C3=B6rn_Heusipp?=
+Date: Wed, 12 Jul 2017 00:00:00 +0200
+Subject: Fix heap buffer overflows when writing strings in binheader
+
+Origin: upstream
+Applied-Upstream: cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
+---
+ src/common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index b9f3223..ecce9a7 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -675,15 +675,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ /* Write a C string (guaranteed to have a zero terminator). */
+ strptr = va_arg (argptr, char *) ;
+ size = strlen (strptr) + 1 ;
+- size += (size & 1) ;
+
+- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ return count ;
+
+ if (psf->rwf_endian == SF_ENDIAN_BIG)
+- header_put_be_int (psf, size) ;
++ header_put_be_int (psf, size + (size & 1)) ;
+ else
+- header_put_le_int (psf, size) ;
++ header_put_le_int (psf, size + (size & 1)) ;
++ size += (size & 1) ;
+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
+ psf->header.indx += size ;
+ psf->header.ptr [psf->header.indx - 1] = 0 ;
diff --git a/debian/patches/double64_init-Check-psf-sf.channels-against-upper-bo.patch b/debian/patches/double64_init-Check-psf-sf.channels-against-upper-bo.patch
new file mode 100644
index 0000000..2c4ca8e
--- /dev/null
+++ b/debian/patches/double64_init-Check-psf-sf.channels-against-upper-bo.patch
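Review bot: The memcpy still copies the padded length: `size` is `strlen (strptr) + 1`, the moved `size += (size & 1) ;` bumps it by one when that is odd, and `memcpy (..., strptr, size)` then reads one byte past the string's terminator before the final line overwrites it with zero. The patch fixes the destination side (the allocation check now reserves the pad byte) but leaves this one-byte source over-read in place. Copying only the unpadded length and writing the pad byte explicitly removes it; the existing trailing zero store can stay. psf_binheader_writef starts and ends outside the hunk.
```c
/* … unchanged: length field written as size + (size & 1) … */
memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
if (size & 1)
	psf->header.ptr [psf->header.indx + size] = 0 ;	/* pad byte; space was reserved by the check above */
size += (size & 1) ;
psf->header.indx += size ;
psf->header.ptr [psf->header.indx - 1] = 0 ;
```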
@@ -0,0 +1,34 @@
+From: Fabian Greffrath
+Date: Thu, 28 Sep 2017 12:15:04 +0200
+Subject: double64_init: Check psf->sf.channels against upper bound
+
+This prevents division by zero later in the code.
+
+While the trivial case to catch this (i.e. sf.channels < 1) has already
+been covered, a crafted file may report a number of channels that is
+so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
+miscalculated to zero (if this makes sense) in the determination of the
+blockwidth. Since we only support a limited number of channels anyway,
+make sure to check here as well.
+
+CVE-2017-14634
+
+Closes: https://github.com/erikd/libsndfile/issues/318
+Signed-off-by: Erik de Castro Lopo
+---
+ src/double64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/double64.c b/src/double64.c
+index b318ea8..78dfef7 100644
+--- a/src/double64.c
++++ b/src/double64.c
+@@ -91,7 +91,7 @@ int
+ double64_init (SF_PRIVATE *psf)
+ { static int double64_caps ;
+
+- if (psf->sf.channels < 1)
++ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
+ { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
+ return SFE_INTERNAL ;
+ } ;
diff --git a/debian/patches/fix_rf64_arm.patch b/debian/patches/fix_rf64_arm.patch
new file mode 100644
index 0000000..d63ac77
--- /dev/null
+++ b/debian/patches/fix_rf64_arm.patch
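Review bot: The widened condition records nothing about why an upper bound on channels matters here, so a reader sees only a range check and may later "simplify" it away. A comment such as `/* Bound channels so the blockwidth computation below cannot overflow to zero (CVE-2017-14634). */` above the `if` would preserve the reasoning from the patch description. The unchanged log text still calls this an "internal error" although the new branch is also reached by a malformed file, which can mislead when triaging logs. If float32_init has a parallel lower-bound check it presumably needs the same upper bound; that file is not on this page. double64_init continues outside the hunk.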
@@ -0,0 +1,49 @@
+From: Erik de Castro Lopez
+Date: Tue, 20 Jun 2017 00:00:00 +0200
+Subject: fix RF64 on armel/armhf archs
+
+Origin: upstream
+Applied-Upstream: 9d470ee5577d3ccedb1c28c7e0a7295ba17feaf5
+Last-Update: 2017-06-20
+---
+ src/rf64.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/rf64.c b/src/rf64.c
+index c373bb0..60a3309 100644
+--- a/src/rf64.c
++++ b/src/rf64.c
+@@ -339,6 +339,12 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
+ } ;
+ break ;
+
++ case JUNK_MARKER :
++ case PAD_MARKER :
++ psf_log_printf (psf, "%M : %d\n", marker, chunk_size) ;
++ psf_binheader_readf (psf, "j", chunk_size) ;
++ break ;
++
+ default :
+ if (chunk_size >= 0xffff0000)
+ { psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ;
+@@ -659,7 +665,7 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length)
+
+ if (wpriv->rf64_downgrade && psf->filelength < RIFF_DOWNGRADE_BYTES)
+ { psf_binheader_writef (psf, "etm8m", RIFF_MARKER, (psf->filelength < 8) ? 8 : psf->filelength - 8, WAVE_MARKER) ;
+- psf_binheader_writef (psf, "m4884", JUNK_MARKER, 20, 0, 0, 0, 0) ;
++ psf_binheader_writef (psf, "m4z", JUNK_MARKER, 24, 24) ;
+ add_fact_chunk = 1 ;
+ }
+ else
+@@ -735,9 +741,10 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length)
+
+ #endif
+
++ /* Padding may be needed if string data sizes change. */
+ pad_size = psf->dataoffset - 16 - psf->header.indx ;
+ if (pad_size >= 0)
+- psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ;
++ psf_binheader_writef (psf, "m4z", PAD_MARKER, (unsigned int) pad_size, make_size_t (pad_size)) ;
+
+ if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES))
+ psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ;
diff --git a/debian/patches/fix_typos.patch b/debian/patches/fix_typos.patch
new file mode 100644
index 0000000..9e7f22a
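Review bot: The rewritten downgrade line `psf_binheader_writef (psf, "m4z", JUNK_MARKER, 24, 24) ;` passes a bare int literal for the `z` conversion, while the pad line in the third hunk wraps the same conversion's argument as `make_size_t (pad_size)`; if `z` is pulled with va_arg as size_t, the literal should be `make_size_t (24)` for exactly the reason this patch exists on 32-bit ARM. In the new `JUNK_MARKER`/`PAD_MARKER` case, chunk_size goes to `psf_binheader_readf (psf, "j", chunk_size)` without the `>= 0xffff0000` plausibility check the default branch applies; whether the seek helper bounds it against the file length is not visible here. A short comment on the new case, e.g. `/* JUNK/PAD chunks carry no data we use; skip them instead of aborting the parse. */`, would also make the intent clear. Both functions start and end outside their hunks.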
--- /dev/null +++ b/debian/patches/fix_typos.patch @@ -0,0 +1,67 @@ +From: IOhannes m zmoelnig +Date: Wed, 5 Oct 2016 00:00:00 +0200 +Subject: fixed spelling errors + +Forwarded: yes +Last-Update: 2016-10-05 + +discovered by lintian +--- + doc/bugs.html | 2 +- + programs/sndfile-convert.c | 2 +- + src/ogg.c | 2 +- + src/wavlike.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/bugs.html b/doc/bugs.html +index 3a441fe..addedb8 100644 +--- a/doc/bugs.html ++++ b/doc/bugs.html +@@ -31,7 +31,7 @@ +
    +
  • Compilation problems on new platforms. +
  • Errors being detected during the `make check' process. +-
  • Segmentation faults occuring inside libsndfile. ++
  • Segmentation faults occurring inside libsndfile. +
  • libsndfile hanging when opening a file. +
  • Supported sound file types being incorrectly read or written. +
  • Omissions, errors or spelling mistakes in the documentation. +diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c +index dff7f79..896838f 100644 +--- a/programs/sndfile-convert.c ++++ b/programs/sndfile-convert.c +@@ -317,7 +317,7 @@ main (int argc, char * argv []) + if ((sfinfo.format & SF_FORMAT_SUBMASK) == SF_FORMAT_GSM610 && sfinfo.samplerate != 8000) + { printf ( + "WARNING: GSM 6.10 data format only supports 8kHz sample rate. The converted\n" +- "ouput file will contain the input data converted to the GSM 6.10 data format\n" ++ "output file will contain the input data converted to the GSM 6.10 data format\n" + "but not re-sampled.\n" + ) ; + } ; +diff --git a/src/ogg.c b/src/ogg.c +index 0856f77..e01ebe1 100644 +--- a/src/ogg.c ++++ b/src/ogg.c +@@ -193,7 +193,7 @@ ogg_stream_classify (SF_PRIVATE *psf, OGG_PRIVATE* odata) + break ; + } ; + +- psf_log_printf (psf, "This Ogg bitstream contains some uknown data type.\n") ; ++ psf_log_printf (psf, "This Ogg bitstream contains some unknown data type.\n") ; + return SFE_UNIMPLEMENTED ; + } /* ogg_stream_classify */ + +diff --git a/src/wavlike.c b/src/wavlike.c +index 86ebf01..c053da3 100644 +--- a/src/wavlike.c ++++ b/src/wavlike.c +@@ -161,7 +161,7 @@ wavlike_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize) + { psf_log_printf (psf, " Bit Width : 24\n") ; + + psf_log_printf (psf, "\n" +- " Ambiguous information in 'fmt ' chunk. Possibile file types:\n" ++ " Ambiguous information in 'fmt ' chunk. Possible file types:\n" + " 0) Invalid IEEE float file generated by Syntrillium's Cooledit!\n" + " 1) File generated by ALSA's arecord containing 24 bit samples in 32 bit containers.\n" + " 2) 24 bit file with incorrect Block Align value.\n" diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..5fb4b24 --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,12 @@
+CVE-2017-8365.patch
+CVE-2017-8363.patch
+CVE-2017-8362.patch
+CVE-2017-6892.patch
+CVE-2019-3832.patch
+binheader-heapoverflow.patch
+fix_rf64_arm.patch
+fix_typos.patch
+a-ulaw-fix-multiple-buffer-overflows-432.patch
+double64_init-Check-psf-sf.channels-against-upper-bo.patch
+src-wav.c-Fix-heap-read-overflow.patch
+Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
diff --git a/debian/patches/src-wav.c-Fix-heap-read-overflow.patch b/debian/patches/src-wav.c-Fix-heap-read-overflow.patch
new file mode 100644
index 0000000..fc11846
--- /dev/null
+++ b/debian/patches/src-wav.c-Fix-heap-read-overflow.patch
@@ -0,0 +1,29 @@
+From: Erik de Castro Lopo
+Date: Tue, 1 Jan 2019 20:11:46 +1100
+Subject: src/wav.c: Fix heap read overflow
+
+This is CVE-2018-19758.
+
+Closes: https://github.com/erikd/libsndfile/issues/435
+---
+ src/wav.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- libsndfile.orig/src/wav.c
++++ libsndfile/src/wav.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo
++** Copyright (C) 1999-2019 Erik de Castro Lopo
+ ** Copyright (C) 2004-2005 David Viens
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -1098,6 +1098,8 @@
+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
+
++ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
++ psf->instrument->loop_count &= 0x7fff ;
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..97f236c
--- /dev/null
+++ b/debian/rules
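Review bot: The mask `psf->instrument->loop_count &= 0x7fff ;` is applied after the ARRAY_LEN clamp, so a negative loop_count — which the clamp's `>` comparison does not catch if ARRAY_LEN expands to a signed value — is turned into a positive count of up to 0x7fff and the for loop below again reads past loops[]. Masking first and clamping second closes that path: move `psf->instrument->loop_count &= 0x7fff ;` above the `if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))` check. The mask also silently folds out-of-range counts into small valid ones instead of rejecting them; if that is intended the comment should say so (and "limit it range" should read "limit its range"). The header's loop_count field was written before either guard in this function, which continues outside the hunk.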
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+# Copyright © 2017 IOhannes m zmölnig
+# under the LGPL-2.1+
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+ dh $@
+
+override_dh_strip:
+ dh_strip --dbgsym-migration='libsndfile1-dbg (<< 1.0.28-1~), sndfile-programs-dbg (<< 1.0.28-1~)'
+
+override_dh_clean:
+ dh_clean
+ -find man/ -type l -delete
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..33c3a64
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,4 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
diff --git a/debian/sndfile-programs.install b/debian/sndfile-programs.install
new file mode 100644
index 0000000..3ba95bd
--- /dev/null
+++ b/debian/sndfile-programs.install
@@ -0,0 +1,11 @@
+usr/bin/sndfile-cmp
+usr/bin/sndfile-concat
+usr/bin/sndfile-convert
+usr/bin/sndfile-deinterleave
+usr/bin/sndfile-info
+usr/bin/sndfile-interleave
+usr/bin/sndfile-metadata-get
+usr/bin/sndfile-metadata-set
+usr/bin/sndfile-play
+usr/bin/sndfile-salvage
+usr/share/man/man1/*
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..1ddf853
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/erikd/libsndfile/issues
+Bug-Submit: https://github.com/erikd/libsndfile/issues/new
+Repository: https://github.com/erikd/libsndfile.git
+Repository-Browse: https://github.com/erikd/libsndfile
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..ac442a7
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=3
+
+http://www.mega-nerd.com/libsndfile/files/ libsndfile-([\d\.]+)\.tar\.gz
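Review bot: The watch file fetches the upstream tarball from plain `http://www.mega-nerd.com/libsndfile/files/` with no signature verification, so uscan gets no integrity guarantee beyond the URL itself. If upstream publishes detached signatures, add an `opts=pgpsigurlmangle=...` rule matching their suffix and ship the key in debian/upstream/signing-key.asc; if the same directory is served over https, prefer that URL. The salsa-ci.yml includes also pull the pipeline definitions from `master` rather than a pinned ref, which is the common Salsa setup but means the CI definition can change underneath the package without a commit here.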