
Bug#987168: fluidsynth: diff for NMU version 2.1.7-1.1



On 2021-04-24 14:20:43 +0200, Reiner Herrmann wrote:
> Control: tags 987168 + patch
> Control: tags 987168 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for fluidsynth (versioned as 2.1.7-1.1) and
> uploaded it to DELAYED/3. Please feel free to tell me if I
> should delay it longer.

Please feel free to reschedule to DELAYED/0.

Cheers

> 
> Regards,
>   Reiner

> diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
> --- fluidsynth-2.1.7/debian/changelog	2021-02-09 21:43:23.000000000 +0100
> +++ fluidsynth-2.1.7/debian/changelog	2021-04-24 13:37:51.000000000 +0200
> @@ -1,3 +1,11 @@
> +fluidsynth (2.1.7-1.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
> +    (Closes: #987168)
> +
> + -- Reiner Herrmann <reiner@reiner-h.de>  Sat, 24 Apr 2021 13:37:51 +0200
> +
>  fluidsynth (2.1.7-1) unstable; urgency=medium
>  
>    * New upstream version 2.1.7
> diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
> --- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	1970-01-01 01:00:00.000000000 +0100
> +++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	2021-04-24 13:35:20.000000000 +0200
> @@ -0,0 +1,84 @@
> +From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
> +From: Tom M <tom.mbrt@googlemail.com>
> +Date: Mon, 15 Mar 2021 20:12:51 +0100
> +Subject: [PATCH] Invalid generators were not removed from zone list (#810)
> +Bug: https://github.com/FluidSynth/fluidsynth/issues/808
> +Bug-Debian: https://bugs.debian.org/987168
> +
> +fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
> +---
> + src/sfloader/fluid_sffile.c | 20 ++++++++++++--------
> + 1 file changed, 12 insertions(+), 8 deletions(-)
> +
> +diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
> +index 001a0a0a4..47ab98d97 100644
> +--- a/src/sfloader/fluid_sffile.c
> ++++ b/src/sfloader/fluid_sffile.c
> +@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
> +  * ------------------------------------------------------------------- */
> + static int load_pgen(SFData *sf, int size)
> + {
> +-    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
> ++    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
> +     SFZone *z;
> +     SFGen *g;
> +     SFGenAmount genval;
> +@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
> +         /* traverse through all presets */
> +         gzone = FALSE;
> +         discarded = FALSE;
> +-        p2 = ((SFPreset *)(p->data))->zone;
> ++        start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
> + 
> +         if(p2)
> +         {
> +@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
> +                 }
> +                 else
> +                 {
> ++                    p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
> +                     /* previous global zone exists, discard */
> +                     FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
> +                               ((SFPreset *)(p->data))->name);
> +-                    *hz = fluid_list_remove(*hz, p2->data);
> +-                    delete_zone((SFZone *)fluid_list_get(p2));
> ++                    fluid_list_remove(start_of_zone_list, z);
> ++                    delete_zone(z);
> ++                    continue;
> +                 }
> +             }
> + 
> +@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size)
> + /* load instrument generators (see load_pgen for loading rules) */
> + static int load_igen(SFData *sf, int size)
> + {
> +-    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
> ++    fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
> +     SFZone *z;
> +     SFGen *g;
> +     SFGenAmount genval;
> +@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size)
> +         /* traverse through all instruments */
> +         gzone = FALSE;
> +         discarded = FALSE;
> +-        p2 = ((SFInst *)(p->data))->zone;
> ++        start_of_zone_list = p2 = ((SFInst *)(p->data))->zone;
> + 
> +         if(p2)
> +         {
> +@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size)
> +                 }
> +                 else
> +                 {
> ++                    p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
> +                     /* previous global zone exists, discard */
> +                     FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone",
> +                               ((SFInst *)(p->data))->name);
> +-                    *hz = fluid_list_remove(*hz, p2->data);
> +-                    delete_zone((SFZone *)fluid_list_get(p2));
> ++                    fluid_list_remove(start_of_zone_list, z);
> ++                    delete_zone(z);
> ++                    continue;
> +                 }
> +             }
> + 
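Review bot: The value returned by `fluid_list_remove(start_of_zone_list, z)` is dropped in the discard branches of both load_pgen and load_igen, whereas the code it replaces wrote the result back (`*hz = fluid_list_remove(*hz, ...)`); if `z` were ever the first node of the zone list, `((SFPreset *)(p->data))->zone` (resp. the SFInst `zone` field) would be left pointing at a freed list node, i.e. the same class of use-after-free the patch is fixing. The branch only runs when an earlier global zone was already seen, which presumably guarantees `z` is not the head, but that invariant is not visible in the hunk and costs one assignment to make explicit: `start_of_zone_list = ((SFPreset *)(p->data))->zone = fluid_list_remove(start_of_zone_list, z);` (and the SFInst counterpart in load_igen). The added `continue` also depends on `p2` having been advanced by hand two lines earlier, so a comment at the loop head such as `/* the body advances p2 itself; do not add an increment here */` would protect the next reader. Both loop headers, and the point where `z` is assigned from `p2`, lie outside the hunk.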
> diff -Nru fluidsynth-2.1.7/debian/patches/series fluidsynth-2.1.7/debian/patches/series
> --- fluidsynth-2.1.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
> +++ fluidsynth-2.1.7/debian/patches/series	2021-04-24 13:35:27.000000000 +0200
> @@ -0,0 +1 @@
> +CVE-2021-28421.patch




-- 
Sebastian Ramacher


