Bug#935460: stretch-pu: package sox/14.4.1-5+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Attached debdiff fixes a number of bugs in sox. These have been in jessie
for a while already (Stretch and Jessie have the same base version, as the
package was unmaintained for a while) and I've run some of the PoCs against
the Stretch build. Debdiff below.
Cheers,
Moritz
diff -Nru sox-14.4.1/debian/changelog sox-14.4.1/debian/changelog
--- sox-14.4.1/debian/changelog 2019-02-01 16:18:21.000000000 +0100
+++ sox-14.4.1/debian/changelog 2019-08-16 00:28:55.000000000 +0200
@@ -1,3 +1,16 @@
+sox (14.4.1-5+deb9u2) stretch; urgency=medium
+
+ * Sync up patches with 14.4.1-5+deb8u4 (sans some uncommented patches)
+ CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 (Closes: #927906)
+ CVE-2019-1010004 CVE-2017-18189 (Closes: #881121)
+ CVE-2017-15642 (Closes: #882144)
+ CVE-2017-15372 (Closes: #878808)
+ CVE-2017-15371 (Closes: #878809)
+ CVE-2017-15370 (Closes: #878810)
+ CVE-2017-11359 CVE-2017-11358 CVE-2017-11332 (Closes: #870328)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Fri, 16 Aug 2019 00:28:55 +0200
+
sox (14.4.1-5+deb9u1) stretch; urgency=medium
* Non-maintainer upload.
diff -Nru sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch
--- sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch 2019-05-10 01:08:00.000000000 +0200
@@ -0,0 +1,80 @@
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Tue, 8 Dec 2015 22:52:41 +0000
+Subject: [PATCH 1/5] Clean up lsx_malloc() and friends
+
+---
+ src/Makefile.am | 2 +-
+ src/xmalloc.c | 30 +++++++++++++++++++++++++-----
+ src/xmalloc.h | 7 ++++---
+ 3 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/src/xmalloc.c b/src/xmalloc.c
+index 9bf15969..56fe6944 100644
+--- a/src/xmalloc.c
++++ b/src/xmalloc.c
+@@ -20,6 +20,16 @@
+ #include "sox_i.h"
+ #include <stdlib.h>
+
++static void *lsx_checkptr(void *ptr)
++{
++ if (!ptr) {
++ lsx_fail("out of memory");
++ exit(2);
++ }
++
++ return ptr;
++}
++
+ /* Resize an allocated memory area; abort if not possible.
+ *
+ * For malloc, `If the size of the space requested is zero, the behavior is
+@@ -34,10 +44,20 @@ void *lsx_realloc(void *ptr, size_t newsize)
+ return NULL;
+ }
+
+- if ((ptr = realloc(ptr, newsize)) == NULL) {
+- lsx_fail("out of memory");
+- exit(2);
+- }
++ return lsx_checkptr(realloc(ptr, newsize));
++}
+
+- return ptr;
++void *lsx_malloc(size_t size)
++{
++ return lsx_checkptr(malloc(size + !size));
++}
++
++void *lsx_calloc(size_t n, size_t size)
++{
++ return lsx_checkptr(calloc(n + !n, size + !size));
++}
++
++char *lsx_strdup(const char *s)
++{
++ return lsx_checkptr(strdup(s));
+ }
+diff --git a/src/xmalloc.h b/src/xmalloc.h
+index 9ee77f63..92ac64d9 100644
+--- a/src/xmalloc.h
++++ b/src/xmalloc.h
+@@ -23,10 +23,11 @@
+ #include <stddef.h>
+ #include <string.h>
+
+-#define lsx_malloc(size) lsx_realloc(NULL, (size))
+-#define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL)
++LSX_RETURN_VALID void *lsx_malloc(size_t size);
++LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
++LSX_RETURN_VALID char *lsx_strdup(const char *s);
++
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+-#define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+ #define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+ #define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
+--
+2.20.1
+
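Review bot: The new `lsx_strdup()` in xmalloc.c passes `s` straight to `strdup()`, whereas the macro it replaces (the removed `#define lsx_strdup(p)` in xmalloc.h) returned NULL for a NULL argument, so any caller that relied on that now invokes undefined behaviour inside strdup. Either keep the old contract with `return s ? lsx_checkptr(strdup(s)) : NULL;` or audit the callers for NULL arguments before shipping. The diffstat also lists src/Makefile.am, but no Makefile.am hunk is included, so it was presumably dropped when backporting; a line in the patch header saying why would save the next person from hunting for it. Note too that `size + !size` wraps to 0 when `size == SIZE_MAX`, turning a request that should fail into a successful zero-byte allocation; it is a pathological input, but a `size == SIZE_MAX` check next to the `!size` trick would close it.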
diff -Nru sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
--- sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch 2019-05-10 01:08:00.000000000 +0200
@@ -0,0 +1,23 @@
+From f70911261a84333b077c29908e1242f69d7439eb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 14:57:34 +0100
+Subject: [PATCH 2/5] fix possible buffer size overflow in lsx_make_lpf()
+ (CVE-2019-8354)
+
+The multiplication in the size argument malloc() might overflow,
+resulting in a small buffer being allocated. Use calloc() instead.
+---
+ src/effects_i_dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -256,7 +256,7 @@
+ double * lsx_make_lpf(int num_taps, double Fc, double beta, double scale, sox_bool dc_norm)
+ {
+ int i, m = num_taps - 1;
+- double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++ double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+ double mult = scale / lsx_bessel_I_0(beta);
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i, Fc=%g beta=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, dc_norm, scale);
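Review bot: `calloc()` removes the multiplication overflow, but `num_taps` is a signed `int` and is never range-checked here: a negative value converts to a huge `size_t` (a guaranteed allocation failure), and `num_taps == 0` gives `m = -1`, so the loop `for (i = 0; i <= m / 2; ++i)` that follows (visible in patch 0005's context) still executes once and writes `h[0]` into a zero-length allocation. Whether a caller can reach this with a non-positive count is not visible from the hunk, but the guard is cheap: `if (num_taps <= 0) return NULL;` before the allocation, with callers then expected to handle NULL, which patch 0005 in this same series already requires of them. The rest of lsx_make_lpf() lies outside the hunk.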
diff -Nru sox-14.4.1/debian/patches/0003-fix-possible-overflow-in-lsx_-re-valloc-size-calcula.patch sox-14.4.1/debian/patches/0003-fix-possible-overflow-in-lsx_-re-valloc-size-calcula.patch
--- sox-14.4.1/debian/patches/0003-fix-possible-overflow-in-lsx_-re-valloc-size-calcula.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/0003-fix-possible-overflow-in-lsx_-re-valloc-size-calcula.patch 2019-05-10 01:08:00.000000000 +0200
@@ -0,0 +1,55 @@
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH 3/5] fix possible overflow in lsx_(re)valloc() size
+ calculation (CVE-2019-8355)
+
+---
+ src/Makefile.am | 2 +-
+ src/xmalloc.c | 10 ++++++++++
+ src/xmalloc.h | 5 +++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/xmalloc.c b/src/xmalloc.c
+index 56fe6944..72c9ea4d 100644
+--- a/src/xmalloc.c
++++ b/src/xmalloc.c
+@@ -57,6 +57,16 @@ void *lsx_calloc(size_t n, size_t size)
+ return lsx_checkptr(calloc(n + !n, size + !size));
+ }
+
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++ if (n > (size_t)-1 / size) {
++ lsx_fail("malloc size overflow");
++ exit(2);
++ }
++
++ return lsx_realloc(p, n * size);
++}
++
+ char *lsx_strdup(const char *s)
+ {
+ return lsx_checkptr(strdup(s));
+diff --git a/src/xmalloc.h b/src/xmalloc.h
+index 92ac64d9..21ff6630 100644
+--- a/src/xmalloc.h
++++ b/src/xmalloc.h
+@@ -25,11 +25,12 @@
+
+ LSX_RETURN_VALID void *lsx_malloc(size_t size);
+ LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
+ LSX_RETURN_VALID char *lsx_strdup(const char *s);
+
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n) v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n) v = lsx_realloc_array(v, n, sizeof(*(v)))
+
+ #endif
+--
+2.20.1
+
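Review bot: `lsx_realloc_array()` divides by `size` in `n > (size_t)-1 / size` with no guard, so a zero `size` is a division by zero; the two macros only ever pass `sizeof(*(v))`, which cannot be zero for a complete type, but the function is exported through xmalloc.h and nothing stops a direct caller from passing 0. The guard is one token: `if (size && n > (size_t)-1 / size)`. The rewritten `lsx_valloc`/`lsx_revalloc` macros also drop the parentheses the old definitions kept around `n` (`(n)*sizeof(*(v))`); in a call-argument position only a comma expression would now mis-parse, but `(n)` costs nothing and matches the rest of the header. As with patch 0001, src/Makefile.am appears in the diffstat but not in the patch body.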
diff -Nru sox-14.4.1/debian/patches/0004-fft4g-bail-if-size-too-large-CVE-2019-8356.patch sox-14.4.1/debian/patches/0004-fft4g-bail-if-size-too-large-CVE-2019-8356.patch
--- sox-14.4.1/debian/patches/0004-fft4g-bail-if-size-too-large-CVE-2019-8356.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/0004-fft4g-bail-if-size-too-large-CVE-2019-8356.patch 2019-05-10 01:08:00.000000000 +0200
@@ -0,0 +1,92 @@
+From b7883ae1398499daaa926ae6621f088f0f531ed8 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 16:56:42 +0100
+Subject: [PATCH 4/5] fft4g: bail if size too large (CVE-2019-8356)
+
+Prevent overflowing of fixed-size buffers in bitrv2() and bitrv2conj()
+if the transform size is too large.
+---
+ src/fft4g.c | 18 ++++++++++++++++++
+ src/fft4g.h | 2 ++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/src/fft4g.c b/src/fft4g.c
+index 38a8bcc0..88a2a7ec 100644
+--- a/src/fft4g.c
++++ b/src/fft4g.c
+@@ -322,6 +322,9 @@ static void rftfsub(int n, double *a, int nc, double const *c);
+
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ if (n > (ip[0] << 2)) {
+ makewt(n >> 2, ip, w);
+ }
+@@ -344,6 +347,9 @@ void rdft(int n, int isgn, double *a, int *ip, double *w)
+ int nw, nc;
+ double xi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -384,6 +390,9 @@ void ddct(int n, int isgn, double *a, int *ip, double *w)
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -435,6 +444,9 @@ void ddst(int n, int isgn, double *a, int *ip, double *w)
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -486,6 +498,9 @@ void dfct(int n, double *a, double *t, int *ip, double *w)
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+@@ -576,6 +591,9 @@ void dfst(int n, double *a, double *t, int *ip, double *w)
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+diff --git a/src/fft4g.h b/src/fft4g.h
+index 2b8051ca..95ee3413 100644
+--- a/src/fft4g.h
++++ b/src/fft4g.h
+@@ -13,6 +13,8 @@
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
++#define FFT4G_MAX_SIZE 262144
++
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+ void lsx_ddct(int, int, double *, int *, double *);
+--
+2.20.1
+
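Review bot: Each of the six transform entry points now returns silently when `n > FFT4G_MAX_SIZE`, leaving the caller's `a[]`, `ip[]` and `w[]` untouched with no error or log line, so a caller that has no way to learn of the rejection proceeds on untransformed data. Since fft4g.c is an imported library with void entry points, the least that should happen is a documented contract on the declarations in fft4g.h, e.g. `/* Sizes above FFT4G_MAX_SIZE are rejected: the transform returns without touching a[], ip[] or w[]. */`, and, if lsx_warn() is usable in this translation unit, a `lsx_warn("fft size %d exceeds FFT4G_MAX_SIZE", n);` ahead of each `return`. Negative `n` is not covered by the new check either; whether the `n > (ip[0] << 2)` paths that follow tolerate it is not visible here.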
diff -Nru sox-14.4.1/debian/patches/0005-fix-possible-null-pointer-deref-in-lsx_make_lpf-CVE-.patch sox-14.4.1/debian/patches/0005-fix-possible-null-pointer-deref-in-lsx_make_lpf-CVE-.patch
--- sox-14.4.1/debian/patches/0005-fix-possible-null-pointer-deref-in-lsx_make_lpf-CVE-.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/0005-fix-possible-null-pointer-deref-in-lsx_make_lpf-CVE-.patch 2019-05-10 01:08:00.000000000 +0200
@@ -0,0 +1,24 @@
+From 2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 15:08:51 +0100
+Subject: [PATCH 5/5] fix possible null pointer deref in lsx_make_lpf()
+ (CVE-2019-8357)
+
+If the buffer allocation fails, return NULL.
+---
+ src/effects_i_dsp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -260,6 +260,10 @@
+ double mult = scale / lsx_bessel_I_0(beta);
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i, Fc=%g beta=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, dc_norm, scale);
++
++ if (!h)
++ return NULL;
++
+ for (i = 0; i <= m / 2; ++i) {
+ double x = M_PI * (i - .5 * m), y = 2. * i / m - 1;
+ h[i] = x? sin(Fc * x) / x : Fc;
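Review bot: The NULL return on allocation failure is a new part of lsx_make_lpf()'s contract, but nothing at the definition says so, and every caller (all outside this hunk) must now check the result instead of indexing it. A comment above the function such as `/* Returns a freshly allocated array of num_taps coefficients, or NULL if it cannot be allocated; the caller owns and frees it. */` would make the obligation visible where the next maintainer looks. The check sits after the `lsx_debug()` and the `assert(Fc ...)` line, which is fine as long as it stays ahead of the first `h[i]` store in the loop below.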
diff -Nru sox-14.4.1/debian/patches/CVE-2017-11332.patch sox-14.4.1/debian/patches/CVE-2017-11332.patch
--- sox-14.4.1/debian/patches/CVE-2017-11332.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-11332.patch 2019-03-05 16:43:06.000000000 +0100
@@ -0,0 +1,19 @@
+Description: wav: fix crash if channel count is zero
+ WAV files declaring zero channels lead to division-by-zero crashes.
+ numchannels = 0 is not a meaningful value, forbid it.
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/7405bcaacb1ded8c595cb751d407cf738cb26571
+--- a/src/wav.c 2019-03-05 16:42:55.000000000 +0100
++++ b/src/wav.c 2019-03-05 16:58:31.066400747 +0100
+@@ -614,6 +614,11 @@
+ else
+ lsx_report("User options overriding channels read in .wav header");
+
++ if (ft->signal.channels == 0) {
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++ return SOX_EOF;
++ }
++
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+ ft->signal.rate = dwSamplesPerSecond;
+ else
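Review bot: The read path now rejects `channels == 0` but, unlike the xa.c patch in this same upload (`channels == 0 || channels > UINT16_MAX`), sets no upper bound, even though the `lsx_report()` two lines above documents that user options may override the header value. The WAV header field itself is 16-bit, so an oversized count can only arrive through that override, and whether it can is not visible here; mirroring the xa.c check with `if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX)` would keep both readers consistent and make the later channel-based size arithmetic safe by construction. The enclosing function continues outside the hunk.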
diff -Nru sox-14.4.1/debian/patches/CVE-2017-11358.patch sox-14.4.1/debian/patches/CVE-2017-11358.patch
--- sox-14.4.1/debian/patches/CVE-2017-11358.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-11358.patch 2019-03-05 16:43:06.000000000 +0100
@@ -0,0 +1,17 @@
+Subject: hcom: fix crash on input with corrupt dictionary
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/6cb44a44b9eda6b321ccdbf6483348d4a9798b00
+--- a/src/hcom.c 2012-01-23 23:27:33.000000000 +0100
++++ b/src/hcom.c 2019-03-05 17:03:20.202990165 +0100
+@@ -150,6 +150,11 @@
+ lsx_debug("%d %d",
+ p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson);
++ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
++ (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++ return SOX_EOF;
++ }
+ }
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+ if (rc)
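Review bot: The new validation casts `dict_leftson` and `dict_rightson` to `unsigned` before comparing against `dictsize`, which rejects every negative value; if the decoder in this file (outside the hunk) uses a negative `dict_leftson` as the leaf marker with `dict_rightson` carrying the sample byte, as the classic HCOM layout does, every well-formed dictionary would now fail with "Invalid dictionary". That is inferred rather than visible here, so please confirm with a known-good .hcom file that decoding still works; if leaves are encoded that way, the bound should apply only to non-negative indices, e.g. `(p->dictionary[i].dict_leftson >= 0 && (unsigned) p->dictionary[i].dict_leftson >= dictsize)`. The type of `dictsize` is also not visible; if it is a signed short read from the header, a negative value promoted in this comparison would make the check accept everything, so bounding `dictsize` itself at read time is worth checking.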
diff -Nru sox-14.4.1/debian/patches/CVE-2017-11359.patch sox-14.4.1/debian/patches/CVE-2017-11359.patch
--- sox-14.4.1/debian/patches/CVE-2017-11359.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-11359.patch 2019-03-05 16:43:06.000000000 +0100
@@ -0,0 +1,20 @@
+Description: wav: fix crash writing header when channel count >64k
+ High number of channels (>64k) lead to divide-by-zero error and crash. Number
+ of channels should be representable with 16 bits, so forbid any higher value.
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/8b590b3a52f4ccc4eea3f41b4a067c38b3565b60
+--- a/src/wav.c 2019-03-05 17:05:44.053925697 +0100
++++ b/src/wav.c 2019-03-05 17:07:53.657036855 +0100
+@@ -1278,6 +1278,12 @@
+ long blocksWritten = 0;
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */
+
++ if (ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ dwSamplesPerSecond = ft->signal.rate;
+ wChannels = ft->signal.channels;
+ wBitsPerSample = ft->encoding.bits_per_sample;
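Review bot: The new guard reports the oversized channel count with `SOX_EOF` as the errno, whereas the analogous checks in this upload use `SOX_EHDR` (wav.c read side) and `SOX_EFMT` (xa.c); an unrepresentable output format is a format error, not end-of-file, so `lsx_fail_errno(ft, SOX_EFMT, "Too many channels (%u)", ft->signal.channels);` would be the consistent choice. The bound also stops short of what the RIFF header needs if wav.c computes a 16-bit `wBlockAlign` from `wChannels` times the bytes per sample, as the format requires: 65535 channels of 32-bit samples still overflow it, though whether that path is reachable is not visible from this hunk. `UINT16_MAX` needs <stdint.h>; presumably wav.c already includes it, but the patch does not show it.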
diff -Nru sox-14.4.1/debian/patches/CVE-2017-15370.patch sox-14.4.1/debian/patches/CVE-2017-15370.patch
--- sox-14.4.1/debian/patches/CVE-2017-15370.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-15370.patch 2019-02-28 08:58:56.000000000 +0100
@@ -0,0 +1,16 @@
+Description: wav: ima_adpcm: fix buffer overflow on corrupt input
+ Add the same check bad block size as was done for MS adpcm in patch
+ 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch.
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/ef3d8be0f80cbb650e4766b545d61e10d7a24c9e
+--- a/src/wav.c 2019-02-28 10:06:36.428053693 +0100
++++ b/src/wav.c 2019-02-28 10:07:05.191757247 +0100
+@@ -125,7 +125,7 @@
+ /* work with partial blocks. Specs say it should be null */
+ /* padded but I guess this is better than trailing quiet. */
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+- if (samplesThisBlock == 0)
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+ {
+ lsx_warn("Premature EOF on .wav input file");
+ return 0;
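Review bot: The extended condition now also fires when `samplesThisBlock > wav->samplesPerBlock`, but the warning it emits, `"Premature EOF on .wav input file"`, describes only the original short-read case; a block that claims more samples than `samplesPerBlock` is corrupt input, not EOF, and a user reading the log will be misled. A separate branch for the new case, `if (samplesThisBlock > wav->samplesPerBlock) { lsx_warn("Corrupt IMA ADPCM block: more samples than samplesPerBlock"); return 0; }`, keeps the fix and makes the diagnostic honest. The enclosing read routine starts and ends outside the hunk.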
diff -Nru sox-14.4.1/debian/patches/CVE-2017-15371.patch sox-14.4.1/debian/patches/CVE-2017-15371.patch
--- sox-14.4.1/debian/patches/CVE-2017-15371.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-15371.patch 2019-03-05 16:43:06.000000000 +0100
@@ -0,0 +1,29 @@
+Subject: flac: fix crash on corrupt metadata
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/818bdd0ccc1e5b6cae742c740c17fd414935cf39
+--- a/src/flac.c 2013-01-13 20:57:39.000000000 +0100
++++ b/src/flac.c 2019-03-05 17:15:06.998569651 +0100
+@@ -78,9 +78,10 @@
+ p->total_samples = metadata->data.stream_info.total_samples;
+ }
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+ size_t i;
+
+- if (metadata->data.vorbis_comment.num_comments == 0)
++ if (vc->num_comments == 0)
+ return;
+
+ if (ft->oob.comments != NULL) {
+@@ -88,8 +89,9 @@
+ return;
+ }
+
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++ for (i = 0; i < vc->num_comments; ++i)
++ if (vc->comments[i].entry)
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+ }
+ }
+
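Review bot: The new `if (vc->comments[i].entry)` guards a NULL entry pointer, but the `vc->comments` array itself is still indexed unconditionally whenever `num_comments > 0`; whether libFLAC can deliver a VORBIS_COMMENT block with `num_comments > 0` and `comments == NULL` is not visible here, but the extra test is free: `if (vc->num_comments == 0 || !vc->comments) return;`. Each entry is also handed to sox_append_comment() as a C string although Vorbis comment entries are length-counted; this presumably relies on libFLAC NUL-terminating the entry buffer, which deserves a one-line comment at the call site so nobody later switches to a length-based copy or drops the assumption. The metadata callback containing this code starts outside the hunk.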
diff -Nru sox-14.4.1/debian/patches/CVE-2017-15372.patch sox-14.4.1/debian/patches/CVE-2017-15372.patch
--- sox-14.4.1/debian/patches/CVE-2017-15372.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-15372.patch 2019-02-28 08:58:56.000000000 +0100
@@ -0,0 +1,83 @@
+Subject: fix stack buffer overflow in lsx_ms_adpcm_block_expand_i
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/001c337552912d286ba68086ac378f6fdc1e8b50
+--- a/src/adpcm.c 2012-01-23 23:27:33.000000000 +0100
++++ b/src/adpcm.c 2019-02-28 10:15:09.251531753 +0100
+@@ -71,6 +71,11 @@
+ { 392,-232}
+ };
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++ return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+ sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@
+
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+@@ -113,7 +119,7 @@
+ const unsigned char *ip;
+ unsigned ch;
+ const char *errmsg = NULL;
+- MsState_t state[4]; /* One decompressor state for each channel */
++ MsState_t *state = priv; /* One decompressor state for each channel */
+
+ /* Read the four-byte header for each channel */
+ ip = ibuff;
+--- a/src/adpcm.h 2012-01-23 23:27:33.000000000 +0100
++++ b/src/adpcm.h 2019-02-28 10:15:09.251531753 +0100
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+--- a/src/wav.c 2019-02-28 10:14:50.207678261 +0100
++++ b/src/wav.c 2019-02-28 10:15:09.255531722 +0100
+@@ -82,6 +82,7 @@
+ /* following used by *ADPCM wav files */
+ unsigned short nCoefs; /* ADPCM: number of coef sets */
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */
++ void *ms_adpcm_data; /* Private data of adpcm decoder */
+ unsigned char *packet; /* Temporary buffer for packets */
+ short *samples; /* interleaved samples buffer */
+ short *samplePtr; /* Pointer to current sample */
+@@ -173,7 +174,7 @@
+ }
+ }
+
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+
+ if (errmsg)
+ lsx_warn("%s", errmsg);
+@@ -687,6 +688,7 @@
+
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+ {
+ int i, errct=0;
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1107,6 +1109,7 @@
+ free(wav->packet);
+ free(wav->samples);
+ free(wav->lsx_ms_adpcm_i_coefs);
++ free(wav->ms_adpcm_data);
+ free(wav->comment);
+ wav->comment = NULL;
+
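Review bot: `lsx_ms_adpcm_alloc()` sizes the per-channel state with a bare `chans * sizeof(MsState_t)` multiplication passed to lsx_malloc(); on the wav.c path `wChannels` comes from a 16-bit header field so it cannot overflow, but the function is exported through adpcm.h with an `unsigned` parameter and nothing at the definition records that assumption. `return lsx_calloc(chans, sizeof(MsState_t));` is overflow-safe for any caller once patch 0001 in this series turns lsx_calloc() into a real calloc() wrapper (before that it is the multiplying macro shown in xmalloc.h). The contract between the two new functions is also undocumented: `lsx_ms_adpcm_block_expand_i()` indexes `priv` for `chans` entries, so `priv` must come from `lsx_ms_adpcm_alloc()` called with the same channel count; a comment on the `priv` parameter in adpcm.h saying exactly that, and that the caller frees it as wav.c's cleanup now does, would keep the next caller honest.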
diff -Nru sox-14.4.1/debian/patches/CVE-2017-15642.patch sox-14.4.1/debian/patches/CVE-2017-15642.patch
--- sox-14.4.1/debian/patches/CVE-2017-15642.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-15642.patch 2019-02-28 08:58:56.000000000 +0100
@@ -0,0 +1,23 @@
+Description: aiff: fix crash on empty comment chunk (CVE-2017-15642)
+ This fixes a use after free and double free if an empty comment
+ chunk follows a non-empty one.
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2
+--- a/src/aiff.c 2012-01-23 23:27:33.000000000 +0100
++++ b/src/aiff.c 2019-02-28 10:46:46.358710941 +0100
+@@ -62,7 +62,6 @@
+ size_t ssndsize = 0;
+ char *annotation;
+ char *author;
+- char *comment = NULL;
+ char *copyright;
+ char *nametext;
+
+@@ -270,6 +269,7 @@
+ free(annotation);
+ }
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++ char *comment = NULL;
+ rc = commentChunk(&comment, "Comment:", ft);
+ if (rc) {
+ /* Fail already called in function */
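Review bot: Narrowing `comment` to the COMT branch is the right fix, but the reason is not recorded at the declaration, and the hunk does not show where the branch frees it (the ANNO branch above frees `annotation` inline, so presumably COMT does the same); a reader who sees a block-scoped pointer handed to commentChunk() and then freed may well hoist it back out to function scope. A one-line why-comment prevents that: `char *comment = NULL; /* per-chunk: a stale pointer from a previous COMT was freed twice (CVE-2017-15642) */`. The enclosing reader function starts and ends outside the hunk.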
diff -Nru sox-14.4.1/debian/patches/CVE-2017-18189.patch sox-14.4.1/debian/patches/CVE-2017-18189.patch
--- sox-14.4.1/debian/patches/CVE-2017-18189.patch 1970-01-01 01:00:00.000000000 +0100
+++ sox-14.4.1/debian/patches/CVE-2017-18189.patch 2019-02-28 08:58:56.000000000 +0100
@@ -0,0 +1,22 @@
+Description: xa: validate channel count
+ A corrupt header specifying zero channels would send read_channels()
+ into an infinite loop. Prevent this by sanity checking the channel
+ count in open_read(). Also add an upper bound to prevent overflow
+ in multiplication.
+Author: Mans Rullgard <mans@mansr.com>
+Origin: upstream, https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53
+--- a/src/xa.c 2012-01-23 23:27:33.000000000 +0100
++++ b/src/xa.c 2019-02-28 10:32:46.220409795 +0100
+@@ -143,6 +143,12 @@
+ lsx_report("User options overriding rate read in .xa header");
+ }
+
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ /* Check for supported formats */
+ if (ft->encoding.bits_per_sample != 16) {
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
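Review bot: The new diagnostic formats `ft->signal.channels` with `%d`, while the wav.c patch in this same upload prints the identical field with `%u` (`"Too many channels (%u)"`); one of the two is a signed/unsigned format mismatch, which `-Wformat` flags and which the standard leaves undefined even where it prints correctly. Since the `> UINT16_MAX` comparison only makes sense for an unsigned field, `%u` is the one to use here: `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %u", ft->signal.channels);`. The rest of open_read() is outside the hunk.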
diff -Nru sox-14.4.1/debian/patches/series sox-14.4.1/debian/patches/series
--- sox-14.4.1/debian/patches/series 2019-02-01 16:18:21.000000000 +0100
+++ sox-14.4.1/debian/patches/series 2019-08-16 00:28:55.000000000 +0200
@@ -1,2 +1,17 @@
0001-Check-for-minimum-size-sphere-headers.patch
0002-More-checks-for-invalid-MS-ADPCM-blocks.patch
+
+CVE-2017-15370.patch
+CVE-2017-15372.patch
+CVE-2017-18189.patch
+CVE-2017-15642.patch
+
+CVE-2017-11332.patch
+CVE-2017-11358.patch
+CVE-2017-11359.patch
+CVE-2017-15371.patch
+0001-Clean-up-lsx_malloc-and-friends.patch
+0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
+0003-fix-possible-overflow-in-lsx_-re-valloc-size-calcula.patch
+0004-fft4g-bail-if-size-too-large-CVE-2019-8356.patch
+0005-fix-possible-null-pointer-deref-in-lsx_make_lpf-CVE-.patch