| author | Changqing Li <changqing.li@windriver.com> | 2019-02-20 16:54:20 +0800 | 
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2019-03-22 14:40:46 -0700 | 
| commit | 181d15b438ffa1d9da10399d33368906b464e4eb (patch) | |
| tree | ff4b3792dbc4d5e3056338490df5388aa7662cd9 | |
| parent | 378f720090508d5c8c04f1b0265ba729f6ce827b (diff) | |
libsndfile1: Security fix CVE-2018-19432
(From OE-Core rev: 6f010c9b7777aae5ce2108122d0c6d3b1d630a21)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch | 115 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 1 | 
2 files changed, 116 insertions, 0 deletions
|
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
new file mode 100644
index 0000000000..8ded2c0f85
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
@@ -0,0 +1,115 @@
+From 6f3266277bed16525f0ac2f0f03ff4626f1923e5 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Thu, 8 Mar 2018 18:00:21 +1100
+Subject: [PATCH] Fix max channel count bug
+
+The code was allowing files to be written with a channel count of exactly
+`SF_MAX_CHANNELS` but was failing to read some file formats with the same
+channel count.
+
+Upstream-Status: Backport [https://github.com/erikd/libsndfile/
+commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5]
+
+CVE: CVE-2018-19432
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ src/aiff.c |    6 +++---
+ src/rf64.c |    4 ++--
+ src/w64.c  |    4 ++--
+ src/wav.c  |    4 ++--
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index fbd43cb..6386bce 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2005 David Viens <davidv@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -950,7 +950,7 @@ aiff_read_header (SF_PRIVATE *psf, COMM_
+ 	if (psf->sf.channels < 1)
+ 		return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-	if (psf->sf.channels >= SF_MAX_CHANNELS)
++	if (psf->sf.channels > SF_MAX_CHANNELS)
+ 		return SFE_CHANNEL_COUNT ;
+ 
+ 	if (! (found_chunk & HAVE_FORM))
+@@ -1030,7 +1030,7 @@ aiff_read_comm_chunk (SF_PRIVATE *psf, C
+ 	psf_log_printf (psf, "  Sample Rate : %d\n", samplerate) ;
+ 	psf_log_printf (psf, "  Frames      : %u%s\n", comm_fmt->numSampleFrames, (comm_fmt->numSampleFrames == 0 && psf->filelength > 104) ? " (Should not be 0)" : "") ;
+ 
+-	if (comm_fmt->numChannels < 1 || comm_fmt->numChannels >= SF_MAX_CHANNELS)
++	if (comm_fmt->numChannels < 1 || comm_fmt->numChannels > SF_MAX_CHANNELS)
+ 	{	psf_log_printf (psf, "  Channels    : %d (should be >= 1 and < %d)\n", comm_fmt->numChannels, SF_MAX_CHANNELS) ;
+ 		return SFE_CHANNEL_COUNT_BAD ;
+ 		} ;
+diff --git a/src/rf64.c b/src/rf64.c
+index d57f0f3..876cd45 100644
+--- a/src/rf64.c
++++ b/src/rf64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 2008-2017 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 2008-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2009      Uli Franke <cls@nebadje.org>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -382,7 +382,7 @@ rf64_read_header (SF_PRIVATE *psf, int *
+ 	if (psf->sf.channels < 1)
+ 		return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-	if (psf->sf.channels >= SF_MAX_CHANNELS)
++	if (psf->sf.channels > SF_MAX_CHANNELS)
+ 		return SFE_CHANNEL_COUNT ;
+ 
+ 	/* WAVs can be little or big endian */
+diff --git a/src/w64.c b/src/w64.c
+index 939b716..a37d2c5 100644
+--- a/src/w64.c
++++ b/src/w64.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -383,7 +383,7 @@ w64_read_header	(SF_PRIVATE *psf, int *b
+ 	if (psf->sf.channels < 1)
+ 		return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-	if (psf->sf.channels >= SF_MAX_CHANNELS)
++	if (psf->sf.channels > SF_MAX_CHANNELS)
+ 		return SFE_CHANNEL_COUNT ;
+ 
+ 	psf->endian = SF_ENDIAN_LITTLE ;		/* All W64 files are little endian. */
+diff --git a/src/wav.c b/src/wav.c
+index 7bd97bc..dc97545 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2016 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 1999-2018 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2004-2005 David Viens <davidv@plogue.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -627,7 +627,7 @@ wav_read_header	(SF_PRIVATE *psf, int *b
+ 	if (psf->sf.channels < 1)
+ 		return SFE_CHANNEL_COUNT_ZERO ;
+ 
+-	if (psf->sf.channels >= SF_MAX_CHANNELS)
++	if (psf->sf.channels > SF_MAX_CHANNELS)
+ 		return SFE_CHANNEL_COUNT ;
+ 
+ 	if (format != WAVE_FORMAT_PCM && (parsestage & HAVE_fact) == 0)
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 13248f5cb7..9700f4a6e7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2017-14634.patch \
            file://CVE-2018-13139.patch \
            file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
+           file://CVE-2018-19432.patch \
           "
 
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
|
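Review bot: In the aiff_read_comm_chunk hunk of the backported patch, the log text on the unchanged line still reads `(should be >= 1 and < %d)` although the relaxed check now accepts a channel count equal to SF_MAX_CHANNELS; the message would match the code as `"  Channels    : %d (should be >= 1 and <= %d)\n"`. All five changed comparisons (two in aiff.c, one each in rf64.c, w64.c and wav.c) widen what the readers accept from an untrusted file header, so it is worth confirming that every per-channel array reached after these checks holds SF_MAX_CHANNELS entries; none of those uses are visible in the hunks. The patch header also does not say how the boundary change relates to CVE-2018-19432, and one sentence naming the affected code path would help whoever audits this recipe later. Each enclosing function starts and ends outside its hunk.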
