Merge #31 (open a tracker issue instead)

testing/ffmpeg/build

@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+patch -p1 < replace-pr-1.patch
+patch -p1 < replace-pr-2.patch
+
+./configure \
+    --prefix=/usr \
+    --disable-debug \
+    --enable-gpl \
+    --enable-version3 \
+    --enable-libaom \
+    --enable-libass \
+    --enable-libmp3lame \
+    --enable-libopus \
+    --enable-libvorbis \
+    --enable-libtheora \
+    --enable-libwavpack \
+    --enable-libvpx \
+    --enable-libx264 \
+    --enable-libx265 \
+    --enable-libxvid \
+    --enable-libwebp \
+    --enable-openssl \
+    --enable-libdrm
+
+make
+make DESTDIR="$1" install

testing/ffmpeg/checksums

@@ -0,0 +1,3 @@
+f1f049a82fcfbf156564e73a3935d7e750891fab2abf302e735104fd4050a7e1  ffmpeg-4.1.4.tar.xz
+5fc8ff90546ea1b11fd8eece4bc190c4452cd4f92a1e5d496337635afc8847be  replace-pr-1.patch
+5ef42e9fa9d400940f10a45c2f877339ff1d354746a793cb4316a5e351b37cea  replace-pr-2.patch

testing/ffmpeg/depends

@@ -0,0 +1,12 @@
+pkgconf make
+perl make
+yasm make
+alsa-lib
+lame
+libass
+libogg
+libtheora
+libvorbis
+libwebp
+opus
+wavpack

testing/ffmpeg/patches/replace-pr-1.patch

@@ -0,0 +1,41 @@
+From ae6486c6251039d3a6bb5a90e1d818331cf55edc Mon Sep 17 00:00:00 2001
+From: "Guo, Yejun" <yejun.guo@intel.com>
+Date: Wed, 24 Apr 2019 21:13:21 +0800
+Subject: [PATCH] configure: replace 'pr' with printf since busybox does not
+ support pr
+
+This patch is based on https://trac.ffmpeg.org/ticket/5680 provided by
+Kylie McClain <somasis@exherbo.org> at Wed, 29 Jun 2016 16:37:20 -0400,
+and have some changes.
+
+contributor: Kylie McClain <somasis@exherbo.org>
+contributor: avih <avihpit@yahoo.com>
+Signed-off-by: Guo, Yejun <yejun.guo@intel.com>
+---
+ configure | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/configure b/configure
+index 580af9c0f6..9b4305cf0d 100755
+--- a/configure
++++ b/configure
+@@ -503,9 +503,13 @@ log(){
+ }
+ 
+ log_file(){
+-    log BEGIN $1
+-    pr -n -t $1 >> $logfile
+-    log END $1
++    log BEGIN "$1"
++    log_file_i=1
++    while IFS= read -r log_file_line; do
++        printf '%5d\t%s\n' "$log_file_i" "$log_file_line"
++        log_file_i=$(($log_file_i+1))
++    done < "$1" >> "$logfile"
++    log END "$1"
+ }
+ 
+ warn(){
+-- 
+2.11.0
+

testing/ffmpeg/patches/replace-pr-2.patch

@@ -0,0 +1,75 @@
+From: Alexander Strasser <eclipse7@gmx.net>
+Date: Sat, 27 Apr 2019 21:15:08 +0000 (+0200)
+Subject: configure: print_in_columns: Replace pr with awk
+X-Git-Url: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff_plain;h=99147312ce6ffd3a3b70e10aacc9b64a63b6aefe
+
+configure: print_in_columns: Replace pr with awk
+
+Get rid of pr dependency and write the columns strictly
+alphabetical without page size considerations (POSIX
+specifies 66 lines as default).
+
+Setting the page size via pr's -l option was considered,
+but as there is issue #5680 which wants to avoid pr
+mainly because it's not in busybox, we chose to replace
+pr instead.
+
+Before pr would attempt to write pages, thus if a page
+boundary was reached, the output looked confusing as one
+couldn't see there was a new page and the alphabetical
+order was disrupted when scanning down one of the columns.
+
+This change is based on a shell implementation submitted
+before by Yejun.
+
+Possible differences to the current version using pr:
+1. pr implementations should truncate items to not overflow columns;
+   depending on how it's done not truncating shall be better IMHO.
+2. pr implementations might balance columns differently;
+   we use minimum number of lines and might end up not
+   using all columns or might have lesser entries in the
+   last column(s)
+3. we use spaces only for padding the columns; at least the GNU pr
+   version on my system also by default stuffs in tabs in addition
+   to a single space in between columns. I don't see that this
+   behaviour is demanded by POSIX, though I might be very well
+   overlooking things. Anyway for our use case I can't see a need
+   for having the additional tabs, or why it would be better compared
+   to padding with spaces only.
+
+Fixes output for sizes with width < column width, too.
+
+Fixes remaining part of ticket #5680
+
+Contributor: Guo, Yejun <yejun.guo@intel.com>
+---
+
+diff --git a/configure b/configure
+index d885690369..7cea9d4d73 100755
+--- a/configure
++++ b/configure
+@@ -3843,8 +3843,22 @@ die_unknown(){
+ }
+ 
+ print_in_columns() {
+-    cols=$(expr $ncols / 24)
+-    cat | tr ' ' '\n' | sort | pr -r "-$cols" -w $ncols -t
++    tr ' ' '\n' | sort | tr '\r\n' '  ' | awk -v col_width=24 -v width="$ncols" '
++    {
++        num_cols = width > col_width ? int(width / col_width) : 1;
++        num_rows = int((NF + num_cols-1) / num_cols);
++        y = x = 1;
++        for (y = 1; y <= num_rows; y++) {
++            i = y;
++            for (x = 1; x <= num_cols; x++) {
++                if (i <= NF) {
++                  line = sprintf("%s%-" col_width "s", line, $i);
++                }
++                i = i + num_rows;
++            }
++            print line; line = "";
++        }
++    }' | sed 's/ *$//'
+ }
+ 
+ show_list() {

testing/ffmpeg/sources

@@ -0,0 +1,3 @@
+https://www.ffmpeg.org/releases/ffmpeg-4.1.4.tar.xz
+patches/replace-pr-1.patch
+patches/replace-pr-2.patch

testing/ffmpeg/version

@@ -0,0 +1 @@
+4.1.4 1

testing/fribidi/build

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr \
+    --disable-docs \
+    --with-glib=no
+
+make
+make DESTDIR="$1" install

testing/fribidi/checksums

@@ -0,0 +1 @@
+6a64f2a687f5c4f203a46fa659f43dd43d1f8b845df8d723107e8a7e6158e4ce  fribidi-1.0.5.tar.bz2

testing/fribidi/sources

@@ -0,0 +1 @@
+https://github.com/fribidi/fribidi/releases/download/v1.0.5/fribidi-1.0.5.tar.bz2

testing/fribidi/version

@@ -0,0 +1 @@
+1.0.5 1

testing/lame/build

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr \
+    --enable-nasm \
+    --enable-shared
+
+make
+make DESTDIR="$1" install

testing/lame/checksums

@@ -0,0 +1 @@
+ddfe36cab873794038ae2c1210557ad34857a4b6bdc515785d1da9e175b1da1e  lame-3.100.tar.gz

testing/lame/sources

@@ -0,0 +1 @@
+https://downloads.sourceforge.net/lame/lame-3.100.tar.gz

testing/lame/version

@@ -0,0 +1 @@
+3.100 1

testing/libass/build

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr \
+    --enable-fontconfig
+
+make
+make DESTDIR="$1" install

testing/libass/checksums

@@ -0,0 +1 @@
+881f2382af48aead75b7a0e02e65d88c5ebd369fe46bc77d9270a94aa8fd38a2  libass-0.14.0.tar.xz

testing/libass/depends

@@ -0,0 +1,6 @@
+pkgconf make
+yasm make
+expat
+fribidi
+fontconfig
+freetype

testing/libass/sources

@@ -0,0 +1 @@
+https://github.com/libass/libass/releases/download/0.14.0/libass-0.14.0.tar.xz

testing/libass/version

@@ -0,0 +1 @@
+0.14.0 1

testing/libogg/build

@@ -0,0 +1,7 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr
+
+make
+make DESTDIR="$1" install

testing/libogg/checksums

@@ -0,0 +1 @@
+4f3fc6178a533d392064f14776b23c397ed4b9f48f5de297aba73b643f955c08  libogg-1.3.3.tar.xz

testing/libogg/sources

@@ -0,0 +1 @@
+https://downloads.xiph.org/releases/ogg/libogg-1.3.3.tar.xz

testing/libogg/version

@@ -0,0 +1 @@
+1.3.3 1

testing/libtheora/build

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+patch -p0 < libtheora-1.1.1-libpng16.patch
+
+./configure \
+    --prefix=/usr
+
+make
+make DESTDIR="$1" install

testing/libtheora/checksums

@@ -0,0 +1,2 @@
+40952956c47811928d1e7922cda3bc1f427eb75680c3c37249c91e949054916b  libtheora-1.1.1.tar.gz
+e4c9a8dc798c596ed32a2a720020ae27a0e72f5add1a47cb8fadebe0e7180d7e  libtheora-1.1.1-libpng16.patch

testing/libtheora/depends

@@ -0,0 +1 @@
+libogg

testing/libtheora/patches/libtheora-1.1.1-libpng16.patch

@@ -0,0 +1,17 @@
+http://bugs.gentoo.org/465450
+http://trac.xiph.org/ticket/1947
+
+--- examples/png2theora.c
++++ examples/png2theora.c
+@@ -462,9 +462,9 @@
+   png_set_strip_alpha(png_ptr);
+ 
+   row_data = (png_bytep)png_malloc(png_ptr,
+-    3*height*width*png_sizeof(*row_data));
++    3*height*width*sizeof(*row_data));
+   row_pointers = (png_bytep *)png_malloc(png_ptr,
+-    height*png_sizeof(*row_pointers));
++    height*sizeof(*row_pointers));
+   for(y = 0; y < height; y++) {
+     row_pointers[y] = row_data + y*(3*width);
+   }

testing/libtheora/sources

@@ -0,0 +1,2 @@
+https://downloads.xiph.org/releases/theora/libtheora-1.1.1.tar.gz
+patches/libtheora-1.1.1-libpng16.patch

testing/libtheora/version

@@ -0,0 +1 @@
+1.1.1 1

testing/libvorbis/build

@@ -0,0 +1,7 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr
+
+make
+make DESTDIR="$1" install

testing/libvorbis/checksums

@@ -0,0 +1 @@
+6ed40e0241089a42c48604dc00e362beee00036af2d8b3f46338031c9e0351cb  libvorbis-1.3.6.tar.gz

testing/libvorbis/depends

@@ -0,0 +1 @@
+libogg

testing/libvorbis/sources

@@ -0,0 +1 @@
+https://downloads.xiph.org/releases/vorbis/libvorbis-1.3.6.tar.gz

testing/libvorbis/version

@@ -0,0 +1 @@
+1.3.6 1

testing/libwebp/build

@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr \
+    --disable-static \
+    --enable-libwebpmux \
+    --enable-libwebpdemux \
+    --enable-libwebpdecoder
+
+make
+make DESTDIR="$1" install

testing/libwebp/checksums

@@ -0,0 +1 @@
+e20a07865c8697bba00aebccc6f54912d6bc333bb4d604e6b07491c1a226b34f  libwebp-1.0.3.tar.gz

testing/libwebp/depends

@@ -0,0 +1,3 @@
+pkgconf make
+libpng
+libjpeg-turbo

testing/libwebp/sources

@@ -0,0 +1 @@
+https://downloads.webmproject.org/releases/webp/libwebp-1.0.3.tar.gz

testing/libwebp/version

@@ -0,0 +1 @@
+1.0.3 1

testing/opus/build

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+./configure \
+    --prefix=/usr \
+    --enable-custom-modes \
+    --enable-float-approx
+
+make
+make DESTDIR="$1" install

testing/opus/checksums

@@ -0,0 +1 @@
+65b58e1e25b2a114157014736a3d9dfeaad8d41be1c8179866f144a2fb44ff9d  opus-1.3.1.tar.gz

testing/opus/sources

@@ -0,0 +1 @@
+https://archive.mozilla.org/pub/opus/opus-1.3.1.tar.gz

testing/opus/version

@@ -0,0 +1 @@
+1.3.1 1

testing/wavpack/build

@@ -0,0 +1,15 @@
+#!/bin/sh -e
+
+patch -p1 < CVE-2018-6767.patch
+patch -p1 < CVE-2018-7253.patch
+patch -p1 < CVE-2018-7254.patch
+patch -p1 < CVE-2018-10536.patch
+patch -p1 < CVE-2018-10538.patch
+patch -p1 < CVE-2018-19840.patch
+patch -p1 < CVE-2018-19841.patch
+
+./configure \
+    --prefix=/usr
+
+make
+make DESTDIR="$1" install

testing/wavpack/checksums

@@ -0,0 +1,8 @@
+1939627d5358d1da62bc6158d63f7ed12905552f3a799c799ee90296a7612944  wavpack-5.1.0.tar.bz2
+b3142472c92460375914dddeaa3c473b8c33cd1a57acdd7e3a4680ed029424b3  CVE-2018-10536.patch
+3a378d2c8be1114f88b00e0fa28d5ea1974c8b82504256c6040246a4b201052a  CVE-2018-19840.patch
+ce376bfd4c20a49e58db25e38a4cb1706a81c537c935ebe27529b198bfd98624  CVE-2018-10538.patch
+547c1bde5dc25c4bc6298e83aa69a27dad26983dcc1225711fd8c0091b14f520  CVE-2018-19841.patch
+b78ef4bcff64a9d51eb5a5ea6e37d3a23f2a6b86b4435140ecd49352e3d51b57  CVE-2018-7253.patch
+27dd49dac0a904d44a4e630de49b18edd52e3a0518e62c35c09e1d8a7778f7bc  CVE-2018-6767.patch
+a407b856166eefdb1e1920b804f6c8532787ae9949e1b056305150558310f9f1  CVE-2018-7254.patch

testing/wavpack/patches/CVE-2018-10536.patch

@@ -0,0 +1,63 @@
+From 26cb47f99d481ad9b93eeff80d26e6b63bbd7e15 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 22:18:07 -0700
+Subject: [PATCH] issue #30 issue #31 issue #32: no multiple format chunks in
+ WAV or W64
+
+fixes CVE-2018-10537 CVE-2018-10536
+
+---
+ cli/riff.c   | 7 ++++++-
+ cli/wave64.c | 6 ++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/cli/riff.c b/cli/riff.c
+index 7bddf63..5d6452e 100644
+--- a/cli/riff.c
++++ b/cli/riff.c
+@@ -53,7 +53,7 @@ extern int debug_logging_mode;
+ 
+ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+-    int is_rf64 = !strncmp (fourcc, "RF64", 4), got_ds64 = 0;
++    int is_rf64 = !strncmp (fourcc, "RF64", 4), got_ds64 = 0, format_chunk = 0;
+     int64_t total_samples = 0, infilesize;
+     RiffChunkHeader riff_chunk_header;
+     ChunkHeader chunk_header;
+@@ -140,6 +140,11 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         else if (!strncmp (chunk_header.ckID, "fmt ", 4)) {     // if it's the format chunk, we want to get some info out of there and
+             int supported = TRUE, format;                        // make sure it's a .wav file we can handle
+ 
++            if (format_chunk++) {
++                error_line ("%s is not a valid .WAV file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             if (chunk_header.ckSize < 16 || chunk_header.ckSize > sizeof (WaveHeader) ||
+                 !DoReadFile (infile, &WaveHeader, chunk_header.ckSize, &bcount) ||
+                 bcount != chunk_header.ckSize) {
+diff --git a/cli/wave64.c b/cli/wave64.c
+index fa928a0..0388dc7 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -53,6 +53,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+     Wave64ChunkHeader chunk_header;
+     Wave64FileHeader filehdr;
+     WaveHeader WaveHeader;
++    int format_chunk = 0;
+     uint32_t bcount;
+ 
+     infilesize = DoGetFileSize (infile);
+@@ -104,6 +105,11 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         if (!memcmp (chunk_header.ckID, fmt_guid, sizeof (fmt_guid))) {
+             int supported = TRUE, format;
+ 
++            if (format_chunk++) {
++                error_line ("%s is not a valid .W64 file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             chunk_header.ckSize = (chunk_header.ckSize + 7) & ~7L;
+ 
+             if (chunk_header.ckSize < 16 || chunk_header.ckSize > sizeof (WaveHeader) ||
+

testing/wavpack/patches/CVE-2018-10538.patch

@@ -0,0 +1,74 @@
+From 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 24 Apr 2018 17:27:01 -0700
+Subject: [PATCH] issue #33, sanitize size of unknown chunks before malloc()
+
+fixes CVE-2018-10539 CVE-2018-10538 CVE-2018-10540
+
+---
+ cli/dsdiff.c | 9 ++++++++-
+ cli/riff.c   | 9 ++++++++-
+ cli/wave64.c | 9 ++++++++-
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index c016df9..fa56bbb 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         else {          // just copy unknown chunks to output file
+ 
+             int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
+-            char *buff = malloc (bytes_to_copy);
++            char *buff;
++
++            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/riff.c b/cli/riff.c
+index de98c1e..7bddf63 100644
+--- a/cli/riff.c
++++ b/cli/riff.c
+@@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         else {          // just copy unknown chunks to output file
+ 
+             int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
+-            char *buff = malloc (bytes_to_copy);
++            char *buff;
++
++            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++                error_line ("%s is not a valid .WAV file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 591d640..fa928a0 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+         }
+         else {          // just copy unknown chunks to output file
+             int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
+-            char *buff = malloc (bytes_to_copy);
++            char *buff;
++
++            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
++                error_line ("%s is not a valid .W64 file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+

testing/wavpack/patches/CVE-2018-19840.patch

@@ -0,0 +1,25 @@
+From 070ef6f138956d9ea9612e69586152339dbefe51 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Thu, 29 Nov 2018 21:00:42 -0800
+Subject: [PATCH] issue #53: error out on zero sample rate
+
+---
+ src/pack_utils.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git src/pack_utils.c src/pack_utils.c
+index 2253f0d..2a83497 100644
+--- a/src/pack_utils.c
++++ b/src/pack_utils.c
+@@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
+     int num_chans = config->num_channels;
+     int i;
+ 
++    if (!config->sample_rate) {
++        strcpy (wpc->error_message, "sample rate cannot be zero!");
++        return FALSE;
++    }
++
+     wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS;
+ 
+     if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) {

testing/wavpack/patches/CVE-2018-19841.patch

@@ -0,0 +1,29 @@
+From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Thu, 29 Nov 2018 21:53:51 -0800
+Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
+
+---
+ src/open_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 80051fc..4fe0d67 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+ 
+             if (meta_bc == 4) {
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+                     return FALSE;
+             }
+             else {
+                 csum ^= csum >> 16;
+ 
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+                     return FALSE;
+             }
+ 

testing/wavpack/patches/CVE-2018-6767.patch

@@ -0,0 +1,113 @@
+From d5bf76b5a88d044a1be1d5656698e3ba737167e5 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Sun, 4 Feb 2018 11:28:15 -0800
+Subject: [PATCH] issue #27, do not overwrite stack on corrupt RF64 file
+
+---
+ cli/riff.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/cli/riff.c b/cli/riff.c
+index 8b1af45..de98c1e 100644
+--- a/cli/riff.c
++++ b/cli/riff.c
+@@ -42,6 +42,7 @@ typedef struct {
+ 
+ #pragma pack(pop)
+ 
++#define CS64ChunkFormat "4D"
+ #define DS64ChunkFormat "DDDL"
+ 
+ #define WAVPACK_NO_ERROR    0
+@@ -101,13 +102,13 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ 
+         if (!strncmp (chunk_header.ckID, "ds64", 4)) {
+             if (chunk_header.ckSize < sizeof (DS64Chunk) ||
+-                !DoReadFile (infile, &ds64_chunk, chunk_header.ckSize, &bcount) ||
+-                bcount != chunk_header.ckSize) {
++                !DoReadFile (infile, &ds64_chunk, sizeof (DS64Chunk), &bcount) ||
++                bcount != sizeof (DS64Chunk)) {
+                     error_line ("%s is not a valid .WAV file!", infilename);
+                     return WAVPACK_SOFT_ERROR;
+             }
+             else if (!(config->qmode & QMODE_NO_STORE_WRAPPER) &&
+-                !WavpackAddWrapper (wpc, &ds64_chunk, chunk_header.ckSize)) {
++                !WavpackAddWrapper (wpc, &ds64_chunk, sizeof (DS64Chunk))) {
+                     error_line ("%s", WavpackGetErrorMessage (wpc));
+                     return WAVPACK_SOFT_ERROR;
+             }
+@@ -315,10 +316,11 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ 
+ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples, int qmode)
+ {
+-    int do_rf64 = 0, write_junk = 1;
++    int do_rf64 = 0, write_junk = 1, table_length = 0;
+     ChunkHeader ds64hdr, datahdr, fmthdr;
+     RiffChunkHeader riffhdr;
+     DS64Chunk ds64_chunk;
++    CS64Chunk cs64_chunk;
+     JunkChunk junkchunk;
+     WaveHeader wavhdr;
+     uint32_t bcount;
+@@ -380,6 +382,7 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
+     strncpy (riffhdr.formType, "WAVE", sizeof (riffhdr.formType));
+     total_riff_bytes = sizeof (riffhdr) + wavhdrsize + sizeof (datahdr) + ((total_data_bytes + 1) & ~(int64_t)1);
+     if (do_rf64) total_riff_bytes += sizeof (ds64hdr) + sizeof (ds64_chunk);
++    total_riff_bytes += table_length * sizeof (CS64Chunk);
+     if (write_junk) total_riff_bytes += sizeof (junkchunk);
+     strncpy (fmthdr.ckID, "fmt ", sizeof (fmthdr.ckID));
+     strncpy (datahdr.ckID, "data", sizeof (datahdr.ckID));
+@@ -394,11 +397,12 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
+ 
+     if (do_rf64) {
+         strncpy (ds64hdr.ckID, "ds64", sizeof (ds64hdr.ckID));
+-        ds64hdr.ckSize = sizeof (ds64_chunk);
++        ds64hdr.ckSize = sizeof (ds64_chunk) + (table_length * sizeof (CS64Chunk));
+         CLEAR (ds64_chunk);
+         ds64_chunk.riffSize64 = total_riff_bytes;
+         ds64_chunk.dataSize64 = total_data_bytes;
+         ds64_chunk.sampleCount64 = total_samples;
++        ds64_chunk.tableLength = table_length;
+         riffhdr.ckSize = (uint32_t) -1;
+         datahdr.ckSize = (uint32_t) -1;
+         WavpackNativeToLittleEndian (&ds64hdr, ChunkHeaderFormat);
+@@ -409,6 +413,14 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
+         datahdr.ckSize = (uint32_t) total_data_bytes;
+     }
+ 
++    // this "table" is just a dummy placeholder for testing (normally not written)
++
++    if (table_length) {
++        strncpy (cs64_chunk.ckID, "dmmy", sizeof (cs64_chunk.ckID));
++        cs64_chunk.chunkSize64 = 12345678;
++        WavpackNativeToLittleEndian (&cs64_chunk, CS64ChunkFormat);
++    }
++
+     // write the RIFF chunks up to just before the data starts
+ 
+     WavpackNativeToLittleEndian (&riffhdr, ChunkHeaderFormat);
+@@ -418,8 +430,21 @@ int WriteRiffHeader (FILE *outfile, WavpackContext *wpc, int64_t total_samples,
+ 
+     if (!DoWriteFile (outfile, &riffhdr, sizeof (riffhdr), &bcount) || bcount != sizeof (riffhdr) ||
+         (do_rf64 && (!DoWriteFile (outfile, &ds64hdr, sizeof (ds64hdr), &bcount) || bcount != sizeof (ds64hdr))) ||
+-        (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk))) ||
+-        (write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
++        (do_rf64 && (!DoWriteFile (outfile, &ds64_chunk, sizeof (ds64_chunk), &bcount) || bcount != sizeof (ds64_chunk)))) {
++            error_line ("can't write .WAV data, disk probably full!");
++            return FALSE;
++    }
++
++    // again, this is normally not written except for testing
++
++    while (table_length--)
++        if (!DoWriteFile (outfile, &cs64_chunk, sizeof (cs64_chunk), &bcount) || bcount != sizeof (cs64_chunk)) {
++            error_line ("can't write .WAV data, disk probably full!");
++            return FALSE;
++        }
++
++
++    if ((write_junk && (!DoWriteFile (outfile, &junkchunk, sizeof (junkchunk), &bcount) || bcount != sizeof (junkchunk))) ||
+         !DoWriteFile (outfile, &fmthdr, sizeof (fmthdr), &bcount) || bcount != sizeof (fmthdr) ||
+         !DoWriteFile (outfile, &wavhdr, wavhdrsize, &bcount) || bcount != wavhdrsize ||
+         !DoWriteFile (outfile, &datahdr, sizeof (datahdr), &bcount) || bcount != sizeof (datahdr)) {
+

testing/wavpack/patches/CVE-2018-7253.patch

@@ -0,0 +1,33 @@
+From 36a24c7881427d2e1e4dc1cef58f19eee0d13aec Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Sat, 10 Feb 2018 16:01:39 -0800
+Subject: [PATCH] issue #28, do not overwrite heap on corrupt DSDIFF file
+
+---
+ cli/dsdiff.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index 410dc1c..c016df9 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+                 error_line ("dsdiff file version = 0x%08x", version);
+         }
+         else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
+-            char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
++            char *prop_chunk;
++
++            if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            if (debug_logging_mode)
++                error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
++
++            prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+ 
+             if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
+                 bcount != dff_chunk_header.ckDataSize) {
+

testing/wavpack/patches/CVE-2018-7254.patch

@@ -0,0 +1,67 @@
+From 8e3fe45a7bac31d9a3b558ae0079e2d92a04799e Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Sun, 11 Feb 2018 16:37:47 -0800
+Subject: [PATCH] issue #28, fix buffer overflows and bad allocs on corrupt CAF
+ files
+
+---
+ cli/caff.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/cli/caff.c b/cli/caff.c
+index ae57c4b..6248a71 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -89,8 +89,8 @@ typedef struct
+ 
+ #define CAFChannelDescriptionFormat "LLLLL"
+ 
+-static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21 };
+-static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16 };
++static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21,0 };
++static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16,0 };
+ 
+ static struct {
+     uint32_t mChannelLayoutTag;     // Core Audio layout, 100 - 146 in high word, num channels in low word
+@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+             }
+         }
+         else if (!strncmp (caf_chunk_header.mChunkType, "chan", 4)) {
+-            CAFChannelLayout *caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++            CAFChannelLayout *caf_channel_layout;
+ 
+-            if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) ||
+-                !DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
++            if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {
++                error_line ("this .CAF file has an invalid 'chan' chunk!");
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            if (debug_logging_mode)
++                error_line ("'chan' chunk is %d bytes", (int) caf_chunk_header.mChunkSize);
++
++            caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++
++            if (!DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
+                 bcount != caf_chunk_header.mChunkSize) {
+                     error_line ("%s is not a valid .CAF file!", infilename);
+                     free (caf_channel_layout);
+@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+         }
+         else {          // just copy unknown chunks to output file
+ 
+-            int bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
+-            char *buff = malloc (bytes_to_copy);
++            uint32_t bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
++            char *buff;
++
++            if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize > 1048576) {
++                error_line ("%s is not a valid .CAF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
++            buff = malloc (bytes_to_copy);
+ 
+             if (debug_logging_mode)
+                 error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
+

testing/wavpack/sources

@@ -0,0 +1,8 @@
+http://www.wavpack.com/wavpack-5.1.0.tar.bz2
+patches/CVE-2018-10536.patch
+patches/CVE-2018-19840.patch
+patches/CVE-2018-10538.patch
+patches/CVE-2018-19841.patch
+patches/CVE-2018-7253.patch
+patches/CVE-2018-6767.patch
+patches/CVE-2018-7254.patch

testing/wavpack/version

@@ -0,0 +1 @@
+5.1.0 1