summaryrefslogtreecommitdiff
path: root/user/audiofile
diff options
context:
space:
mode:
authorZach van Rijn <me@zv.io>2022-11-11 14:15:59 -0600
committerZach van Rijn <me@zv.io>2022-11-11 14:19:24 -0600
commit451e5cf47f3a45ebf46cad0940f07ef05324f4c5 (patch)
tree1592e1938805a7576fd31da137fb568eb8d5468a /user/audiofile
parent27d6cb412d2697940aafceba923878050b1a1add (diff)
downloadpackages-451e5cf47f3a45ebf46cad0940f07ef05324f4c5.tar.gz
packages-451e5cf47f3a45ebf46cad0940f07ef05324f4c5.tar.bz2
packages-451e5cf47f3a45ebf46cad0940f07ef05324f4c5.tar.xz
packages-451e5cf47f3a45ebf46cad0940f07ef05324f4c5.zip
user/audiofile: multiple CVE patches. fixes #124.
Diffstat (limited to 'user/audiofile')
-rw-r--r--user/audiofile/APKBUILD19
-rw-r--r--user/audiofile/CVE-2015-7747.patch156
-rw-r--r--user/audiofile/CVE-2017-6827,6828,6832,6833,6835,6837.patch34
-rw-r--r--user/audiofile/CVE-2017-6829.patch33
-rw-r--r--user/audiofile/CVE-2017-6830,6834,6836,6838.patch70
-rw-r--r--user/audiofile/CVE-2017-6831.patch36
-rw-r--r--user/audiofile/CVE-2017-6839.patch120
-rw-r--r--user/audiofile/CVE-2018-13440,17095.patch77
8 files changed, 543 insertions, 2 deletions
diff --git a/user/audiofile/APKBUILD b/user/audiofile/APKBUILD
index 66b00d0c7..904fea5d0 100644
--- a/user/audiofile/APKBUILD
+++ b/user/audiofile/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=audiofile
pkgver=0.3.6
-pkgrel=0
+pkgrel=1
pkgdesc="Library for reading and writing audio files in many formats"
url="https://audiofile.68k.org"
arch="all"
@@ -13,6 +13,14 @@ makedepends="$depends_dev alsa-lib-dev"
subpackages="$pkgname-dev $pkgname-doc"
source="https://audiofile.68k.org/audiofile-$pkgver.tar.gz
tests-unsigned-gcc6.patch
+
+ CVE-2015-7747.patch
+ CVE-2017-6827,6828,6832,6833,6835,6837.patch
+ CVE-2017-6829.patch
+ CVE-2017-6830,6834,6836,6838.patch
+ CVE-2017-6831.patch
+ CVE-2017-6839.patch
+ CVE-2018-13440,17095.patch
"
prepare() {
@@ -41,4 +49,11 @@ package() {
}
sha512sums="f9a1182d93e405c21eba79c5cc40962347bff13f1b3b732d9a396e3d1675297515188bd6eb43033aaa00e9bde74ff4628c1614462456529cabba464f03c1d5fa audiofile-0.3.6.tar.gz
-b85546eaccf0911fb2f5ba26c323ea2c0b18cae7d7476d5ac9e821c90097f331e3391b787f390d130382fffb6b777887344f914489ca1bc0a3974f1ebe16e328 tests-unsigned-gcc6.patch"
+b85546eaccf0911fb2f5ba26c323ea2c0b18cae7d7476d5ac9e821c90097f331e3391b787f390d130382fffb6b777887344f914489ca1bc0a3974f1ebe16e328 tests-unsigned-gcc6.patch
+7673ab3fafdb0dac514a42622f53ea17aa56836c76413e5680c475537e195c53df21f26da1bd4e7941df2dc8b33a471ab52d539dabffbaef8bc95ee59951e7fe CVE-2015-7747.patch
+880392c89e0f5982ceb3f56b32da7f28217df64dedf588eb2a72616367f77813b34f3f12092d0b05818247da8e411de8fded336fe09413e81184e98546489b3a CVE-2017-6827,6828,6832,6833,6835,6837.patch
+e7afe1a27566fb593ea53176256df23e447a2ee842cb4168930dec365fdabe7f2f43512d81bca5f14336ef0c756f6006c24948a3c2d79baafb0042ed8a145aae CVE-2017-6829.patch
+3b870602fab366015de6dc2f3cf83eae90a4113e2c18e843494c3a75744730f41aefd99547ea758cef194d921a7fc66024b1b9ffbf0bbe6614693453cce09e99 CVE-2017-6830,6834,6836,6838.patch
+51c92ce66e987ae1d4bda65247134097705ef45cf7670401af7943bf6bbfc674089bcfafa49983046b10573ea72900adb96c296739c234d5e98539098eebe022 CVE-2017-6831.patch
+88603061ffe607910d0c73b88c2a305134d6ea4d51dadb6a33163d24c7dd3ab091e7f32c8549fec442c4898a2d6ba91da209973d002c47342645d82d3957a0f0 CVE-2017-6839.patch
+b90684b8e8082acd84f40ec8da83a6f2a2280e71be873055829d4555377454797446f4f5f77c7a9cda7aa4450f1647370a16e2284b5b7777eb86da4ff7d1e336 CVE-2018-13440,17095.patch"
diff --git a/user/audiofile/CVE-2015-7747.patch b/user/audiofile/CVE-2015-7747.patch
new file mode 100644
index 000000000..332563959
--- /dev/null
+++ b/user/audiofile/CVE-2015-7747.patch
@@ -0,0 +1,156 @@
+Description: fix buffer overflow when changing both sample format and
+ number of channels
+Origin: https://github.com/mpruett/audiofile/pull/25
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
+Bug-Debian: https://bugs.debian.org/801102
+
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -402,7 +402,7 @@ status ModuleState::arrange(AFfilehandle
+ addModule(new Transform(outfc, in.pcm, out.pcm));
+
+ if (in.channelCount != out.channelCount)
+- addModule(new ApplyChannelMatrix(infc, isReading,
++ addModule(new ApplyChannelMatrix(outfc, isReading,
+ in.channelCount, out.channelCount,
+ in.pcm.minClip, in.pcm.maxClip,
+ track->channelMatrix));
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -26,6 +26,7 @@ TESTS = \
+ VirtualFile \
+ floatto24 \
+ query2 \
++ sixteen-stereo-to-eight-mono \
+ sixteen-to-eight \
+ testchannelmatrix \
+ testdouble \
+@@ -139,6 +140,7 @@ printmarkers_SOURCES = printmarkers.c
+ printmarkers_LDADD = $(LIBAUDIOFILE) -lm
+
+ sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
+
+ testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
+
+--- /dev/null
++++ b/test/sixteen-stereo-to-eight-mono.c
+@@ -0,0 +1,118 @@
++/*
++ Audio File Library
++
++ Copyright 2000, Silicon Graphics, Inc.
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License along
++ with this program; if not, write to the Free Software Foundation, Inc.,
++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++*/
++
++/*
++ sixteen-stereo-to-eight-mono.c
++
++ This program tests the conversion from 2-channel 16-bit integers to
++ 1-channel 8-bit integers.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdint.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <limits.h>
++
++#include <audiofile.h>
++
++#include "TestUtilities.h"
++
++int main (int argc, char **argv)
++{
++ AFfilehandle file;
++ AFfilesetup setup;
++ int16_t frames16[] = {14298, 392, 3923, -683, 958, -1921};
++ int8_t frames8[] = {28, 6, -2};
++ int i, frameCount = 3;
++ int8_t byte;
++ AFframecount result;
++
++ setup = afNewFileSetup();
++
++ afInitFileFormat(setup, AF_FILE_WAVE);
++
++ afInitSampleFormat(setup, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 16);
++ afInitChannels(setup, AF_DEFAULT_TRACK, 2);
++
++ char *testFileName;
++ if (!createTemporaryFile("sixteen-to-eight", &testFileName))
++ {
++ fprintf(stderr, "Could not create temporary file.\n");
++ exit(EXIT_FAILURE);
++ }
++
++ file = afOpenFile(testFileName, "w", setup);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for writing\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afFreeFileSetup(setup);
++
++ afWriteFrames(file, AF_DEFAULT_TRACK, frames16, frameCount);
++
++ afCloseFile(file);
++
++ file = afOpenFile(testFileName, "r", AF_NULL_FILESETUP);
++ if (file == AF_NULL_FILEHANDLE)
++ {
++ fprintf(stderr, "could not open file for reading\n");
++ exit(EXIT_FAILURE);
++ }
++
++ afSetVirtualSampleFormat(file, AF_DEFAULT_TRACK, AF_SAMPFMT_TWOSCOMP, 8);
++ afSetVirtualChannels(file, AF_DEFAULT_TRACK, 1);
++
++ for (i=0; i<frameCount; i++)
++ {
++ /* Read one frame. */
++ result = afReadFrames(file, AF_DEFAULT_TRACK, &byte, 1);
++
++ if (result != 1)
++ break;
++
++ /* Compare the byte read with its precalculated value. */
++ if (memcmp(&byte, &frames8[i], 1) != 0)
++ {
++ printf("error\n");
++ printf("expected %d, got %d\n", frames8[i], byte);
++ exit(EXIT_FAILURE);
++ }
++ else
++ {
++#ifdef DEBUG
++ printf("got what was expected: %d\n", byte);
++#endif
++ }
++ }
++
++ afCloseFile(file);
++ unlink(testFileName);
++ free(testFileName);
++
++ exit(EXIT_SUCCESS);
++}
diff --git a/user/audiofile/CVE-2017-6827,6828,6832,6833,6835,6837.patch b/user/audiofile/CVE-2017-6827,6828,6832,6833,6835,6837.patch
new file mode 100644
index 000000000..0465a1f59
--- /dev/null
+++ b/user/audiofile/CVE-2017-6827,6828,6832,6833,6835,6837.patch
@@ -0,0 +1,34 @@
+From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 12:51:22 +0100
+Subject: [PATCH 1/3] Always check the number of coefficients
+
+When building the library with NDEBUG, asserts are eliminated
+so it's better to always check that the number of coefficients
+is inside the array range.
+
+This fixes the 00191-audiofile-indexoob issue in #41
+---
+ libaudiofile/WAVE.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..61f9541 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+
+ /* numCoefficients should be at least 7. */
+ assert(numCoefficients >= 7 && numCoefficients <= 255);
++ if (numCoefficients < 7 || numCoefficients > 255)
++ {
++ _af_error(AF_BAD_HEADER,
++ "Bad number of coefficients");
++ return AF_FAIL;
++ }
+
+ m_msadpcmNumCoefficients = numCoefficients;
+
+--
+2.36.1
+
diff --git a/user/audiofile/CVE-2017-6829.patch b/user/audiofile/CVE-2017-6829.patch
new file mode 100644
index 000000000..c1047af06
--- /dev/null
+++ b/user/audiofile/CVE-2017-6829.patch
@@ -0,0 +1,33 @@
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:02:31 +0100
+Subject: clamp index values to fix index overflow in IMA.cpp
+
+This fixes #33
+(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
+and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
+---
+ libaudiofile/modules/IMA.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
+index 7476d44..df4aad6 100644
+--- a/libaudiofile/modules/IMA.cpp
++++ b/libaudiofile/modules/IMA.cpp
+@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
+ if (encoded[1] & 0x80)
+ m_adpcmState[c].previousValue -= 0x10000;
+
+- m_adpcmState[c].index = encoded[2];
++ m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+
+ *decoded++ = m_adpcmState[c].previousValue;
+
+@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
+ predictor -= 0x10000;
+
+ state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+- state.index = encoded[1] & 0x7f;
++ state.index = clamp(encoded[1] & 0x7f, 0, 88);
+ encoded += 2;
+
+ for (int n=0; n<m_framesPerPacket; n+=2)
diff --git a/user/audiofile/CVE-2017-6830,6834,6836,6838.patch b/user/audiofile/CVE-2017-6830,6834,6836,6838.patch
new file mode 100644
index 000000000..eae11b27b
--- /dev/null
+++ b/user/audiofile/CVE-2017-6830,6834,6836,6838.patch
@@ -0,0 +1,70 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH 3/3] Check for multiplication overflow in sfconvert
+
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+
++int firstBitSet(int x)
++{
++ int position=0;
++ while (x!=0)
++ {
++ x>>=1;
++ ++position;
++ }
++ return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++ return __builtin_mul_overflow(a, b, result);
++#else
++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++ return true;
++ *result = a * b;
++ return false;
++#endif
++}
++
+ int main (int argc, char **argv)
+ {
+ if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+ int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+
+- const int kBufferFrameCount = 65536;
+- void *buffer = malloc(kBufferFrameCount * frameSize);
++ int kBufferFrameCount = 65536;
++ int bufferSize;
++ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
++ kBufferFrameCount /= 2;
++ void *buffer = malloc(bufferSize);
+
+ AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+ AFframecount totalFramesWritten = 0;
+--
+2.36.1
+
diff --git a/user/audiofile/CVE-2017-6831.patch b/user/audiofile/CVE-2017-6831.patch
new file mode 100644
index 000000000..50cd3dc9a
--- /dev/null
+++ b/user/audiofile/CVE-2017-6831.patch
@@ -0,0 +1,36 @@
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: Actually fail when error occurs in parseFormat
+
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0fc48e8..d04b796 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -332,6 +332,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ {
+ _af_error(AF_BAD_NOT_IMPLEMENTED,
+ "IMA ADPCM compression supports only 4 bits per sample");
++ return AF_FAIL;
+ }
+
+ int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -339,6 +340,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ {
+ _af_error(AF_BAD_CODEC_CONFIG,
+ "Invalid samples per block for IMA ADPCM compression");
++ return AF_FAIL;
+ }
+
+ track->f.sampleWidth = 16;
diff --git a/user/audiofile/CVE-2017-6839.patch b/user/audiofile/CVE-2017-6839.patch
new file mode 100644
index 000000000..ff0cdc2b3
--- /dev/null
+++ b/user/audiofile/CVE-2017-6839.patch
@@ -0,0 +1,120 @@
+From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:43:53 +0100
+Subject: [PATCH 2/3] Check for multiplication overflow in MSADPCM decodeSample
+
+Check for multiplication overflow (using __builtin_mul_overflow
+if available) in MSADPCM.cpp decodeSample and return an empty
+decoded block if an error occurs.
+
+This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
+---
+ libaudiofile/modules/BlockCodec.cpp | 5 +--
+ libaudiofile/modules/MSADPCM.cpp | 47 ++++++++++++++++++++++++++---
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 45925e8..4731be1 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
++++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -52,8 +52,9 @@ void BlockCodec::runPull()
+ // Decompress into m_outChunk.
+ for (int i=0; i<blocksRead; i++)
+ {
+- decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+- static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
++ if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
++ static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
++ break;
+
+ framesRead += m_framesPerPacket;
+ }
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index 8ea3c85..ef9c38c 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
++++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
+ 768, 614, 512, 409, 307, 230, 230, 230
+ };
+
++int firstBitSet(int x)
++{
++ int position=0;
++ while (x!=0)
++ {
++ x>>=1;
++ ++position;
++ }
++ return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++ return __builtin_mul_overflow(a, b, result);
++#else
++ if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++ return true;
++ *result = a * b;
++ return false;
++#endif
++}
++
++
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+- uint8_t code, const int16_t *coefficient)
++ uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+ int linearSample = (state.sample1 * coefficient[0] +
+ state.sample2 * coefficient[1]) >> 8;
++ int delta;
+
+ linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+
+ linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+
+- int delta = (state.delta * adaptationTable[code]) >> 8;
++ if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
++ {
++ if (ok) *ok=false;
++ _af_error(AF_BAD_COMPRESSION, "Error decoding sample");
++ return 0;
++ }
++ delta >>= 8;
+ if (delta < 16)
+ delta = 16;
+
+ state.delta = delta;
+ state.sample2 = state.sample1;
+ state.sample1 = linearSample;
++ if (ok) *ok=true;
+
+ return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
+ {
+ uint8_t code;
+ int16_t newSample;
++ bool ok;
+
+ code = *encoded >> 4;
+- newSample = decodeSample(*state[0], code, coefficient[0]);
++ newSample = decodeSample(*state[0], code, coefficient[0], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ code = *encoded & 0x0f;
+- newSample = decodeSample(*state[1], code, coefficient[1]);
++ newSample = decodeSample(*state[1], code, coefficient[1], &ok);
++ if (!ok) return 0;
+ *decoded++ = newSample;
+
+ encoded++;
+--
+2.36.1
+
diff --git a/user/audiofile/CVE-2018-13440,17095.patch b/user/audiofile/CVE-2018-13440,17095.patch
new file mode 100644
index 000000000..b35ce980e
--- /dev/null
+++ b/user/audiofile/CVE-2018-13440,17095.patch
@@ -0,0 +1,77 @@
+From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 10:48:45 +0200
+Subject: [PATCH 1/3] ModuleState: handle compress/decompress init failure
+
+When the unit initcompress or initdecompress function fails,
+m_fileModule is NULL. Return AF_FAIL in that case instead of
+causing NULL pointer dereferences later.
+
+Fixes #49
+---
+ libaudiofile/modules/ModuleState.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp
+index 0c29d7a..070fd9b 100644
+--- a/libaudiofile/modules/ModuleState.cpp
++++ b/libaudiofile/modules/ModuleState.cpp
+@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track)
+ m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok,
+ file->m_fileFormat == AF_FILE_RAWDATA, &chunkFrames);
+
++ if (!m_fileModule)
++ return AF_FAIL;
++
+ if (unit->needsRebuffer)
+ {
+ assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP);
+
+From 941774c8c0e79007196d7f1e7afdc97689f869b3 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 12:09:45 +0200
+Subject: [PATCH 2/3] ALAC: set chunk frameCount to 0 on short read
+
+---
+ libaudiofile/modules/ALAC.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/ALAC.cpp b/libaudiofile/modules/ALAC.cpp
+index 7593c11..478e2af 100644
+--- a/libaudiofile/modules/ALAC.cpp
++++ b/libaudiofile/modules/ALAC.cpp
+@@ -240,6 +240,7 @@ void ALAC::runPull()
+ if (read(m_inChunk->buffer, bytesPerPacket) < bytesPerPacket)
+ {
+ reportReadError(0, m_track->f.framesPerPacket);
++ m_outChunk->frameCount = 0;
+ return;
+ }
+
+
+From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Thu, 27 Sep 2018 12:11:12 +0200
+Subject: [PATCH 3/3] SimpleModule: set output chunk framecount after pull
+
+After pulling the data, set the output chunk to the amount of
+frames we pulled so that the next module in the chain has the correct
+frame count.
+
+Fixes #50 and #51
+---
+ libaudiofile/modules/SimpleModule.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp
+index 2bae1eb..e87932c 100644
+--- a/libaudiofile/modules/SimpleModule.cpp
++++ b/libaudiofile/modules/SimpleModule.cpp
+@@ -26,6 +26,7 @@
+ void SimpleModule::runPull()
+ {
+ pull(m_outChunk->frameCount);
++ m_outChunk->frameCount = m_inChunk->frameCount;
+ run(*m_inChunk, *m_outChunk);
+ }
+