user/sox: patch multiple CVEs (#166)

1 files changed, 59 insertions, 0 deletions

diff --git a/user/sox/CVE-2019-8355.patch b/user/sox/CVE-2019-8355.patch
new file mode 100644
index 000000000..d4d8cb808
--- /dev/null
+++ b/user/sox/CVE-2019-8355.patch
@@ -0,0 +1,59 @@
+Backport of the following:
+
+From ec073861aa9c0f779a3741c456e4f97d59366ffb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 15:40:16 +0000
+Subject: [PATCH] make: update exported symbol list [bug #266]
+
+From f8587e2d50dad72d40453ac1191c539ee9e50381 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 24 Apr 2019 17:39:45 +0100
+Subject: [PATCH] fix possible overflow in lsx_(re)valloc() size calculation
+ (CVE-2019-8355)
+
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
+ 
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+-  -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++  -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+ 
+ if HAVE_WIN32_LTDL
+   libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+--- sox-14.4.2/src/xmalloc.c	2012-01-23 16:27:33.000000000 -0600
++++ sox-14.4.2/src/xmalloc.c	2020-03-21 13:24:52.660007611 -0500
+@@ -41,3 +41,13 @@ void *lsx_realloc(void *ptr, size_t news
+ 
+   return ptr;
+ }
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++  if (n > (size_t)-1 / size) {
++    lsx_fail("malloc size overflow");
++    exit(2);
++  }
++
++  return lsx_realloc(p, n * size);
++}
+--- sox-14.4.2/src/xmalloc.h	2012-01-23 16:27:33.000000000 -0600
++++ sox-14.4.2/src/xmalloc.h	2020-03-21 13:24:14.610007203 -0500
+@@ -23,12 +23,14 @@
+ #include <stddef.h>
+ #include <string.h>
+ 
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
++
+ #define lsx_malloc(size) lsx_realloc(NULL, (size))
+ #define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL)
+ #define lsx_Calloc(v,n)  v = lsx_calloc(n,sizeof(*(v)))
+ #define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n)  v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n)  v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n)  v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n)  v = lsx_realloc_array(v, n, sizeof(*(v)))
+ 
+ #endif