authorAndreas Sturmlechner <asturm@gentoo.org>2018-08-22 23:56:46 +0200
committerAndreas Sturmlechner <asturm@gentoo.org>2018-08-23 00:23:22 +0200
commit6a87c686d9ac9de5e0e455d15773d11307a73c66 (patch)
tree5389c019246a19492abc6d51f8d835d48514dd9a /media-sound/timidity++/files
parentx11-libs/libX11-1.6.6: arm64 stable (bug #664184) (diff)
media-sound/timidity++: EAPI-6, CVE-2017-11546, CVE-2017-11547
Bug: https://bugs.gentoo.org/626706 Package-Manager: Portage-2.3.48, Repoman-2.3.10
Diffstat (limited to 'media-sound/timidity++/files')
-rw-r--r--media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch31
-rw-r--r--media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch67
-rw-r--r--media-sound/timidity++/files/timidity++-2.14.0-params.patch4
-rw-r--r--media-sound/timidity++/files/timidity++-2.14.0-revert-for-required-ctl_speana_data-function.patch4
-rw-r--r--media-sound/timidity++/files/timidity++-2.14.0-tcltk86.patch4
5 files changed, 104 insertions, 6 deletions
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
new file mode 100644
index 000000000000..94135e98b96a
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
@@ -0,0 +1,31 @@
+From 2386ec2c745f6c5075e53ea051da211336b44b84 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 26 Jun 2018 22:31:27 +0200
+Subject: readmidi: Fix division by zero
+
+References: CVE-2017-11546
+
+An adhoc fix for division by zero in insert_note_steps().
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+bug: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760825
+---
+ timidity/readmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/timidity/readmidi.c b/timidity/readmidi.c
+index 158388a..341777e 100644
+--- a/timidity/readmidi.c
++++ b/timidity/readmidi.c
+@@ -4585,6 +4585,8 @@ static void insert_note_steps(void)
+ if (beat != 0)
+ meas++, beat = 0;
+ num = timesig[n].a, denom = timesig[n].b, n++;
++ if (!denom)
++ denom = 1;
+ }
+ a = (meas + 1) & 0xff;
+ b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4);
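Review bot: The clamp `if (!denom) denom = 1;` only covers the reload of `denom` from `timesig[n].b` inside this branch; insert_note_steps() starts and ends outside the hunk, so any other assignment of `denom` from a parsed time signature is not visible here and would need the same guard. The division the commit message refers to is also outside the hunk, so it is worth confirming that it can only run after this point. Because a zero denominator from a malformed file is silently turned into 1, a comment above the check would help the next reader: `/* malformed time signature: avoid dividing by a zero denominator (CVE-2017-11546) */`. Rejecting or normalising the value where the time-signature event is stored would presumably be more durable than patching the use site.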
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
new file mode 100644
index 000000000000..12562a577e0e
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
@@ -0,0 +1,67 @@
+From 34328d22cbb4ccf03f29223f54f1834c796d86a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 26 Jun 2018 22:31:28 +0200
+Subject: resample: Fix out-of-bound access in resamplers
+
+References: CVE-2017-11547
+
+An adhoc fix for out-of-bound accesses in resamples.
+The offset might overflow the given data range.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760826
+---
+ timidity/resample.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/timidity/resample.c b/timidity/resample.c
+index cd6b8e6..4a3fadf 100644
+--- a/timidity/resample.c
++++ b/timidity/resample.c
+@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];
+@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t *
+ {
+ int32 ofsi, ofsf, v0, v1, v2, v3;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = (int32)src[ofsi];
+ v2 = (int32)src[ofsi + 1];
+@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec
+ sample_t *sptr;
+ int32 left, right, temp_n;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS) - left - 1;
+ temp_n = (right<<1)-1;
+@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re
+ int32 left, right, temp_n;
+ int ii, jj;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ left = (ofs>>FRACTION_BITS);
+ right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
+ temp_n = (right<<1)-1;
+@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re
+ {
+ int32 v1, v2, ofsi;
+
++ if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++ return src[ofs >> FRACTION_BITS];
+ ofsi = ofs >> FRACTION_BITS;
+ v1 = src[ofsi];
+ v2 = src[ofsi + 1];
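Review bot: The early return `return src[ofs >> FRACTION_BITS];` is itself an unchecked read: the guard fires whenever `ofs + (1 << FRACTION_BITS) >= rec->data_length`, which includes `ofs` already at or past `rec->data_length`, so the fallback can still index at or beyond `rec->data_length >> FRACTION_BITS`. This applies to all five copies (resample_cspline, resample_lagrange, resample_gauss, resample_newton, resample_linear). A separate check ahead of the guard, for example `if (ofs >= rec->data_length) return 0;`, would bound the fallback, assuming silence is an acceptable result for an out-of-range offset. The guard also only accounts for `src[ofsi + 1]`; resample_cspline and resample_lagrange declare `v0` and `v3`, and if those are loaded from `src[ofsi - 1]` and `src[ofsi + 2]` in the parts of the bodies outside these hunks, they need their own bounds. The five identical guards would be easier to audit as one `static` helper with a comment stating the units of `ofs` and `data_length`.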
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-params.patch b/media-sound/timidity++/files/timidity++-2.14.0-params.patch
index d56448b8761b..18790f8bffb4 100644
--- a/media-sound/timidity++/files/timidity++-2.14.0-params.patch
+++ b/media-sound/timidity++/files/timidity++-2.14.0-params.patch
@@ -1,5 +1,5 @@
---- configure.in
-+++ configure.in
+--- a/configure.in
++++ b/configure.in
@@ -2245,10 +2245,15 @@
AM_CONDITIONAL(W32READDIR, test "x$W32READDIR" = "xyes")
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-revert-for-required-ctl_speana_data-function.patch b/media-sound/timidity++/files/timidity++-2.14.0-revert-for-required-ctl_speana_data-function.patch
index a83a7db993f8..6f901eab8bc0 100644
--- a/media-sound/timidity++/files/timidity++-2.14.0-revert-for-required-ctl_speana_data-function.patch
+++ b/media-sound/timidity++/files/timidity++-2.14.0-revert-for-required-ctl_speana_data-function.patch
@@ -8,8 +8,8 @@ Because otherwise TiMidity++ simply won't build as per:
xskin_c.c:(.text+0x17c): undefined reference to `ctl_speana_data'
collect2: error: ld returned 1 exit status
---- interface/xskin_c.c
-+++ interface/xskin_c.c
+--- a/interface/xskin_c.c
++++ b/interface/xskin_c.c
@@ -228,7 +228,6 @@
}
}
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-tcltk86.patch b/media-sound/timidity++/files/timidity++-2.14.0-tcltk86.patch
index ea2c0eec6c7d..23ef62aa03e5 100644
--- a/media-sound/timidity++/files/timidity++-2.14.0-tcltk86.patch
+++ b/media-sound/timidity++/files/timidity++-2.14.0-tcltk86.patch
@@ -1,7 +1,7 @@
http://bugs.gentoo.org/451296
---- interface/tk_c.c
-+++ interface/tk_c.c
+--- a/interface/tk_c.c
++++ b/interface/tk_c.c
@@ -913,7 +913,7 @@
vsnprintf(buf, sizeof(buf), fmt, ap);
Tcl_Eval(my_interp, buf);