main/libao: security fix for CVE-2017-11548

fixes #9210

main/libao: security fix for CVE-2017-11548
fixes #9210
e31e4436 · Natanael Copa · 4f5598e3 · e31e4436 · e31e4436
Commit e31e4436 authored Dec 04, 2018 by Natanael Copa
Hide whitespace changes
Inline Side-by-side

Showing with 187 additions and 5 deletions

main/libao/APKBUILD main/libao/APKBUILD +10 -5

main/libao/CVE-2017-11548.patch main/libao/CVE-2017-11548.patch +177 -0

No files found.
--- a/main/libao/APKBUILD
+++ b/main/libao/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libao
 pkgver=1.2.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Cross-platform audio output library and plugins"
 url="http://www.xiph.org/ao"
 arch="all"
@@ -9,7 +9,13 @@ license="GPL"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=""
 makedepends="alsa-lib-dev"
-source="http://downloads.xiph.org/releases/ao/$pkgname-$pkgver.tar.gz"
+source="http://downloads.xiph.org/releases/ao/$pkgname-$pkgver.tar.gz
+	CVE-2017-11548.patch
+	"
+
+# secfixes:
+#   1.2.0-r2:
+#   - CVE-2017-11548

 _builddir="$srcdir/$pkgname-$pkgver"

@@ -34,6 +40,5 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 }

-md5sums="9f5dd20d7e95fd0dd72df5353829f097  libao-1.2.0.tar.gz"
-sha256sums="03ad231ad1f9d64b52474392d63c31197b0bc7bd416e58b1c10a329a5ed89caf  libao-1.2.0.tar.gz"
-sha512sums="9456953826c188d67129ad78366bb86d6243499f2cd340d20d61366f7e40a33f3f8ab601c7f18ce9e24aa22f898093b482b2415b7e428c1486ef7e5ac27b3ee4  libao-1.2.0.tar.gz"
+sha512sums="9456953826c188d67129ad78366bb86d6243499f2cd340d20d61366f7e40a33f3f8ab601c7f18ce9e24aa22f898093b482b2415b7e428c1486ef7e5ac27b3ee4  libao-1.2.0.tar.gz
+2108047bf0b17b1a516c6acaa7d373f46f0c8efe8d355c5353abf73ead987b5a3b97a102ebd596113ca8670d303c13922e5cca764c0604971a1ccac4cba770be  CVE-2017-11548.patch"
--- a/main/libao/CVE-2017-11548.patch
+++ b/main/libao/CVE-2017-11548.patch
+diff --git a/src/audio_out.c b/src/audio_out.c
+index bd8f6fc..f5942d6 100644
+--- a/src/audio_out.c
+++ b/src/audio_out.c
+@@ -634,6 +634,10 @@ static char *_sanitize_matrix(int maxchannels, char *matrix, ao_device *device){
+     char *ret = calloc(strlen(matrix)+1,1); /* can only get smaller */
+     char *p=matrix;
+     int count=0;
+
+    if(!ret)
+      return NULL;
+
+     while(count<maxchannels){
+       char *h,*t;
+       int m=0;
+@@ -706,6 +710,15 @@ static int _find_channel(int needle, char *haystack){
+   return -1;
+ }
+ 
+static void _free_map(char **m){
+  char **in=m;
+  while(m && *m){
+    free(*m);
+    m++;
+  }
+  if(in)free(in);
+}
+
+ static char **_tokenize_matrix(char *matrix){
+   char **ret=NULL;
+   char *p=matrix;
+@@ -730,6 +743,8 @@ static char **_tokenize_matrix(char *matrix){
+   }
+ 
+   ret = calloc(count+1,sizeof(*ret));
+  if(!ret)
+    return NULL;
+ 
+   p=matrix;
+   count=0;
+@@ -748,6 +763,10 @@ static char **_tokenize_matrix(char *matrix){
+     while(t>p && isspace(*(t-1)))t--;
+ 
+     ret[count] = calloc(t-p+1,1);
+    if(!ret[count]){
+      _free_map(ret);
+      return NULL;
+    }
+     memcpy(ret[count],p,t-p);
+     count++;
+     if(!*h)break;
+@@ -755,16 +774,6 @@ static char **_tokenize_matrix(char *matrix){
+   }
+ 
+   return ret;
+-
+-}
+-
+-static void _free_map(char **m){
+-  char **in=m;
+-  while(m && *m){
+-    free(*m);
+-    m++;
+-  }
+-  if(in)free(in);
+ }
+ 
+ static unsigned int _matrix_to_channelmask(int ch, char *matrix, char *premap, int **mout){
+@@ -772,7 +781,14 @@ static unsigned int _matrix_to_channelmask(int ch, char *matrix, char *premap, i
+   char *p=matrix;
+   int *perm=(*mout=malloc(ch*sizeof(*mout)));
+   int i;
+-  char **map = _tokenize_matrix(premap);
+  char **map;
+
+  if(!perm)
+    return 0;
+
+  map = _tokenize_matrix(premap);
+  if(!map)
+    return 0;
+ 
+   for(i=0;i<ch;i++) perm[i] = -1;
+   i=0;
+@@ -810,6 +826,9 @@ static char *_channelmask_to_matrix(unsigned int mask, char *premap){
+   char buffer[257]={0};
+   char **map = _tokenize_matrix(premap);
+ 
+  if(!map)
+    return NULL;
+
+   while(map[m]){
+     if(mask & (1<<m)){
+       if(count)
+@@ -849,6 +868,9 @@ static char *_matrix_intersect(char *matrix,char *premap){
+   int count=0;
+   char **map = _tokenize_matrix(premap);
+ 
+  if(!map)
+    return NULL;
+
+   while(1){
+     char *h=p;
+     int m=0;
+@@ -1039,7 +1061,7 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
+                                                          device->output_matrix,
+                                                          &device->input_map);
+               int channels = _channelmask_bits(mask);
+-              if(channels<0){
+              if(channels<=0){
+                 aerror("Unable to map any channels from input matrix to output");
+                 errno = AO_EBADFORMAT;
+                 goto error;
+@@ -1060,7 +1082,7 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
+                                                          device->output_matrix,
+                                                          &device->input_map);
+               int channels = _channelmask_bits(mask);
+-              if(channels<0){
+              if(channels<=0){
+                 aerror("Unable to map any channels from input matrix to output");
+                 errno = AO_EBADFORMAT;
+                 goto error;
+@@ -1111,6 +1133,10 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
+             int count=0;
+             device->inter_permute = calloc(device->output_channels,sizeof(int));
+ 
+            if (!device->inter_permute) {
+              errno = AO_EFAIL;
+              goto error;
+            }
+             adebug("\n");
+ 
+             while(count<device->output_channels){
+@@ -1157,8 +1183,10 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
+                 for(i=0;i<device->output_channels;i++)
+                   if(device->inter_permute[i]==j)break;
+                 if(i==device->output_channels){
+-                  adebug("input %d (%s)\t -> none\n",
+-                         j,inch[j]);
+                  if(inch){
+                    adebug("input %d (%s)\t -> none\n",
+                           j,inch[j]);
+                  }
+                   unflag=1;
+                 }
+               }
+diff --git a/src/plugins/macosx/ao_macosx.c b/src/plugins/macosx/ao_macosx.c
+index a3daf1b..129020d 100644
+--- a/src/plugins/macosx/ao_macosx.c
+++ b/src/plugins/macosx/ao_macosx.c
+@@ -594,11 +594,11 @@ int ao_plugin_open(ao_device *device, ao_sample_format *format)
+   internal->firstValidByteOffset = 0;
+   internal->validByteCount = 0;
+   internal->buffer = malloc(internal->bufferByteCount);
+-  memset(internal->buffer, 0, internal->bufferByteCount);
+   if (!internal->buffer) {
+     aerror("Unable to allocate queue buffer.\n");
+     return 0;
+   }
+  memset(internal->buffer, 0, internal->bufferByteCount);
+ 
+   /* limited to stereo for now */
+   //if(!device->output_matrix)
+diff --git a/src/plugins/sndio/ao_sndio.c b/src/plugins/sndio/ao_sndio.c
+index ec251fb..e23fd47 100644
+--- a/src/plugins/sndio/ao_sndio.c
+++ b/src/plugins/sndio/ao_sndio.c
+@@ -67,6 +67,9 @@ int ao_plugin_device_init(ao_device *device)
+ {
+   ao_sndio_internal *internal;
+   internal = (ao_sndio_internal *) calloc(1,sizeof(*internal));
+  if (internal == NULL)
+    return 0;
+
+   internal->id=-1;
+   device->internal = internal;
+   device->output_matrix_order = AO_OUTPUT_MATRIX_FIXED;