Commit e31e4436 authored by Natanael Copa's avatar Natanael Copa

main/libao: security fix for CVE-2017-11548

fixes #9210
parent 4f5598e3
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libao
pkgver=1.2.0
pkgrel=1
pkgrel=2
pkgdesc="Cross-platform audio output library and plugins"
url="http://www.xiph.org/ao"
arch="all"
......@@ -9,7 +9,13 @@ license="GPL"
subpackages="$pkgname-dev $pkgname-doc"
depends=""
makedepends="alsa-lib-dev"
source="http://downloads.xiph.org/releases/ao/$pkgname-$pkgver.tar.gz"
source="http://downloads.xiph.org/releases/ao/$pkgname-$pkgver.tar.gz
CVE-2017-11548.patch
"
# secfixes:
# 1.2.0-r2:
# - CVE-2017-11548
_builddir="$srcdir/$pkgname-$pkgver"
......@@ -34,6 +40,5 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
md5sums="9f5dd20d7e95fd0dd72df5353829f097 libao-1.2.0.tar.gz"
sha256sums="03ad231ad1f9d64b52474392d63c31197b0bc7bd416e58b1c10a329a5ed89caf libao-1.2.0.tar.gz"
sha512sums="9456953826c188d67129ad78366bb86d6243499f2cd340d20d61366f7e40a33f3f8ab601c7f18ce9e24aa22f898093b482b2415b7e428c1486ef7e5ac27b3ee4 libao-1.2.0.tar.gz"
sha512sums="9456953826c188d67129ad78366bb86d6243499f2cd340d20d61366f7e40a33f3f8ab601c7f18ce9e24aa22f898093b482b2415b7e428c1486ef7e5ac27b3ee4 libao-1.2.0.tar.gz
2108047bf0b17b1a516c6acaa7d373f46f0c8efe8d355c5353abf73ead987b5a3b97a102ebd596113ca8670d303c13922e5cca764c0604971a1ccac4cba770be CVE-2017-11548.patch"
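Review bot: The new `source=` value still fetches the tarball over `http://`, and the hunk counts indicate that `md5sums` and `sha256sums` are dropped, which leaves `sha512sums` as the only thing tying the build to a known archive. That is sufficient as long as the checksum step always runs, but switching the URL to `https://` (if the upstream host serves it) would remove the dependence on that single check. A comment above `source=` recording the patch's origin, e.g. `# CVE-2017-11548.patch: taken from <UPSTREAM_COMMIT_URL>`, would let a later maintainer compare it against upstream.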
diff --git a/src/audio_out.c b/src/audio_out.c
index bd8f6fc..f5942d6 100644
--- a/src/audio_out.c
+++ b/src/audio_out.c
@@ -634,6 +634,10 @@ static char *_sanitize_matrix(int maxchannels, char *matrix, ao_device *device){
char *ret = calloc(strlen(matrix)+1,1); /* can only get smaller */
char *p=matrix;
int count=0;
+
+ if(!ret)
+ return NULL;
+
while(count<maxchannels){
char *h,*t;
int m=0;
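Review bot: Returning NULL here changes the contract of `_sanitize_matrix`, and the same applies to the new `return NULL` paths in the `_channelmask_to_matrix` and `_matrix_intersect` hunks. None of their call sites are visible in this patch, so it cannot be confirmed from here that each caller checks the result before using it. I would add a line to each function's header comment, e.g. `/* returns NULL on allocation failure; caller must check */`, and verify the call sites. The body of `_sanitize_matrix` continues past the end of this hunk.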
@@ -706,6 +710,15 @@ static int _find_channel(int needle, char *haystack){
return -1;
}
+static void _free_map(char **m){
+ char **in=m;
+ while(m && *m){
+ free(*m);
+ m++;
+ }
+ if(in)free(in);
+}
+
static char **_tokenize_matrix(char *matrix){
char **ret=NULL;
char *p=matrix;
@@ -730,6 +743,8 @@ static char **_tokenize_matrix(char *matrix){
}
ret = calloc(count+1,sizeof(*ret));
+ if(!ret)
+ return NULL;
p=matrix;
count=0;
@@ -748,6 +763,10 @@ static char **_tokenize_matrix(char *matrix){
while(t>p && isspace(*(t-1)))t--;
ret[count] = calloc(t-p+1,1);
+ if(!ret[count]){
+ _free_map(ret);
+ return NULL;
+ }
memcpy(ret[count],p,t-p);
count++;
if(!*h)break;
@@ -755,16 +774,6 @@ static char **_tokenize_matrix(char *matrix){
}
return ret;
-
-}
-
-static void _free_map(char **m){
- char **in=m;
- while(m && *m){
- free(*m);
- m++;
- }
- if(in)free(in);
}
static unsigned int _matrix_to_channelmask(int ch, char *matrix, char *premap, int **mout){
@@ -772,7 +781,14 @@ static unsigned int _matrix_to_channelmask(int ch, char *matrix, char *premap, i
char *p=matrix;
int *perm=(*mout=malloc(ch*sizeof(*mout)));
int i;
- char **map = _tokenize_matrix(premap);
+ char **map;
+
+ if(!perm)
+ return 0;
+
+ map = _tokenize_matrix(premap);
+ if(!map)
+ return 0;
for(i=0;i<ch;i++) perm[i] = -1;
i=0;
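Review bot: When `_tokenize_matrix` fails, the new `if(!map) return 0;` returns with `*mout` still pointing at the freshly allocated `perm`, whose entries have not yet been set to -1. Any caller that reads the map after a zero mask sees uninitialized ints, so release it on that path: `if(!map){ free(perm); *mout=NULL; return 0; }`. Separately, `malloc(ch*sizeof(*mout))` sizes each element as an `int *` rather than an `int`; `ch*sizeof(*perm)` is what the `perm[i] = -1` loop needs, though the current form only over-allocates. The function body continues outside the hunk.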
@@ -810,6 +826,9 @@ static char *_channelmask_to_matrix(unsigned int mask, char *premap){
char buffer[257]={0};
char **map = _tokenize_matrix(premap);
+ if(!map)
+ return NULL;
+
while(map[m]){
if(mask & (1<<m)){
if(count)
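Review bot: The context line `if(mask & (1<<m))` shifts a signed `int` by a counter that is bounded only by the number of tokens in `map`, so a `premap` that tokenizes to 32 or more entries makes the shift undefined (and `1<<31` already is). Assuming `m` advances once per token (the increment is outside the hunk), I would write `while(map[m] && m<32)` and `if(mask & (1u<<m))`. The function starts and ends outside this hunk.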
@@ -849,6 +868,9 @@ static char *_matrix_intersect(char *matrix,char *premap){
int count=0;
char **map = _tokenize_matrix(premap);
+ if(!map)
+ return NULL;
+
while(1){
char *h=p;
int m=0;
@@ -1039,7 +1061,7 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
device->output_matrix,
&device->input_map);
int channels = _channelmask_bits(mask);
- if(channels<0){
+ if(channels<=0){
aerror("Unable to map any channels from input matrix to output");
errno = AO_EBADFORMAT;
goto error;
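Review bot: An allocation failure is now reported as a format error. `_matrix_to_channelmask` returns 0 when `malloc` or `_tokenize_matrix` fails, and if `mask` here comes from that call (the call begins above the hunk) the `channels<=0` branch logs "Unable to map any channels from input matrix to output" and sets `AO_EBADFORMAT`. The `inter_permute` hunk uses `AO_EFAIL` for the same condition, so the two paths disagree on how out-of-memory is reported. Consider giving `_matrix_to_channelmask` a way to signal allocation failure separately from "no channels matched", and mapping that case to `AO_EFAIL`. The second `channels<=0` hunk has the same issue.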
@@ -1060,7 +1082,7 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
device->output_matrix,
&device->input_map);
int channels = _channelmask_bits(mask);
- if(channels<0){
+ if(channels<=0){
aerror("Unable to map any channels from input matrix to output");
errno = AO_EBADFORMAT;
goto error;
@@ -1111,6 +1133,10 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
int count=0;
device->inter_permute = calloc(device->output_channels,sizeof(int));
+ if (!device->inter_permute) {
+ errno = AO_EFAIL;
+ goto error;
+ }
adebug("\n");
while(count<device->output_channels){
@@ -1157,8 +1183,10 @@ static ao_device* _open_device(int driver_id, ao_sample_format *format,
for(i=0;i<device->output_channels;i++)
if(device->inter_permute[i]==j)break;
if(i==device->output_channels){
- adebug("input %d (%s)\t -> none\n",
- j,inch[j]);
+ if(inch){
+ adebug("input %d (%s)\t -> none\n",
+ j,inch[j]);
+ }
unflag=1;
}
}
diff --git a/src/plugins/macosx/ao_macosx.c b/src/plugins/macosx/ao_macosx.c
index a3daf1b..129020d 100644
--- a/src/plugins/macosx/ao_macosx.c
+++ b/src/plugins/macosx/ao_macosx.c
@@ -594,11 +594,11 @@ int ao_plugin_open(ao_device *device, ao_sample_format *format)
internal->firstValidByteOffset = 0;
internal->validByteCount = 0;
internal->buffer = malloc(internal->bufferByteCount);
- memset(internal->buffer, 0, internal->bufferByteCount);
if (!internal->buffer) {
aerror("Unable to allocate queue buffer.\n");
return 0;
}
+ memset(internal->buffer, 0, internal->bufferByteCount);
/* limited to stereo for now */
//if(!device->output_matrix)
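Review bot: The `malloc` followed by `memset(..., 0, ...)` can be a single `internal->buffer = calloc(1, internal->bufferByteCount);`, which makes the ordering mistake this hunk corrects impossible to reintroduce. The early `return 0` leaves whatever `ao_plugin_open` set up before this point for the caller to release. That part of the function is outside the hunk, so it is worth confirming that nothing is leaked on this path.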
diff --git a/src/plugins/sndio/ao_sndio.c b/src/plugins/sndio/ao_sndio.c
index ec251fb..e23fd47 100644
--- a/src/plugins/sndio/ao_sndio.c
+++ b/src/plugins/sndio/ao_sndio.c
@@ -67,6 +67,9 @@ int ao_plugin_device_init(ao_device *device)
{
ao_sndio_internal *internal;
internal = (ao_sndio_internal *) calloc(1,sizeof(*internal));
+ if (internal == NULL)
+ return 0;
+
internal->id=-1;
device->internal = internal;
device->output_matrix_order = AO_OUTPUT_MATRIX_FIXED;