[Buildroot] [PATCH 1/5] audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

[Buildroot] [PATCH 1/5] audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

[Peter Korsgaard]

CVE-2017-6827: A heap-based buffer overflow in the
MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
unspecified impact via a crafted audio file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
https://github.com/mpruett/audiofile/issues/32

CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
allows remote attackers to have unspecified impact via a crafted WAV file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp
https://github.com/mpruett/audiofile/issues/31

CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp
https://github.com/mpruett/audiofile/issues/36

CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
a denial of service (divide-by-zero error and crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
https://github.com/mpruett/audiofile/issues/37

CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
denial of service (divide-by-zero error and crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp
https://github.com/mpruett/audiofile/issues/39

CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
remote attackers to cause a denial of service (crash) via vectors related to
a large number of coefficients.

http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
https://github.com/mpruett/audiofile/issues/41

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...3-Always-check-the-number-of-coefficients.patch | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 package/audiofile/0003-Always-check-the-number-of-coefficients.patch

diff --git a/package/audiofile/0003-Always-check-the-number-of-coefficients.patch b/package/audiofile/0003-Always-check-the-number-of-coefficients.patch
new file mode 100644
index 000000000..5c99c3cd7
--- /dev/null
+++ b/package/audiofile/0003-Always-check-the-number-of-coefficients.patch
@@ -0,0 +1,36 @@
+From c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 12:51:22 +0100
+Subject: [PATCH] Always check the number of coefficients
+
+When building the library with NDEBUG, asserts are eliminated
+so it's better to always check that the number of coefficients
+is inside the array range.
+
+This fixes the 00191-audiofile-indexoob issue in #41
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libaudiofile/WAVE.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..61f9541 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -281,6 +281,12 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ 
+ 			/* numCoefficients should be at least 7. */
+ 			assert(numCoefficients >= 7 && numCoefficients <= 255);
++			if (numCoefficients < 7 || numCoefficients > 255)
++			{
++				_af_error(AF_BAD_HEADER,
++						"Bad number of coefficients");
++				return AF_FAIL;
++			}
+ 
+ 			m_msadpcmNumCoefficients = numCoefficients;
+ 
+-- 
+2.11.0
+
-- 
2.11.0

[Buildroot] [PATCH 2/5] audiofile: add security patch for CVE-2017-6829

[Peter Korsgaard]

The decodeSample function in IMA.cpp in Audio File Library (aka audiofile)
0.3.6 allows remote attackers to cause a denial of service (crash) via a
crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp
https://github.com/mpruett/audiofile/issues/33

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...x-values-to-fix-index-overflow-in-IMA.cpp.patch | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 package/audiofile/0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch

diff --git a/package/audiofile/0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch b/package/audiofile/0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
new file mode 100644
index 000000000..21f899a46
--- /dev/null
+++ b/package/audiofile/0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
@@ -0,0 +1,39 @@
+From 25eb00ce913452c2e614548d7df93070bf0d066f Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:02:31 +0100
+Subject: [PATCH] clamp index values to fix index overflow in IMA.cpp
+
+This fixes #33
+(also reported at https://bugzilla.opensuse.org/show_bug.cgi?id=1026981
+and https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/)
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libaudiofile/modules/IMA.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libaudiofile/modules/IMA.cpp b/libaudiofile/modules/IMA.cpp
+index 7476d44..df4aad6 100644
+--- a/libaudiofile/modules/IMA.cpp
++++ b/libaudiofile/modules/IMA.cpp
+@@ -169,7 +169,7 @@ int IMA::decodeBlockWAVE(const uint8_t *encoded, int16_t *decoded)
+ 		if (encoded[1] & 0x80)
+ 			m_adpcmState[c].previousValue -= 0x10000;
+ 
+-		m_adpcmState[c].index = encoded[2];
++		m_adpcmState[c].index = clamp(encoded[2], 0, 88);
+ 
+ 		*decoded++ = m_adpcmState[c].previousValue;
+ 
+@@ -210,7 +210,7 @@ int IMA::decodeBlockQT(const uint8_t *encoded, int16_t *decoded)
+ 			predictor -= 0x10000;
+ 
+ 		state.previousValue = clamp(predictor, MIN_INT16, MAX_INT16);
+-		state.index = encoded[1] & 0x7f;
++		state.index = clamp(encoded[1] & 0x7f, 0, 88);
+ 		encoded += 2;
+ 
+ 		for (int n=0; n<m_framesPerPacket; n+=2)
+-- 
+2.11.0
+
-- 
2.11.0

[Buildroot] [PATCH 3/5] audiofile: add security patch for CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838

[Peter Korsgaard]

CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp
https://github.com/mpruett/audiofile/issues/34

CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
https://github.com/mpruett/audiofile/issues/38

CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h
https://github.com/mpruett/audiofile/issues/40

CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
https://github.com/mpruett/audiofile/issues/41

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...-for-multiplication-overflow-in-sfconvert.patch | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch

diff --git a/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch b/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch
new file mode 100644
index 000000000..c72619030
--- /dev/null
+++ b/package/audiofile/0005-Check-for-multiplication-overflow-in-sfconvert.patch
@@ -0,0 +1,72 @@
+From 7d65f89defb092b63bcbc5d98349fb222ca73b3c Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:54:52 +0100
+Subject: [PATCH] Check for multiplication overflow in sfconvert
+
+Checks that a multiplication doesn't overflow when
+calculating the buffer size, and if it overflows,
+reduce the buffer size instead of failing.
+
+This fixes the 00192-audiofile-signintoverflow-sfconvert case
+in #41
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ sfcommands/sfconvert.c | 34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 80a1bc4..970a3e4 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -45,6 +45,33 @@ void printusage (void);
+ void usageerror (void);
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid);
+ 
++int firstBitSet(int x)
++{
++        int position=0;
++        while (x!=0)
++        {
++                x>>=1;
++                ++position;
++        }
++        return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++	return __builtin_mul_overflow(a, b, result);
++#else
++	if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++		return true;
++	*result = a * b;
++	return false;
++#endif
++}
++
+ int main (int argc, char **argv)
+ {
+ 	if (argc == 2)
+@@ -323,8 +350,11 @@ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+ 	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ 
+-	const int kBufferFrameCount = 65536;
+-	void *buffer = malloc(kBufferFrameCount * frameSize);
++	int kBufferFrameCount = 65536;
++	int bufferSize;
++	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
++		kBufferFrameCount /= 2;
++	void *buffer = malloc(bufferSize);
+ 
+ 	AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
+ 	AFframecount totalFramesWritten = 0;
+-- 
+2.11.0
+
-- 
2.11.0

[Buildroot] [PATCH 4/5] audiofile: add security patch for CVE-2017-6831

[Peter Korsgaard]

Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp
https://github.com/mpruett/audiofile/issues/35

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...lly-fail-when-error-occurs-in-parseFormat.patch | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 package/audiofile/0006-Actually-fail-when-error-occurs-in-parseFormat.patch

diff --git a/package/audiofile/0006-Actually-fail-when-error-occurs-in-parseFormat.patch b/package/audiofile/0006-Actually-fail-when-error-occurs-in-parseFormat.patch
new file mode 100644
index 000000000..0c6be2a2c
--- /dev/null
+++ b/package/audiofile/0006-Actually-fail-when-error-occurs-in-parseFormat.patch
@@ -0,0 +1,42 @@
+From a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 18:59:26 +0100
+Subject: [PATCH] Actually fail when error occurs in parseFormat
+
+When there's an unsupported number of bits per sample or an invalid
+number of samples per block, don't only print an error message using
+the error handler, but actually stop parsing the file.
+
+This fixes #35 (also reported at
+https://bugzilla.opensuse.org/show_bug.cgi?id=1026983 and
+https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
+)
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libaudiofile/WAVE.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libaudiofile/WAVE.cpp b/libaudiofile/WAVE.cpp
+index 0e81cf7..d762249 100644
+--- a/libaudiofile/WAVE.cpp
++++ b/libaudiofile/WAVE.cpp
+@@ -326,6 +326,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ 			{
+ 				_af_error(AF_BAD_NOT_IMPLEMENTED,
+ 					"IMA ADPCM compression supports only 4 bits per sample");
++				return AF_FAIL;
+ 			}
+ 
+ 			int bytesPerBlock = (samplesPerBlock + 14) / 8 * 4 * channelCount;
+@@ -333,6 +334,7 @@ status WAVEFile::parseFormat(const Tag &id, uint32_t size)
+ 			{
+ 				_af_error(AF_BAD_CODEC_CONFIG,
+ 					"Invalid samples per block for IMA ADPCM compression");
++				return AF_FAIL;
+ 			}
+ 
+ 			track->f.sampleWidth = 16;
+-- 
+2.11.0
+
-- 
2.11.0

[Buildroot] [PATCH 5/5] audiofile: add security patch for CVE-2017-6839

[Peter Korsgaard]

Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
https://github.com/mpruett/audiofile/issues/41

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...ultiplication-overflow-in-MSADPCM-decodeS.patch | 122 +++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 package/audiofile/0007-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch

diff --git a/package/audiofile/0007-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch b/package/audiofile/0007-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
new file mode 100644
index 000000000..5411f13bb
--- /dev/null
+++ b/package/audiofile/0007-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
@@ -0,0 +1,122 @@
+From beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 Mon Sep 17 00:00:00 2001
+From: Antonio Larrosa <larrosa@kde.org>
+Date: Mon, 6 Mar 2017 13:43:53 +0100
+Subject: [PATCH] Check for multiplication overflow in MSADPCM decodeSample
+
+Check for multiplication overflow (using __builtin_mul_overflow
+if available) in MSADPCM.cpp decodeSample and return an empty
+decoded block if an error occurs.
+
+This fixes the 00193-audiofile-signintoverflow-MSADPCM case of #41
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libaudiofile/modules/BlockCodec.cpp |  5 ++--
+ libaudiofile/modules/MSADPCM.cpp    | 47 +++++++++++++++++++++++++++++++++----
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/libaudiofile/modules/BlockCodec.cpp b/libaudiofile/modules/BlockCodec.cpp
+index 45925e8..4731be1 100644
+--- a/libaudiofile/modules/BlockCodec.cpp
++++ b/libaudiofile/modules/BlockCodec.cpp
+@@ -52,8 +52,9 @@ void BlockCodec::runPull()
+ 	// Decompress into m_outChunk.
+ 	for (int i=0; i<blocksRead; i++)
+ 	{
+-		decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
+-			static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount);
++		if (decodeBlock(static_cast<const uint8_t *>(m_inChunk->buffer) + i * m_bytesPerPacket,
++			static_cast<int16_t *>(m_outChunk->buffer) + i * m_framesPerPacket * m_track->f.channelCount)==0)
++			break;
+ 
+ 		framesRead += m_framesPerPacket;
+ 	}
+diff --git a/libaudiofile/modules/MSADPCM.cpp b/libaudiofile/modules/MSADPCM.cpp
+index 8ea3c85..ef9c38c 100644
+--- a/libaudiofile/modules/MSADPCM.cpp
++++ b/libaudiofile/modules/MSADPCM.cpp
+@@ -101,24 +101,60 @@ static const int16_t adaptationTable[] =
+ 	768, 614, 512, 409, 307, 230, 230, 230
+ };
+ 
++int firstBitSet(int x)
++{
++        int position=0;
++        while (x!=0)
++        {
++                x>>=1;
++                ++position;
++        }
++        return position;
++}
++
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++int multiplyCheckOverflow(int a, int b, int *result)
++{
++#if (defined __GNUC__ && __GNUC__ >= 5) || ( __clang__ && __has_builtin(__builtin_mul_overflow))
++	return __builtin_mul_overflow(a, b, result);
++#else
++	if (firstBitSet(a)+firstBitSet(b)>31) // int is signed, so we can't use 32 bits
++		return true;
++	*result = a * b;
++	return false;
++#endif
++}
++
++
+ // Compute a linear PCM value from the given differential coded value.
+ static int16_t decodeSample(ms_adpcm_state &state,
+-	uint8_t code, const int16_t *coefficient)
++	uint8_t code, const int16_t *coefficient, bool *ok=NULL)
+ {
+ 	int linearSample = (state.sample1 * coefficient[0] +
+ 		state.sample2 * coefficient[1]) >> 8;
++	int delta;
+ 
+ 	linearSample += ((code & 0x08) ? (code - 0x10) : code) * state.delta;
+ 
+ 	linearSample = clamp(linearSample, MIN_INT16, MAX_INT16);
+ 
+-	int delta = (state.delta * adaptationTable[code]) >> 8;
++	if (multiplyCheckOverflow(state.delta, adaptationTable[code], &delta))
++	{
++                if (ok) *ok=false;
++		_af_error(AF_BAD_COMPRESSION, "Error decoding sample");
++		return 0;
++	}
++	delta >>= 8;
+ 	if (delta < 16)
+ 		delta = 16;
+ 
+ 	state.delta = delta;
+ 	state.sample2 = state.sample1;
+ 	state.sample1 = linearSample;
++	if (ok) *ok=true;
+ 
+ 	return static_cast<int16_t>(linearSample);
+ }
+@@ -212,13 +248,16 @@ int MSADPCM::decodeBlock(const uint8_t *encoded, int16_t *decoded)
+ 	{
+ 		uint8_t code;
+ 		int16_t newSample;
++		bool ok;
+ 
+ 		code = *encoded >> 4;
+-		newSample = decodeSample(*state[0], code, coefficient[0]);
++		newSample = decodeSample(*state[0], code, coefficient[0], &ok);
++		if (!ok) return 0;
+ 		*decoded++ = newSample;
+ 
+ 		code = *encoded & 0x0f;
+-		newSample = decodeSample(*state[1], code, coefficient[1]);
++		newSample = decodeSample(*state[1], code, coefficient[1], &ok);
++		if (!ok) return 0;
+ 		*decoded++ = newSample;
+ 
+ 		encoded++;
+-- 
+2.11.0
+
-- 
2.11.0

[Buildroot] [PATCH 1/5] audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > CVE-2017-6827: A heap-based buffer overflow in the
 > MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
 > libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
 > unspecified impact via a crafted audio file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
 > https://github.com/mpruett/audiofile/issues/32

 > CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
 > FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
 > allows remote attackers to have unspecified impact via a crafted WAV file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp
 > https://github.com/mpruett/audiofile/issues/31

 > CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
 > MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
 > attackers to cause a denial of service (crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp
 > https://github.com/mpruett/audiofile/issues/36

 > CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
 > in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
 > a denial of service (divide-by-zero error and crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
 > https://github.com/mpruett/audiofile/issues/37

 > CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
 > Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
 > denial of service (divide-by-zero error and crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp
 > https://github.com/mpruett/audiofile/issues/39

 > CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
 > remote attackers to cause a denial of service (crash) via vectors related to
 > a large number of coefficients.

 > http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
 > https://github.com/mpruett/audiofile/issues/41

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed all 5, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/5] audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > CVE-2017-6827: A heap-based buffer overflow in the
 > MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
 > libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
 > unspecified impact via a crafted audio file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
 > https://github.com/mpruett/audiofile/issues/32

 > CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
 > FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
 > allows remote attackers to have unspecified impact via a crafted WAV file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp
 > https://github.com/mpruett/audiofile/issues/31

 > CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
 > MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
 > attackers to cause a denial of service (crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp
 > https://github.com/mpruett/audiofile/issues/36

 > CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
 > in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
 > a denial of service (divide-by-zero error and crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
 > https://github.com/mpruett/audiofile/issues/37

 > CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
 > Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
 > denial of service (divide-by-zero error and crash) via a crafted file.

 > https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp
 > https://github.com/mpruett/audiofile/issues/39

 > CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
 > remote attackers to cause a denial of service (crash) via vectors related to
 > a large number of coefficients.

 > http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
 > https://github.com/mpruett/audiofile/issues/41

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed all 5 to 2017.02.x, thanks.

-- 
Bye, Peter Korsgaard