| Message ID | 20230205130600.18051-1-fontaine.fabrice@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/opusfile: fix CVE-2022-47021 | expand |
Fabrice, All, On 2023-02-05 14:06 +0100, Fabrice Fontaine spake thusly: > A null pointer dereference issue was discovered in functions op_get_data > and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows > attackers to cause denial of service or other unspecified impacts. > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > ...ocation-failure-from-ogg_sync_buffer.patch | 44 +++++++++++++++++++ > package/opusfile/opusfile.mk | 3 ++ > 2 files changed, 47 insertions(+) > create mode 100644 package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch > > diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch > new file mode 100644 > index 0000000000..2ef08502ab > --- /dev/null > +++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch > @@ -0,0 +1,44 @@ > +From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001 > +From: Ralph Giles <giles@thaumas.net> > +Date: Tue, 6 Sep 2022 19:04:31 -0700 > +Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer. > + > +Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns > +a null pointer. This allows more graceful recovery by the caller > +in the unlikely event of a fallible ogg_malloc call. > + > +We do check the return value elsewhere in the code, so the new > +checks make the code more consistent. > + > +Thanks to https://github.com/xiph/opusfile/issues/36 for reporting. > + > +Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org> > +Signed-off-by: Mark Harris <mark.hsj@gmail.com> > + > +[Retrieved from: > +https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5] > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > +--- > + src/opusfile.c | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/src/opusfile.c b/src/opusfile.c > +index ca219b2..3c3c81e 100644 > +--- a/src/opusfile.c > ++++ b/src/opusfile.c > +@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){ > + int nbytes; > + OP_ASSERT(_nbytes>0); > + buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes); > ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; > + nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes); > + OP_ASSERT(nbytes<=_nbytes); > + if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes); > +@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of, > + if(_initial_bytes>0){ > + char *buffer; > + buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes); > ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; > + memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer)); > + ogg_sync_wrote(&_of->oy,(long)_initial_bytes); > + } > diff --git a/package/opusfile/opusfile.mk b/package/opusfile/opusfile.mk > index 72ae82e801..63553a81e7 100644 > --- a/package/opusfile/opusfile.mk > +++ b/package/opusfile/opusfile.mk > @@ -11,6 +11,9 @@ OPUSFILE_LICENSE = BSD-3-Clause > OPUSFILE_LICENSE_FILES = COPYING > OPUSFILE_INSTALL_STAGING = YES > > +# 0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch > +OPUSFILE_IGNORE_CVES += CVE-2022-47021 > + > ifeq ($(BR2_PACKAGE_OPENSSL),y) > OPUSFILE_DEPENDENCIES += openssl > else > -- > 2.39.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > A null pointer dereference issue was discovered in functions op_get_data > and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows > attackers to cause denial of service or other unspecified impacts. > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2022.11.x and 2022.02.x, thanks.
diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch new file mode 100644 index 0000000000..2ef08502ab --- /dev/null +++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch @@ -0,0 +1,44 @@ +From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001 +From: Ralph Giles <giles@thaumas.net> +Date: Tue, 6 Sep 2022 19:04:31 -0700 +Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer. + +Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns +a null pointer. This allows more graceful recovery by the caller +in the unlikely event of a fallible ogg_malloc call. + +We do check the return value elsewhere in the code, so the new +checks make the code more consistent. + +Thanks to https://github.com/xiph/opusfile/issues/36 for reporting. + +Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org> +Signed-off-by: Mark Harris <mark.hsj@gmail.com> + +[Retrieved from: +https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5] +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> +--- + src/opusfile.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/opusfile.c b/src/opusfile.c +index ca219b2..3c3c81e 100644 +--- a/src/opusfile.c ++++ b/src/opusfile.c +@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){ + int nbytes; + OP_ASSERT(_nbytes>0); + buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes); ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; + nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes); + OP_ASSERT(nbytes<=_nbytes); + if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes); +@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of, + if(_initial_bytes>0){ + char *buffer; + buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes); ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; + memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer)); + ogg_sync_wrote(&_of->oy,(long)_initial_bytes); + } diff --git a/package/opusfile/opusfile.mk b/package/opusfile/opusfile.mk index 72ae82e801..63553a81e7 100644 --- a/package/opusfile/opusfile.mk +++ b/package/opusfile/opusfile.mk @@ -11,6 +11,9 @@ OPUSFILE_LICENSE = BSD-3-Clause OPUSFILE_LICENSE_FILES = COPYING OPUSFILE_INSTALL_STAGING = YES +# 0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch +OPUSFILE_IGNORE_CVES += CVE-2022-47021 + ifeq ($(BR2_PACKAGE_OPENSSL),y) OPUSFILE_DEPENDENCIES += openssl else
A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- ...ocation-failure-from-ogg_sync_buffer.patch | 44 +++++++++++++++++++ package/opusfile/opusfile.mk | 3 ++ 2 files changed, 47 insertions(+) create mode 100644 package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch