media-sound/timidity++: restore CVE patches from 2.14.0

Whoops, misgrep (fooled by {}, I think?) Thanks-to: Jeroen Roovers Fixes: 4071642e177ae0e7289d684387d1f01af563cbd1 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org>
author: Sam James <sam@gentoo.org> 2021-01-07 05:18:53 +0000
committer: Sam James <sam@gentoo.org> 2021-01-07 05:18:53 +0000
commit: 585ee02d57684b9b47738d103492543eb5786418 (patch)
tree: 8774f2202475fca8347229c34aba17ab6118e7c7
parent: dev-libs/libnl: cleanup old (diff)
download: gentoo-585ee02d.tar.gz
gentoo-585ee02d.tar.bz2
gentoo-585ee02d.zip
2 files changed, 98 insertions, 0 deletions
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
new file mode 100644
index 000000000000..94135e98b96a
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11546.patch
@@ -0,0 +1,31 @@
+From 2386ec2c745f6c5075e53ea051da211336b44b84 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 26 Jun 2018 22:31:27 +0200
+Subject: readmidi: Fix division by zero
+
+References: CVE-2017-11546
+
+An adhoc fix for division by zero in insert_note_steps().
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+bug: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760825
+---
+ timidity/readmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/timidity/readmidi.c b/timidity/readmidi.c
+index 158388a..341777e 100644
+--- a/timidity/readmidi.c
++++ b/timidity/readmidi.c
+@@ -4585,6 +4585,8 @@ static void insert_note_steps(void)
+ 			if (beat != 0)
+ 				meas++, beat = 0;
+ 			num = timesig[n].a, denom = timesig[n].b, n++;
++			if (!denom)
++				denom = 1;
+ 		}
+ 		a = (meas + 1) & 0xff;
+ 		b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4);
diff --git a/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
new file mode 100644
index 000000000000..12562a577e0e
--- /dev/null
+++ b/media-sound/timidity++/files/timidity++-2.14.0-CVE-2017-11547.patch
@@ -0,0 +1,67 @@
+From 34328d22cbb4ccf03f29223f54f1834c796d86a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 26 Jun 2018 22:31:28 +0200
+Subject: resample: Fix out-of-bound access in resamplers
+
+References: CVE-2017-11547
+
+An adhoc fix for out-of-bound accesses in resamples.
+The offset might overflow the given data range.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+bug-debian: https://bugs.debian.org/870338
+bug-suse: https://bugzilla.suse.com/show_bug.cgi?id=1081694
+origin: https://bugzilla.suse.com/attachment.cgi?id=760826
+---
+ timidity/resample.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/timidity/resample.c b/timidity/resample.c
+index cd6b8e6..4a3fadf 100644
+--- a/timidity/resample.c
++++ b/timidity/resample.c
+@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r
+ {
+     int32 ofsi, ofsf, v0, v1, v2, v3, temp;
+ 
++    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++      return src[ofs >> FRACTION_BITS];
+     ofsi = ofs >> FRACTION_BITS;
+     v1 = src[ofsi];
+     v2 = src[ofsi + 1];
+@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t *
+ {
+     int32 ofsi, ofsf, v0, v1, v2, v3;
+ 
++    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++      return src[ofs >> FRACTION_BITS];
+     ofsi = ofs >> FRACTION_BITS;
+     v1 = (int32)src[ofsi];
+     v2 = (int32)src[ofsi + 1];
+@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec
+     sample_t *sptr;
+     int32 left, right, temp_n;
+ 
++    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++      return src[ofs >> FRACTION_BITS];
+     left = (ofs>>FRACTION_BITS);
+     right = (rec->data_length>>FRACTION_BITS) - left - 1;
+     temp_n = (right<<1)-1;
+@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re
+     int32 left, right, temp_n;
+     int ii, jj;
+ 
++    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++      return src[ofs >> FRACTION_BITS];
+     left = (ofs>>FRACTION_BITS);
+     right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
+     temp_n = (right<<1)-1;
+@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re
+ {
+     int32 v1, v2, ofsi;
+ 
++    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
++      return src[ofs >> FRACTION_BITS];
+     ofsi = ofs >> FRACTION_BITS;
+     v1 = src[ofsi];
+     v2 = src[ofsi + 1];
author	Sam James <sam@gentoo.org>	2021-01-07 05:18:53 +0000
committer	Sam James <sam@gentoo.org>	2021-01-07 05:18:53 +0000
commit	585ee02d57684b9b47738d103492543eb5786418 (patch)
tree	8774f2202475fca8347229c34aba17ab6118e7c7
parent	dev-libs/libnl: cleanup old (diff)
download	gentoo-585ee02d.tar.gz gentoo-585ee02d.tar.bz2 gentoo-585ee02d.zip