[notify] flac: security fix for CVE-2020-0499

4 files changed, 110 insertions, 4 deletions

diff --git a/flac/.signature b/flac/.signature
index a6c6320fb..7f0fff74a 100644
--- a/flac/.signature
+++ b/flac/.signature
@@ -1,5 +1,7 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/RXGEQQsM7jj9a2XgMwJduX3cjXGm3hkD9LVGeloGKU/CEXW3mnA05NbCYUQI48BY1Xpz9/faXs46z7qwyVUTgs=
-SHA256 (Pkgfile) = 7051386c258bb4bc1f4394fa0fea2e22e5d698e8b53c14e5cde6deb0b36e880e
+RWSE3ohX2g5d/Uxh4j/6PEOv3zoJy43TDAwlkCC7uje5YLqSKUNMxXBdNiDaF0rquUbwnvlnyuX7NEE/xAJixVnV3pn2HA+V7Aw=
+SHA256 (Pkgfile) = 7e94e96a7c807506dc3ecd9b5f94dcdd816d108b2c22a4e9ba892b738327e577
 SHA256 (.footprint) = 1b4686b5a9615a67c8c91b0b51f2e1688c245bf737e0d2772231bcd502d96004
 SHA256 (flac-1.3.3.tar.xz) = 213e82bd716c9de6db2f98bcadbc4c24c7e2efe8c75939a1a84e28539c4e1748
+SHA256 (2e7931c.patch) = 4c720576c909cb0a624dba339285970bc01488b19a875333fdc74b43e1c020ba
+SHA256 (ced7f68.patch) = f41722979b57c4fd9cc80018af90e035f0ecacbfb5cbe8161838c01d58879047
diff --git a/flac/2e7931c.patch b/flac/2e7931c.patch
new file mode 100644
index 000000000..53556bbca
--- /dev/null
+++ b/flac/2e7931c.patch
@@ -0,0 +1,25 @@
+From 2e7931c27eb15e387da440a37f12437e35b22dd4 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Mon, 7 Oct 2019 12:55:58 +1100
+Subject: [PATCH] libFLAC/bitreader.c: Fix out-of-bounds read
+
+Credit: Oss-Fuzz
+Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069
+Testcase: fuzzer_decoder-5670265022840832
+---
+ src/libFLAC/bitreader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c
+index 5e4b59180e..3df4d02c0b 100644
+--- a/src/libFLAC/bitreader.c
++++ b/src/libFLAC/bitreader.c
+@@ -869,7 +869,7 @@ FLAC__bool FLAC__bitreader_read_rice_signed_block(FLAC__BitReader *br, int vals[
+ 			cwords = br->consumed_words;
+ 			words = br->words;
+ 			ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
+-			b = br->buffer[cwords] << br->consumed_bits;
++			b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
+ 		} while(cwords >= words && val < end);
+ 	}
+ 
diff --git a/flac/Pkgfile b/flac/Pkgfile
index 3d2b54407..7c9d40f81 100644
--- a/flac/Pkgfile
+++ b/flac/Pkgfile
@@ -5,12 +5,17 @@
 
 name=flac
 version=1.3.3
-release=1
-source=(https://downloads.xiph.org/releases/flac/$name-$version.tar.xz)
+release=2
+source=(https://downloads.xiph.org/releases/flac/$name-$version.tar.xz
+	2e7931c.patch
+	ced7f68.patch)
 
 build() {
 	cd $name-$version
 
+	patch -p1 -i $SRC/2e7931c.patch # CVE-2020-0499
+	patch -p1 -i $SRC/ced7f68.patch # overflow checks
+
 	./configure --prefix=/usr
 
 	make
diff --git a/flac/ced7f68.patch b/flac/ced7f68.patch
new file mode 100644
index 000000000..eb2b7871b
--- /dev/null
+++ b/flac/ced7f68.patch
@@ -0,0 +1,74 @@
+From ced7f6829d14e38128bf0ba66412cc0541246c46 Mon Sep 17 00:00:00 2001
+From: Martijn van Beurden <mvanb1@gmail.com>
+Date: Mon, 6 Jul 2020 21:38:39 +0200
+Subject: [PATCH] Add some overflow checks for residual bits calculation
+
+---
+ src/libFLAC/stream_encoder.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 74387ec3be..4c91247fe8 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -4110,13 +4110,14 @@ static inline uint32_t count_rice_bits_in_partition_(
+ 	const FLAC__int32 *residual
+ )
+ {
+-	uint32_t i, partition_bits =
++	uint32_t i;
++	uint64_t partition_bits =
+ 		FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_PARAMETER_LEN + /* actually could end up being FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_PARAMETER_LEN but err on side of 16bps */
+ 		(1+rice_parameter) * partition_samples /* 1 for unary stop bit + rice_parameter for the binary portion */
+ 	;
+ 	for(i = 0; i < partition_samples; i++)
+ 		partition_bits += ( (FLAC__uint32)((residual[i]<<1)^(residual[i]>>31)) >> rice_parameter );
+-	return partition_bits;
++	return (uint32_t)(flac_min(partition_bits,(uint32_t)(-1))); // To make sure the return value doesn't overflow
+ }
+ #else
+ static inline uint32_t count_rice_bits_in_partition_(
+@@ -4125,15 +4126,15 @@ static inline uint32_t count_rice_bits_in_partition_(
+ 	const FLAC__uint64 abs_residual_partition_sum
+ )
+ {
+-	return
++	return (uint32_t)(flac_min( // To make sure the return value doesn't overflow
+ 		FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_PARAMETER_LEN + /* actually could end up being FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_PARAMETER_LEN but err on side of 16bps */
+ 		(1+rice_parameter) * partition_samples + /* 1 for unary stop bit + rice_parameter for the binary portion */
+ 		(
+ 			rice_parameter?
+-				(uint32_t)(abs_residual_partition_sum >> (rice_parameter-1)) /* rice_parameter-1 because the real coder sign-folds instead of using a sign bit */
+-				: (uint32_t)(abs_residual_partition_sum << 1) /* can't shift by negative number, so reverse */
++				(abs_residual_partition_sum >> (rice_parameter-1)) /* rice_parameter-1 because the real coder sign-folds instead of using a sign bit */
++				: (abs_residual_partition_sum << 1) /* can't shift by negative number, so reverse */
+ 		)
+-		- (partition_samples >> 1)
++		- (partition_samples >> 1),(uint32_t)(-1)));
+ 		/* -(partition_samples>>1) to subtract out extra contributions to the abs_residual_partition_sum.
+ 		 * The actual number of bits used is closer to the sum(for all i in the partition) of  abs(residual[i])>>(rice_parameter-1)
+ 		 * By using the abs_residual_partition sum, we also add in bits in the LSBs that would normally be shifted out.
+@@ -4224,7 +4225,10 @@ FLAC__bool set_partitioned_rice_(
+ 				raw_bits[0] = 0;
+ 		}
+ 		parameters[0] = best_rice_parameter;
+-		bits_ += best_partition_bits;
++		if(best_partition_bits < UINT_MAX - bits_) // To make sure _bits doesn't overflow
++			bits_ += best_partition_bits;
++		else
++			bits_ = UINT_MAX;
+ 	}
+ 	else {
+ 		uint32_t partition, residual_sample;
+@@ -4327,7 +4331,10 @@ FLAC__bool set_partitioned_rice_(
+ 					raw_bits[partition] = 0;
+ 			}
+ 			parameters[partition] = best_rice_parameter;
+-			bits_ += best_partition_bits;
++			if(best_partition_bits < UINT_MAX - bits_) // To make sure _bits doesn't overflow
++				bits_ += best_partition_bits;
++			else
++				bits_ = UINT_MAX;
+ 			residual_sample += partition_samples;
+ 		}
+ 	}