authorV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
committerV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
commit4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch)
treeba5f07bf3f9d22d82e54a462313f5d244036c768 /media-sound/vorbis-tools/files
reinit the tree, so we can have metadata
Diffstat (limited to 'media-sound/vorbis-tools/files')
-rw-r--r--media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch92
-rw-r--r--media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9640.patch24
-rw-r--r--media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch31
-rw-r--r--media-sound/vorbis-tools/files/vorbis-tools-1.4.0-format-security.patch11
-rw-r--r--media-sound/vorbis-tools/files/vorbis-tools-1.4.0-underlinking.patch47
5 files changed, 205 insertions, 0 deletions
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch
new file mode 100644
index 000000000000..79859df0274f
--- /dev/null
+++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9638.patch
@@ -0,0 +1,92 @@
+Patches taken as references:
+https://github.com/mark4o/opus-tools/commit/8c412e619b83eb6dd32191909cf6672e93e5802e
+https://trac.xiph.org/attachment/ticket/2212/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+To fix bug report:
+http://www.openwall.com/lists/oss-security/2015/08/29/1
+ https://bugs.gentoo.org/show_bug.cgi?id=559170
+https://bugs.gentoo.org/show_bug.cgi?id=537422
+--- oggenc/audio.h
++++ oggenc/audio.h
+@@ -25,7 +25,7 @@
+
+ typedef struct {
+ short format;
+- short channels;
++ unsigned short channels;
+ int samplerate;
+ int bytespersec;
+ short align;
+@@ -44,7 +44,7 @@
+ } wavfile;
+
+ typedef struct {
+- short channels;
++ unsigned short channels;
+ int totalframes;
+ short samplesize;
+ int rate;
+--- oggenc/audio.c
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len,readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@
+ return 0; /* Weird common chunk */
+ }
+
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0;
+@@ -277,11 +277,18 @@
+ return 0;
+ }
+
+- format.channels = READ_U16_BE(buffer);
++ format.channels = (short)READ_U16_BE(buffer);
+ format.totalframes = READ_U32_BE(buffer+2);
+ format.samplesize = READ_U16_BE(buffer+6);
+ format.rate = (int)read_IEEE80(buffer+8);
+
++ if(format.channels <=0)
++ {
++ fprintf(stderr, _("ERROR: Invalid channel count in AIFF header\n"));
++ return 0;
++
++ }
++
+ aiff->bigendian = 1;
+
+ if(aifc)
+@@ -449,11 +449,17 @@
+ }
+
+ format.format = READ_U16_LE(buf);
+- format.channels = READ_U16_LE(buf+2);
++ format.channels = (short)READ_U16_LE(buf+2);
+ format.samplerate = READ_U32_LE(buf+4);
+ format.bytespersec = READ_U32_LE(buf+8);
+ format.align = READ_U16_LE(buf+12);
+ format.samplesize = READ_U16_LE(buf+14);
++
++ if(format.channels == 0)
++ {
++ fprintf(stderr, _("ERROR: Zero channels in WAV header\n"));
++ return 0;
++ }
+
+ if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
+ {
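Review bot: The channel checks added in `aiff_open` and in the WAV header hunk only reject a count of zero. With `channels` now declared `unsigned short` in `audio.h`, the `(short)` cast is converted straight back on assignment and `format.channels <=0` can only be true for 0, so header values up to 65535 still pass both checks. Vorbis carries the channel count in an 8-bit field, so an upper bound belongs here as well, e.g. `if(format.channels == 0 || format.channels > 255)` in both places, with the cast dropped. Whether later code multiplies the count into buffer sizes is not visible in these hunks; both functions continue outside them.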
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9640.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9640.patch
new file mode 100644
index 000000000000..51c23b062aff
--- /dev/null
+++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-CVE-2014-9640.patch
@@ -0,0 +1,24 @@
+Patch taken from:
+https://trac.xiph.org/changeset/19117
+To fix bug report:
+https://bugs.gentoo.org/show_bug.cgi?id=537422
+--- vorbis-tools-1.4.0/oggenc/oggenc.c
++++ vorbis-tools-1.4.0/oggenc/oggenc.c
+@@ -97,6 +97,8 @@
+ .3,-1,
+ 0,0,0.f,
+ 0, 0, 0, 0, 0};
++ input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
++ N_("RAW file reader")};
+
+ int i;
+
+@@ -239,8 +241,6 @@
+
+ if(opt.rawmode)
+ {
+- input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
+- N_("RAW file reader")};
+
+ enc_opts.rate=opt.raw_samplerate;
+ enc_opts.channels=opt.raw_channels;
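Review bot: Nothing at the new declaration of `raw_format` says why it has to sit at function scope, so a later tidy-up could move it back inside the `if(opt.rawmode)` block and undo the fix. A comment above it would hold it in place: `/* Function scope on purpose: must outlive the if(opt.rawmode) block below. */`. The code that uses the object after that block is outside both hunks, so check the wording against the rest of the function.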
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch
new file mode 100644
index 000000000000..f8b66a90e7cd
--- /dev/null
+++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch
@@ -0,0 +1,31 @@
+Patch taken from:
+https://trac.xiph.org/attachment/ticket/2212/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+To fix bug report:
+http://www.openwall.com/lists/oss-security/2015/08/29/1
+ https://bugs.gentoo.org/show_bug.cgi?id=559170
+--- oggenc/audio.c
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+ int aifc; /* AIFC or AIFF? */
+- unsigned int len;
+- unsigned char *buffer;
++ unsigned int len,readlen;
++ unsigned char buffer[22];
+ unsigned char buf2[8];
+ aiff_fmt format;
+ aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@
+ return 0; /* Weird common chunk */
+ }
+
+- buffer = alloca(len);
+-
+- if(fread(buffer,1,len,in) < len)
++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++ if(fread(buffer,1,readlen,in) < readlen ||
++ (len > readlen && !seek_forward(in, len-readlen)))
+ {
+ fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
+ return 0;
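Review bot: Both hunks of this patch are repeated, with the same offsets and the same new code, as the first two `oggenc/audio.c` hunks of `vorbis-tools-1.4.0-CVE-2014-9638.patch` added in this commit. If an ebuild applies the two files one after the other, the second will meet already-patched text and be rejected or detected as reversed; the ebuild is not part of this diff, so which files are actually applied cannot be checked here. Keep the `alloca` replacement in one file only. Separately, the `return 0` paths shown here leave the `aiff` allocation from `malloc(sizeof(aifffile))` unfreed, so a `free(aiff);` before each would close that leak; `aiff_open` continues outside the hunk.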
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-format-security.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-format-security.patch
new file mode 100644
index 000000000000..501300ca6171
--- /dev/null
+++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-format-security.patch
@@ -0,0 +1,11 @@
+--- vorbis-tools-1.4.0.orig/ogg123/status.c
++++ vorbis-tools-1.4.0/ogg123/status.c
+@@ -148,7 +148,7 @@
+
+ switch (stats->type) {
+ case stat_noarg:
+- len += sprintf(str+len, stats->formatstr);
++ len += sprintf(str+len, "%s", stats->formatstr);
+ break;
+ case stat_intarg:
+ len += sprintf(str+len, stats->formatstr, stats->arg.intarg);
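Review bot: The `stat_noarg` write is still an unbounded `sprintf` into `str+len`, as is the `stat_intarg` case below it, so the number of bytes written depends entirely on the contents of `stats->formatstr`. A bounded form such as `len += snprintf(str+len, <size of str> - len, "%s", stats->formatstr);`, with the return value checked for truncation, would cap it; the size of `str` is declared outside this hunk, hence the placeholder. The string is also now emitted verbatim, so a `%%` in a no-argument format would print as two characters where it used to print one. Unlike the other patches in this directory, this file has no header naming its origin or bug report.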
diff --git a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-underlinking.patch b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-underlinking.patch
new file mode 100644
index 000000000000..aaa10fbb54f9
--- /dev/null
+++ b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-underlinking.patch
@@ -0,0 +1,47 @@
+http://bugs.gentoo.org/513942
+
+Fix building with `./configure --enable-ogg123 --without-flac --without-speex --without-kate` and `make`:
+
+libtool: link: gcc -Wall -ffast-math -fsigned-char -O2 -pipe -march=native -Wl,-O1 -Wl,--hash-style=gnu -o oggenc oggenc.o audio.o encode.o platform.o resample.o skeleton.o -Wl,--as-needed ../share/libutf8.a ../share/libgetopt.a -lvorbisenc -lvorbis -logg
+resample.o:resample.c:function res_init: error: undefined reference to 'sin'
+collect2: error: ld returned 1 exit status
+
+libtool: link: gcc -Wall -ffast-math -fsigned-char -O2 -pipe -march=native -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -o ogg123 audio.o buffer.o callbacks.o cfgfile_options.o cmdline_options.o file_transport.o format.o http_transport.o ogg123.o oggvorbis_format.o playlist.o status.o remote.o transport.o vorbis_comments.o vgfilter.o ../share/libutf8.a ../share/libgetopt.a -lvorbisfile -lvorbis -logg -lao -lnsl -lcurl -lpthread
+vgfilter.o:vgfilter.c:function vg_init: error: undefined reference to '__pow_finite'
+vgfilter.o:vgfilter.c:function vg_init: error: undefined reference to '__pow_finite'
+vgfilter.o:vgfilter.c:function vg_filter: error: undefined reference to 'tanh'
+vgfilter.o:vgfilter.c:function vg_filter: error: undefined reference to 'tanh'
+collect2: error: ld returned 1 exit status
+
+This is using the new GNU gold linker:
+
+$ ld -v
+GNU gold (GNU Binutils 2.24) 1.11
+
+Happens because -lm gets appended to the libraries list only with, for example, --with-flac but vgfilter.c and resample.c are always
+using functions from the mathlib.
+
+Therefore, always link to mathlib:
+
+--- ogg123/Makefile.am
++++ ogg123/Makefile.am
+@@ -30,7 +30,7 @@
+ ogg123_LDADD = @SHARE_LIBS@ \
+ @VORBISFILE_LIBS@ @VORBIS_LIBS@ @OGG_LIBS@ @AO_LIBS@ \
+ @SOCKET_LIBS@ @LIBICONV@ @CURL_LIBS@ @PTHREAD_CFLAGS@ \
+- @PTHREAD_LIBS@ @I18N_LIBS@ @FLAC_LIBS@ @SPEEX_LIBS@
++ @PTHREAD_LIBS@ @I18N_LIBS@ @FLAC_LIBS@ @SPEEX_LIBS@ -lm
+
+ ogg123_DEPENDENCIES = @SHARE_LIBS@
+ ogg123_SOURCES = audio.c buffer.c callbacks.c \
+--- oggenc/Makefile.am
++++ oggenc/Makefile.am
+@@ -23,7 +23,7 @@
+
+ oggenc_LDADD = @SHARE_LIBS@ \
+ @VORBISENC_LIBS@ @VORBIS_LIBS@ @KATE_LIBS@ @OGG_LIBS@ \
+- @LIBICONV@ @I18N_LIBS@ @FLAC_LIBS@
++ @LIBICONV@ @I18N_LIBS@ @FLAC_LIBS@ -lm
+
+ oggenc_DEPENDENCIES = @SHARE_LIBS@
+
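Review bot: `-lm` is hard-coded into `ogg123_LDADD` and `oggenc_LDADD` rather than coming from a configure check, and the change is made in `Makefile.am`, so it only takes effect once the build system is regenerated. The ebuild is not in this diff; confirm it runs autoreconf after applying the patch, otherwise the shipped `Makefile.in` would still link without the math library.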