From f1bc537f089cc8477a9a18db597cb349e1b00e91 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@redcorelinux.org>
Date: Sat, 16 Jun 2018 05:02:38 +0100
Subject: gentoo resync : 16.06.2018

---
 media-sound/sox/Manifest                           | 11 +++
 .../sox/files/sox-14.4.2-CVE-2017-11332.patch      | 25 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-11333.patch      | 43 ++++++++++
 .../sox/files/sox-14.4.2-CVE-2017-11358.patch      | 26 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-11359.patch      | 27 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-15370.patch      | 25 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-15371.patch      | 37 ++++++++
 .../sox/files/sox-14.4.2-CVE-2017-15372.patch      | 97 +++++++++++++++++++++
 .../sox/files/sox-14.4.2-CVE-2017-15642.patch      | 28 +++++++
 .../sox/files/sox-14.4.2-CVE-2017-18189.patch      | 30 +++++++
 .../sox-14.4.2-wavpack-chk-errors-on-init.patch    | 35 ++++++++
 media-sound/sox/sox-14.4.2-r1.ebuild               | 98 ++++++++++++++++++++++
 12 files changed, 482 insertions(+)
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
 create mode 100644 media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
 create mode 100644 media-sound/sox/sox-14.4.2-r1.ebuild

(limited to 'media-sound/sox')

diff --git a/media-sound/sox/Manifest b/media-sound/sox/Manifest
index 5d4173464d20..ed26087c5f07 100644
--- a/media-sound/sox/Manifest
+++ b/media-sound/sox/Manifest
@@ -1,3 +1,14 @@
+AUX sox-14.4.2-CVE-2017-11332.patch 792 BLAKE2B 07da752434571a68102c0b712656ca9642b85a67c9f0e740a75fff979c4f8746b152aa0e060dc490ed6b6bdf62eaab29b562ef929cbada035a12fcc76ce6bf15 SHA512 8c26bea077b503c8ec420880539f2a6e275d2b3c26eb5b4c5af38aae16b258a29ceb946aeb2252e47aeea22e5b6513c628a7ee3eb3d201d6fa541456b16bd399
+AUX sox-14.4.2-CVE-2017-11333.patch 1635 BLAKE2B 9dad961dd2679bc87dbf0422de01c3777362a382364db060a08db5265c087d0a943b9be970e886b1ae89c9a451aba13613f13233a5338e6d0100f114543ed4ac SHA512 5e87a6cd045cd499da0af495e09c178c342b36ff3f753d90bb73bca3745223746b3c704db85f60a2d9867d9ac37e715ae819f0a4f90039551c722c0c90af2b27
+AUX sox-14.4.2-CVE-2017-11358.patch 987 BLAKE2B 499968de437944f9261756d3cbc9dd54c60f10eaac02b074348e390fcfe8b3d3c4adb7f599b98e47596bbb87b88d0c9dfc5f3ba027a798b4aeb6038fd7b40be8 SHA512 b2a096659cc98bd50322441d3611e607b71c54025feaf7c2acc322fff8c0ef5a83f06bef31099c4adf1794009b050a3f2dca71c7926892c60081261384891ac4
+AUX sox-14.4.2-CVE-2017-11359.patch 903 BLAKE2B 89bcfbca682ec4ba1529b974e9d767c5a6a87632c92324d2794db5c45e48b7723b334564143037f17c27ffb0d2e330dadc274ef3f0a9fa9ee5ad3f45ad8239e9 SHA512 6fb075c09cfedaec6bb6760ba2e0d55446478c8e2873884b6a940d42f44ad8e840809f8b31b59ff3d40307dd48d74dadf809859dfef190269da8800185b462a6
+AUX sox-14.4.2-CVE-2017-15370.patch 1065 BLAKE2B 1e8609d127c146f378b0c5ae2195fdcabc33230d4685aab3b93c217b748998a82d3d7a46888a32fc61260672b64d9da266d339311142d630f418ae727d91d847 SHA512 e5c079f8e8e4603e068a092db86ec6dea4da395f75fb4bfa284736edce2d8ea3441deda51ca7dce8865e1ac5914cdf9c6767ed74203726f26992e9d76f4d8b0b
+AUX sox-14.4.2-CVE-2017-15371.patch 1313 BLAKE2B 9b6a97d4b2fda76295e2ae260cba76c3a97dc90ec409f450c4eb20367ed8038aac533cf6147d8efb840054fa28e85238c89e85783c082ccefd55a086b94cbb58 SHA512 122783ba75b4ed9062071ace42f7d702e5b37b8d81e479d37ad0e1c4addbf3efd167f4d56c32e9518b3dcb8d20e54f53cb2b573343195823dd871764d1b24fd9
+AUX sox-14.4.2-CVE-2017-15372.patch 3745 BLAKE2B 966abb4f59894e8dec2a29376c4b548640838f489467e9e31b8f1720196ae825f4c401fe738b0252742fa412a220aff98dbe2bad6d9184c0ea037ece610ad0d4 SHA512 ba8e52d02eb453fbdc7cf066c42c2c00591a355026508406029882ab665ec2567dc03efcc7e0ebec9309b7606ba44d2377c25b9e4eeadbb30457304852bfc31c
+AUX sox-14.4.2-CVE-2017-15642.patch 852 BLAKE2B b6d32a2d7909b601953f0603caa678e62a9c5ef6cbce9609f2ad221af0555a2d1990bce38db24c5e127a05b2784ded42faed15a2a018fb73b6416f3c1be4b5a5 SHA512 dfccffbf6be7951c217e8b98a96a6cd48c31d077a535c0e03beffc8f2fea82aa71c0e5d941caa1364771aa0cef8ae915aa5c3e7be8948375151537cc1a8ebdb8
+AUX sox-14.4.2-CVE-2017-18189.patch 1109 BLAKE2B 1014eb9427b4735e08da68707e108a0c04b89ec75c91440a0ce833327af0ed152a1eba1ef46402f198f6394c1787ae899ee1ffc9748d1ec91544fe8f127cecb6 SHA512 dd4023a6bc98f510c2256537e747a20c9b3b8ec35e0f98d19d188a3973f1774566c5d70f8de6cd9083547ade69670d34d10b848836d0724896993e1e56c85c75
+AUX sox-14.4.2-wavpack-chk-errors-on-init.patch 1328 BLAKE2B 0a1f6c0ef96d5508f11901b28b57feda0be79f0af6ead0af51eb97db7a3a97497aa446389904bc9457efd8dc4f9738f5482841caa096d3449d3b1ab5d77b746a SHA512 ae95d810f489efb749f808c6e46b0412f4cfd6ee60fce0289c0c1d689bb599fd2516a79fcd24ac9ddd30fab6f0437a6876dccfb61db2f6c612fe680f6eff13b5
 DIST sox-14.4.2.tar.gz 1134299 BLAKE2B 9fae987d421fc733b84746f8dc8f09ced1c3ce066643a426d7c64c4ed4ceeb18e5d00165108b39065a4ce40ff39e9d020fc6e734ff1121ee39bfeed4ad822bc5 SHA512 b5c6203f4f5577503a034fe5b3d6a033ee97fe4d171c533933e2b036118a43a14f97c9668433229708609ccf9ee16abdeca3fc7501aa0aafe06baacbba537eca
+EBUILD sox-14.4.2-r1.ebuild 2626 BLAKE2B 83929fbf6c871b74ad53c136792ed2bd19e2c34ac6d30c0f0ae1438a92d5b48fed6c659dbac89da3991d5dd5af2a458fb22dfebbbd42d9cd286e28c4f4770db4 SHA512 6f480918d4b518e014adaef92abf1e54b1a569561e173b9b8e16ce41141c296e0864801d82bac874d21dc31e0fa16e83f4898f8432e2b0a493146c9604f63495
 EBUILD sox-14.4.2.ebuild 2162 BLAKE2B acf1642bd7003f6d19bc454196f4b6cf6fe9e7088363b3c3b530a973d874a3261faca50c26fc6d4e076064ebf10a87d39a5d647e4feccacc49d8c4cc052a1d62 SHA512 8bacb2ece8bc4808ad1b5db0a854e3c4c7eb4febaabdc18675bec344c8454243ba0d5530d87c6ae7b0b8416bf726a1d392cc8d6f0ef936dbd4fea01fe02ef825
 MISC metadata.xml 640 BLAKE2B f02bbb657d1f43a5c9394cca0f74a88d56163cbeabccdc481651e52abfb0ddaa00750c1578a6ff7c697848357c9382a537044a4364c9c5dfc35906f665011bec SHA512 0c7363b16df0333f4496a8e2ecb8c267cd1b23b1d946964fd2ff096a98313384f4f9d94e30791464076fe318d6bf7e5f1d4ef6f6a41a020ef1c197988c811862
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
new file mode 100644
index 000000000000..2b4448ed2d71
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
@@ -0,0 +1,25 @@
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3e80e692..3eaebfa7 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+     else
+         lsx_report("User options overriding channels read in .wav header");
+ 
++    if (ft->signal.channels == 0) {
++        lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++        return SOX_EOF;
++    }
++
+     if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+         ft->signal.rate = dwSamplesPerSecond;
+     else
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
new file mode 100644
index 000000000000..a9a5b2762199
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
@@ -0,0 +1,43 @@
+From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001
+Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:36:58 +0100
+Subject: [PATCH] Handle vorbis_analysis_headerout errors
+
+This is related to
+
+    https://github.com/xiph/vorbis/pull/34
+
+but could also happen today with on other errors in the called function.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236
+Forwarded: sox-devel@lists.sourceforge.net
+---
+ src/vorbis.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+Index: sox/src/vorbis.c
+===================================================================
+--- sox.orig/src/vorbis.c
++++ sox/src/vorbis.c
+@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma
+       vc.comment_lengths[i] = strlen(text);
+     }
+   }
+-  vorbis_analysis_headerout(    /* Build the packets */
+-      &ve->vd, &vc, &header_main, &header_comments, &header_codebooks);
++  if (vorbis_analysis_headerout(    /* Build the packets */
++      &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) {
++      ret = HEADER_ERROR;
++      goto cleanup;
++  }
+ 
+   ogg_stream_packetin(&ve->os, &header_main);   /* And stream them out */
+   ogg_stream_packetin(&ve->os, &header_comments);
+@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma
+   while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK)
+     if (!oe_write_page(&ve->og, ft))
+       ret = HEADER_ERROR;
++cleanup:
+   for (i = 0; i < vc.comments; ++i)
+     free(vc.user_comments[i]);
+   free(vc.user_comments);
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
new file mode 100644
index 000000000000..6cd8c2bb15f6
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
@@ -0,0 +1,26 @@
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:43:35 +0000
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary
+ (CVE-2017-11358)
+
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index c62b020c..1b0e09dd 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft)
+                 lsx_debug("%d %d",
+                        p->dictionary[i].dict_leftson,
+                        p->dictionary[i].dict_rightson);
++                if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
++                    (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
++                        lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++                        return SOX_EOF;
++                }
+         }
+         rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+         if (rc)
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
new file mode 100644
index 000000000000..180d7d1c867b
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
@@ -0,0 +1,27 @@
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+---
+ src/wav.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3eaebfa7..fad334cf 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header)
+     long blocksWritten = 0;
+     sox_bool isExtensible = sox_false;    /* WAVE_FORMAT_EXTENSIBLE? */
+ 
++    if (ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     dwSamplesPerSecond = ft->signal.rate;
+     wChannels = ft->signal.channels;
+     wBitsPerSample = ft->encoding.bits_per_sample;
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
new file mode 100644
index 000000000000..473c383a663a
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
@@ -0,0 +1,25 @@
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+Add the same check bad block size as was done for MS adpcm in commit
+f39c574b ("More checks for invalid MS ADPCM blocks").
+---
+ src/wav.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556c..3e80e692 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -127,7 +127,7 @@ static unsigned short  ImaAdpcmReadBlock(sox_format_t * ft)
+         /* work with partial blocks.  Specs say it should be null */
+         /* padded but I guess this is better than trailing quiet. */
+         samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+-        if (samplesThisBlock == 0)
++        if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+         {
+             lsx_warn("Premature EOF on .wav input file");
+             return 0;
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
new file mode 100644
index 000000000000..cde253da4ecb
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
@@ -0,0 +1,37 @@
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+---
+ src/flac.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: sox/src/flac.c
+===================================================================
+--- sox.orig/src/flac.c
++++ sox/src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL
+     p->total_samples = metadata->data.stream_info.total_samples;
+   }
+   else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++    const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+     size_t i;
+ 
+-    if (metadata->data.vorbis_comment.num_comments == 0)
++    if (vc->num_comments == 0)
+       return;
+ 
+     if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL
+       return;
+     }
+ 
+-    for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+-      sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++    for (i = 0; i < vc->num_comments; ++i)
++      if (vc->comments[i].entry)
++        sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+   }
+ }
+ 
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
new file mode 100644
index 000000000000..8671213a98f3
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
@@ -0,0 +1,97 @@
+From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 8 Nov 2017 00:29:14 +0000
+Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+---
+ src/adpcm.c | 8 +++++++-
+ src/adpcm.h | 3 +++
+ src/wav.c   | 5 ++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: sox/src/adpcm.c
+===================================================================
+--- sox.orig/src/adpcm.c
++++ sox/src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] =
+                         { 392,-232}
+ };
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++        return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+                                sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s
+ 
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++        void *priv,
+         unsigned chans,          /* total channels             */
+         int nCoef,
+         const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+   const unsigned char *ip;
+   unsigned ch;
+   const char *errmsg = NULL;
+-  MsState_t state[4];  /* One decompressor state for each channel */
++  MsState_t *state = priv;  /* One decompressor state for each channel */
+ 
+   /* Read the four-byte header for each channel */
+   ip = ibuff;
+Index: sox/src/adpcm.h
+===================================================================
+--- sox.orig/src/adpcm.h
++++ sox/src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+ 
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++	void *priv,
+ 	unsigned chans,          /* total channels             */
+ 	int nCoef,
+ 	const short *coef,
+Index: sox/src/wav.c
+===================================================================
+--- sox.orig/src/wav.c
++++ sox/src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+     /* following used by *ADPCM wav files */
+     unsigned short nCoefs;          /* ADPCM: number of coef sets */
+     short         *lsx_ms_adpcm_i_coefs;          /* ADPCM: coef sets           */
++    void          *ms_adpcm_data;   /* Private data of adpcm decoder */
+     unsigned char *packet;          /* Temporary buffer for packets */
+     short         *samples;         /* interleaved samples buffer */
+     short         *samplePtr;       /* Pointer to current sample  */
+@@ -175,7 +176,7 @@ static unsigned short  AdpcmReadBlock(so
+         }
+     }
+ 
+-    errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++    errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+ 
+     if (errmsg)
+         lsx_warn("%s", errmsg);
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft)
+ 
+         /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+         wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++        wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+         {
+             int i, errct=0;
+             for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+     free(wav->packet);
+     free(wav->samples);
+     free(wav->lsx_ms_adpcm_i_coefs);
++    free(wav->ms_adpcm_data);
+     free(wav->comment);
+     wav->comment = NULL;
+ 
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
new file mode 100644
index 000000000000..d43ef50d1012
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
@@ -0,0 +1,28 @@
+Description: This fixes a use after free and double free if an empty comment
+chunk follows a non-empty one.
+Author: Mans Rullgard <mans@mansr.com>
+Forwarded: not-needed
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: sox/src/aiff.c
+===================================================================
+--- sox.orig/src/aiff.c
++++ sox/src/aiff.c
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft)
+   size_t ssndsize = 0;
+   char *annotation;
+   char *author;
+-  char *comment = NULL;
+   char *copyright;
+   char *nametext;
+ 
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft)
+       free(annotation);
+     }
+     else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++      char *comment = NULL;
+       rc = commentChunk(&comment, "Comment:", ft);
+       if (rc) {
+         /* Fail already called in function */
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
new file mode 100644
index 000000000000..fd04bcdff131
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
@@ -0,0 +1,30 @@
+Description: A corrupt header specifying zero channels would send read_channels()
+into an infinite loop.  Prevent this by sanity checking the channel
+count in open_read().  Also add an upper bound to prevent overflow
+in multiplication.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
+Author: Mans Rullgard <mans@mansr.com>
+ Jaromír Mikeš <mira.mikes@seznam.cz>
+Forwarded: not-needed
+
+---
+ src/xa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: sox/src/xa.c
+===================================================================
+--- sox.orig/src/xa.c
++++ sox/src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+         lsx_report("User options overriding rate read in .xa header");
+     }
+ 
++    if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     /* Check for supported formats */
+     if (ft->encoding.bits_per_sample != 16) {
+         lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
new file mode 100644
index 000000000000..4ebb31c0ae94
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
@@ -0,0 +1,35 @@
+Description: wavpack: check errors when initializing
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145
+Author:  Eric Wong <normalperson@yhbt.net>
+ Jaromír Mikeš <mira.mikes@seznam.cz>
+Forwarded: not-needed
+
+ src/wavpack.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/wavpack.c b/src/wavpack.c
+index 9e525cd4..b7e8dafa 100644
+--- a/src/wavpack.c
++++ b/src/wavpack.c
+@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft)
+   char msg[80];
+ 
+   p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0);
++  if (!p->codec) {
++    lsx_fail_errno(ft, SOX_EHDR, "%s", msg);
++    return SOX_EOF;
++  }
+   ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3;
+   ft->signal.channels   = WavpackGetNumChannels(p->codec);
+   if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec))
+@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft)
+   uint64_t size64;
+ 
+   p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL);
++  if (!p->codec) {
++    lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance");
++    return SOX_EOF;
++  }
+   memset(&config, 0, sizeof(config));
+   config.bytes_per_sample  = ft->encoding.bits_per_sample >> 3;
+   config.bits_per_sample   = ft->encoding.bits_per_sample;
diff --git a/media-sound/sox/sox-14.4.2-r1.ebuild b/media-sound/sox/sox-14.4.2-r1.ebuild
new file mode 100644
index 000000000000..112f0b571607
--- /dev/null
+++ b/media-sound/sox/sox-14.4.2-r1.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools
+
+DESCRIPTION="The swiss army knife of sound processing programs"
+HOMEPAGE="http://sox.sourceforge.net"
+SRC_URI="mirror://sourceforge/sox/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ia64 ~mips ~ppc ~ppc64 ~sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-solaris"
+IUSE="alsa amr ao debug encode flac id3tag ladspa mad ogg openmp oss opus png pulseaudio sndfile static-libs twolame wavpack"
+
+RDEPEND="
+	dev-libs/libltdl:0=
+	>=media-sound/gsm-1.0.12-r1
+	alsa? ( media-libs/alsa-lib )
+	amr? ( media-libs/opencore-amr )
+	ao? ( media-libs/libao )
+	encode? ( >=media-sound/lame-3.98.4 )
+	flac? ( >=media-libs/flac-1.1.3 )
+	id3tag? ( media-libs/libid3tag )
+	ladspa? ( media-libs/ladspa-sdk )
+	mad? ( media-libs/libmad )
+	ogg? (
+		media-libs/libogg
+		media-libs/libvorbis
+	)
+	opus? (
+		media-libs/opus
+		media-libs/opusfile
+	)
+	png? (
+		media-libs/libpng:0=
+		sys-libs/zlib
+	)
+	pulseaudio? ( media-sound/pulseaudio )
+	sndfile? ( >=media-libs/libsndfile-1.0.11 )
+	twolame? ( media-sound/twolame )
+	wavpack? ( media-sound/wavpack )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig"
+
+DOCS=( AUTHORS ChangeLog NEWS README )
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2017-11332.patch
+	"${FILESDIR}"/${P}-CVE-2017-11333.patch
+	"${FILESDIR}"/${P}-CVE-2017-11358.patch
+	"${FILESDIR}"/${P}-CVE-2017-11359.patch
+	"${FILESDIR}"/${P}-CVE-2017-15370.patch
+	"${FILESDIR}"/${P}-CVE-2017-15371.patch
+	"${FILESDIR}"/${P}-CVE-2017-15372.patch
+	"${FILESDIR}"/${P}-CVE-2017-15642.patch
+	"${FILESDIR}"/${P}-CVE-2017-18189.patch
+	"${FILESDIR}"/${P}-wavpack-chk-errors-on-init.patch
+)
+
+src_prepare() {
+	default
+	sed -i -e 's:CFLAGS="-g":CFLAGS="$CFLAGS -g":' configure.ac || die #386027
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		$(use_with alsa) \
+		$(use_with amr amrnb) \
+		$(use_with amr amrwb) \
+		$(use_with ao) \
+		$(use_enable debug) \
+		$(use_with encode lame) \
+		$(use_with flac) \
+		$(use_with id3tag) \
+		$(use_with ladspa) \
+		$(use_with mad) \
+		$(use_enable openmp) \
+		$(use_with ogg oggvorbis) \
+		$(use_with oss) \
+		$(use_with opus) \
+		$(use_with png) \
+		$(use_with pulseaudio) \
+		$(use_with sndfile) \
+		$(use_enable static-libs static) \
+		$(use_with twolame) \
+		$(use_with wavpack) \
+		--with-distro="Gentoo"
+}
+
+src_install() {
+	default
+	# libltdl is used for loading plugins, keeping libtool files with empty
+	# dependency_libs what otherwise would be -exec rm -f {} +
+	find "${ED}" -name '*.la' -exec sed -i -e "/^dependency_libs/s:=.*:='':" {} +
+}
-- 
cgit v1.2.3