pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/audio/libsndfile libsndfile: Update to 1.1.0 to get th...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/8c54c1bf1ed1
branches:  trunk
changeset: 375824:8c54c1bf1ed1
user:      nia <nia%pkgsrc.org@localhost>
date:      Sun Mar 27 17:20:39 2022 +0000

description:
libsndfile: Update to 1.1.0 to get the latest security fixes.

## [1.1.0] - 2022-03-27

### Added

* MPEG Encode/Decode Support.

  Uses libmpg123 for decode, liblame for encode. Encoding and decoding support
  is independent of each other and is split into separate files. MPEG support
  is generalized as subformats, `SF_FORMAT_MPEG_LAYER`(I,II,III) so that it
  might be used by other containers (`MPEG1WAVEFORMAT` for example), but also
  contains a major format `SF_FORMAT_MPEG` for 'mp3 files.'

  Encoding Status:
  * Layer III encoding
  * ID3v1 writing
  * ID3v2 writing
  * Lame/Xing Tag writing
  * Bitrate selection command
  * VBR or CBR

  Decoding Status:
  * Layers I/II/III decoding
  * ID3v1 reading
  * ID3v2 reading
  * Seeking
* New fuzzer for OSS-Fuzz, thanks @DavidKorczynski.
* This `CHANGELOG.md`. All notable changes to this project will be documented in
  this file. The old `NEWS` file has been renamed to `NEWS.OLD` and is no longer
  updated.
* Add support for decoding MPEG III Audio in WAV files.
* `SECURITY.md` file to give people instructions for reporting security
  vulnerabilities, thanks @zidingz.
* Support for [Vcpkg manifest mode](https://vcpkg.readthedocs.io/en/latest/users/manifests/).

  If you have problems with manifest mode, disable it with `VCPKG_MANIFEST_MODE`
  switch.
* [Export CMake targets from the build tree](https://cmake.org/cmake/help/latest/guide/importing-exporting/index.html#exporting-targets-from-the-build-tree)
* CIFuzz fuzzer, thanks to @AdamKorcz

### Changed

* `SFC_SET_DITHER_ON_READ` and `SFC_SET_DITHER_ON_WRITE` enums comments in
  public header, thanks @SmiVan.
* `ENABLE_SNDFILE_WINDOWS_PROTOTYPES` define is deprecated and not needed
  anymore.

  Previously, in order for the [`sf_wchar_open`()](http://libsndfile.github.io/libsndfile/api.html#open)
  function to become available on   the Windows platform, it was required to
  perform certain actions:

  ```c
  #include <windows.h>
  #define ENABLE_SNDFILE_WINDOWS_PROTOTYPES 1
  #including <sndfile.h>
  ```

  These steps are no longer required and the `sf_wchar_open`() function is
  always available on the Windows platform.
* Use UTF-8 as internal path encoding on Windows platform.

  This is an internal change to unify and simplify the handling of file paths.

  On the Windows platform, the file path is always converted to UTF-8 and
  converted to UTF-16 only for calls to WinAPI functions.

  The behavior of the functions for opening files on other platforms does not
  change.
* Switch to .xz over .bz2 for release tarballs.
* Disable static builds using Autotools by default. If you want static
  libraries, pass --enable-static to ./configure

### Fixed

* Typo in `docs/index.md`.
* Typo in `programs/sndfile-convert.c`, thanks @fjl.
* Memory leak in `caf_read_header`(), credit to OSS-Fuzz ([issue 30375](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30375)).
* Stack overflow in `guess_file_type`(), thanks @bobsayshilol, credit to
  OSS-Fuzz ([issue 29339](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29339)).
* Abort in fuzzer, thanks @bobsayshilol, credit to OSS-Fuzz
  ([issue 26257](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26257)).
* Infinite loop in `svx_read_header`(), thanks @bobsayshilol, credit to OSS-Fuzz
  ([issue 25442](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25442)).
* GCC and Clang pedantic warnings, thanks @bobsayshilol.
* Normalisation issue when scaling floating point data to `int` in
  `replace_read_f2i`(), thanks @bobsayshilol.
* Missing samples when doing a partial read of Ogg file from index till the end
  of file, thanks @arthurt.
* sndfile-salvage: Handle files > 4 GB on Windows OS
* Undefined shift in `dyn_get_32bit`(), credit to OSS-Fuzz
  ([issue 27366](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27366)).
* Integer overflow in `nms_adpcm_update`(), credit to OSS-Fuzz
  ([issue 25522](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25522)).
* Integer overflow in `psf_log_printf`(), credit to OSS-Fuzz
  ([issue 28441](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28441)),
  ([issue 25624](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25624)).
* ABI version incompatibility between Autotools and CMake build on Apple
  platforms.

  Now ABI must be compatible with Autotools builds. Note that this change
  requires CMake >= 3.17 for building dylib on Apple platforms.

* Fix build with Autotools + MinGW toolchain on Windows platform.

  See https://github.com/msys2/MINGW-packages/issues/5803 for details.

### Security

* Heap buffer overflow in `wavlike_ima_decode_block`(), thanks @bobsayshilol,
  credit to OSS-Fuzz ([issue 25530](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25530)).
* Heap buffer overflow in `msadpcm_decode_block`(), thanks @bobsayshilol,
  credit to OSS-Fuzz ([issue 26803](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803)).
* Heap buffer overflow in `psf_binheader_readf`(), thanks @bobsayshilol,
  credit to OSS-Fuzz ([issue 26026](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026)).
* Index out of bounds in `psf_nms_adpcm_decode_block`(), credit to OSS-Fuzz
  ([issue 25561](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25561)).
* Heap buffer overflow in `flac_buffer_copy`(), thanks @yuawn,  @bobsayshilol.
* Heap buffer overflow in `copyPredictorTo24`(), thanks @bobsayshilol,
  credit to OSS-Fuzz ([issue 27503](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27503)).
* Uninitialized variable in `psf_binheader_readf`(), thanks @shao-hua-li,
  credit to OSS-Fuzz ([issue 25364](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25364)).

diffstat:

 audio/libsndfile/Makefile                              |   9 ++-
 audio/libsndfile/buildlink3.mk                         |   6 +-
 audio/libsndfile/distinfo                              |  11 +--
 audio/libsndfile/patches/patch-CVE-2021-3246           |  31 ------------
 audio/libsndfile/patches/patch-programs_sndfile-play.c |  43 ------------------
 audio/libsndfile/patches/patch-src_wavlike.c           |  26 ----------
 6 files changed, 13 insertions(+), 113 deletions(-)

diffs (180 lines):

diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/Makefile
--- a/audio/libsndfile/Makefile Sun Mar 27 17:03:28 2022 +0000
+++ b/audio/libsndfile/Makefile Sun Mar 27 17:20:39 2022 +0000
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.88 2021/09/09 12:14:42 nia Exp $
+# $NetBSD: Makefile,v 1.89 2022/03/27 17:20:39 nia Exp $
 
-DISTNAME=      libsndfile-1.0.31
-PKGREVISION=   2
+DISTNAME=      libsndfile-1.1.0
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libsndfile/}
 GITHUB_PROJECT=        libsndfile
 GITHUB_RELEASE=        ${PKGVERSION_NOREV}
-EXTRACT_SUFX=  .tar.bz2
+EXTRACT_SUFX=  .tar.xz
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      https://libsndfile.github.io/libsndfile/
@@ -33,8 +32,10 @@
 .endif
 
 .include "../../audio/flac/buildlink3.mk"
+.include "../../audio/lame/buildlink3.mk"
 .include "../../audio/libopus/buildlink3.mk"
 .include "../../audio/libvorbis/buildlink3.mk"
+.include "../../audio/mpg123/buildlink3.mk"
 .include "../../lang/python/tool.mk"
 BUILDLINK_API_DEPENDS.libogg+= libogg>=1.1.3
 .include "../../multimedia/libogg/buildlink3.mk"
diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/buildlink3.mk
--- a/audio/libsndfile/buildlink3.mk    Sun Mar 27 17:03:28 2022 +0000
+++ b/audio/libsndfile/buildlink3.mk    Sun Mar 27 17:20:39 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.15 2020/08/18 17:56:38 leot Exp $
+# $NetBSD: buildlink3.mk,v 1.16 2022/03/27 17:20:39 nia Exp $
 
 BUILDLINK_TREE+=       libsndfile
 
@@ -9,9 +9,11 @@
 BUILDLINK_ABI_DEPENDS.libsndfile+=     libsndfile>=1.0.29nb1
 BUILDLINK_PKGSRCDIR.libsndfile?=       ../../audio/libsndfile
 
+.include "../../audio/flac/buildlink3.mk"
+.include "../../audio/lame/buildlink3.mk"
 .include "../../audio/libopus/buildlink3.mk"
 .include "../../audio/libvorbis/buildlink3.mk"
-.include "../../audio/flac/buildlink3.mk"
+.include "../../audio/mpg123/buildlink3.mk"
 .include "../../multimedia/libogg/buildlink3.mk"
 .endif # LIBSNDFILE_BUILDLINK3_MK
 
diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/distinfo
--- a/audio/libsndfile/distinfo Sun Mar 27 17:03:28 2022 +0000
+++ b/audio/libsndfile/distinfo Sun Mar 27 17:20:39 2022 +0000
@@ -1,8 +1,5 @@
-$NetBSD: distinfo,v 1.53 2021/10/26 09:59:09 nia Exp $
+$NetBSD: distinfo,v 1.54 2022/03/27 17:20:39 nia Exp $
 
-BLAKE2s (libsndfile-1.0.31.tar.bz2) = a78c338bb8976c88487a4ca6cdb39f8b2bcafa2b862fece412acf768b116e188
-SHA512 (libsndfile-1.0.31.tar.bz2) = 62202092e5cac6346fd3c0a977380e9bf888fc59d08c9c9707dc254a8ef6ed6356da2ab0430bb970c7b06ba5bb1dafa5d7b0fe13898834c1fe4acb16f409f0e1
-Size (libsndfile-1.0.31.tar.bz2) = 875335 bytes
-SHA1 (patch-CVE-2021-3246) = 08620e24b8a41afd7c164781bf6088028ffc97ed
-SHA1 (patch-programs_sndfile-play.c) = 974cf854b9ae4e8be631583edb3da5e41791d9a7
-SHA1 (patch-src_wavlike.c) = b2524c62d8dad9959ff7a50c412b0e85bf433f47
+BLAKE2s (libsndfile-1.1.0.tar.xz) = 440799cbc364679b39da2a9beaef7a0853f61f120be862830ade3062e9653300
+SHA512 (libsndfile-1.1.0.tar.xz) = d01696a8a88a4444e5eb91a137cf7b26b55b12c1fe3b648653f7e78674bbdf61870066216c9ff2f6a1e63bdf7b558af9a759480cf6523b607d29347b12762006
+Size (libsndfile-1.1.0.tar.xz) = 730604 bytes
diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/patches/patch-CVE-2021-3246
--- a/audio/libsndfile/patches/patch-CVE-2021-3246      Sun Mar 27 17:03:28 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,31 +0,0 @@
-$NetBSD: patch-CVE-2021-3246,v 1.1 2021/09/09 12:03:10 nia Exp $
-
-[PATCH] ms_adpcm: Fix and extend size checks
-
-'blockalign' is the size of a block, and each block contains 7 samples
-per channel as part of the preamble, so check against 'samplesperblock'
-rather than 'blockalign'. Also add an additional check that the block
-is big enough to hold the samples it claims to hold.
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
-https://github.com/libsndfile/libsndfile/pull/713
-
---- src/ms_adpcm.c.orig        2021-01-23 16:12:45.000000000 +0000
-+++ src/ms_adpcm.c
-@@ -128,8 +128,14 @@ wavlike_msadpcm_init      (SF_PRIVATE *psf, i
-       if (psf->file.mode == SFM_WRITE)
-               samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
- 
--      if (blockalign < 7 * psf->sf.channels)
--      {       psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
-+      /* There's 7 samples per channel in the preamble of each block */
-+      if (samplesperblock < 7 * psf->sf.channels)
-+      {       psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
-+              return SFE_INTERNAL ;
-+              } ;
-+
-+      if (2 * blockalign < samplesperblock * psf->sf.channels)
-+      {       psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
-               return SFE_INTERNAL ;
-               } ;
- 
diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/patches/patch-programs_sndfile-play.c
--- a/audio/libsndfile/patches/patch-programs_sndfile-play.c    Sun Mar 27 17:03:28 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-$NetBSD: patch-programs_sndfile-play.c,v 1.3 2021/09/09 12:14:42 nia Exp $
-
-Add support for NetBSD sun-like audio devices.
-Do not change mixing parameters in the sun code.
-
---- programs/sndfile-play.c.orig       2020-10-04 10:00:49.000000000 +0000
-+++ programs/sndfile-play.c
-@@ -64,7 +64,7 @@
- #elif HAVE_SNDIO_H
-       #include <sndio.h>
- 
--#elif (defined (sun) && defined (unix))
-+#elif (defined (sun) && defined (unix)) || defined(__NetBSD__)
-       #include <fcntl.h>
-       #include <sys/ioctl.h>
-       #include <sys/audioio.h>
-@@ -727,7 +727,7 @@ sndio_play (int argc, char *argv [])
- **    Solaris.
- */
- 
--#if (defined (sun) && defined (unix)) /* ie Solaris */
-+#if (defined (sun) && defined (unix)) || defined(__NetBSD__) /* ie Solaris */
- 
- static void
- solaris_play (int argc, char *argv [])
-@@ -764,8 +764,6 @@ solaris_play (int argc, char *argv [])
-               audio_info.play.channels = sfinfo.channels ;
-               audio_info.play.precision = 16 ;
-               audio_info.play.encoding = AUDIO_ENCODING_LINEAR ;
--              audio_info.play.gain = AUDIO_MAX_GAIN ;
--              audio_info.play.balance = AUDIO_MID_BALANCE ;
- 
-               if ((error = ioctl (audio_fd, AUDIO_SETINFO, &audio_info)))
-               {       perror ("ioctl (AUDIO_SETINFO) failed") ;
-@@ -845,7 +843,7 @@ main (int argc, char *argv [])
-       opensoundsys_play (argc, argv) ;
- #elif HAVE_SNDIO_H
-       sndio_play (argc, argv) ;
--#elif (defined (sun) && defined (unix))
-+#elif (defined (sun) && defined (unix)) || defined(__NetBSD__)
-       solaris_play (argc, argv) ;
- #elif (OS_IS_WIN32 == 1)
-       win32_play (argc, argv) ;
diff -r 84d20d02ffc9 -r 8c54c1bf1ed1 audio/libsndfile/patches/patch-src_wavlike.c
--- a/audio/libsndfile/patches/patch-src_wavlike.c      Sun Mar 27 17:03:28 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-$NetBSD: patch-src_wavlike.c,v 1.1 2021/09/09 12:03:10 nia Exp $
-
-[PATCH] wavlike: Fix incorrect size check
-
-The SF_CART_INFO_16K struct has an additional 4 byte field to hold
-the size of 'tag_text' which the file header doesn't, so don't
-include it as part of the check when looking for the max length.
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
-https://github.com/libsndfile/libsndfile/pull/713
-
---- src/wavlike.c.orig 2021-01-23 16:12:45.000000000 +0000
-+++ src/wavlike.c
-@@ -830,7 +830,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
-               return 0 ;
-               } ;
- 
--      if (chunksize >= sizeof (SF_CART_INFO_16K))
-+      /*
-+      **      SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
-+      **      of the chunk, so don't include it in the size check.
-+      */
-+      if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
-       {       psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
-               psf_binheader_readf (psf, "j", chunksize) ;
-               return 0 ;



Home | Main Index | Thread Index | Old Index