pkgsrc-Changes archive


CVS commit: [pkgsrc-2024Q2] pkgsrc/audio/opusfile



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Aug  9 19:03:45 UTC 2024

Modified Files:
        pkgsrc/audio/opusfile [pkgsrc-2024Q2]: Makefile distinfo
Added Files:
        pkgsrc/audio/opusfile/patches [pkgsrc-2024Q2]: patch-CVE-2022-47021

Log Message:
Pullup ticket #6888 - requested by nia
audio/opusfile: security fix

Revisions pulled up:
- audio/opusfile/Makefile                                       1.13
- audio/opusfile/distinfo                                       1.14
- audio/opusfile/patches/patch-CVE-2022-47021                   1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Wed Aug  7 22:34:40 UTC 2024

   Modified Files:
        pkgsrc/audio/opusfile: Makefile distinfo

   Log Message:
   opusfile: Apply patch for CVE-2022-47021

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Thu Aug  8 07:20:54 UTC 2024

   Added Files:
        pkgsrc/audio/opusfile/patches: patch-CVE-2022-47021

   Log Message:
   opusfile: missing file from previous


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.6.1 pkgsrc/audio/opusfile/Makefile
cvs rdiff -u -r1.13 -r1.13.22.1 pkgsrc/audio/opusfile/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/audio/opusfile/patches/patch-CVE-2022-47021

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/audio/opusfile/Makefile
diff -u pkgsrc/audio/opusfile/Makefile:1.12 pkgsrc/audio/opusfile/Makefile:1.12.6.1
--- pkgsrc/audio/opusfile/Makefile:1.12 Tue Oct 24 22:08:14 2023
+++ pkgsrc/audio/opusfile/Makefile      Fri Aug  9 19:03:45 2024
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.12 2023/10/24 22:08:14 wiz Exp $
+# $NetBSD: Makefile,v 1.12.6.1 2024/08/09 19:03:45 bsiegert Exp $
 
 DISTNAME=      opusfile-0.12
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    audio
 MASTER_SITES=  https://downloads.xiph.org/releases/opus/
 

Index: pkgsrc/audio/opusfile/distinfo
diff -u pkgsrc/audio/opusfile/distinfo:1.13 pkgsrc/audio/opusfile/distinfo:1.13.22.1
--- pkgsrc/audio/opusfile/distinfo:1.13 Tue Oct 26 09:59:19 2021
+++ pkgsrc/audio/opusfile/distinfo      Fri Aug  9 19:03:45 2024
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.13 2021/10/26 09:59:19 nia Exp $
+$NetBSD: distinfo,v 1.13.22.1 2024/08/09 19:03:45 bsiegert Exp $
 
 BLAKE2s (opusfile-0.12.tar.gz) = ee75b1526981e01175afb4cf18391c6be40cc7ebb6e4ff006f240922f09b5fa7
 SHA512 (opusfile-0.12.tar.gz) = e25e6968a3183ac0628ce1000840fd6f9f636e92ba984d6a72b76fb2a98ec632d2de4c66a8e4c05ef30655c2a4a13ab35f89606fa7d79a54cfa8506543ca57af
 Size (opusfile-0.12.tar.gz) = 471354 bytes
+SHA1 (patch-CVE-2022-47021) = e4c4c15d0987adddad2f18cd62c85acaddd448c1

Added files:

Index: pkgsrc/audio/opusfile/patches/patch-CVE-2022-47021
diff -u /dev/null pkgsrc/audio/opusfile/patches/patch-CVE-2022-47021:1.1.2.2
--- /dev/null   Fri Aug  9 19:03:45 2024
+++ pkgsrc/audio/opusfile/patches/patch-CVE-2022-47021  Fri Aug  9 19:03:45 2024
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2022-47021,v 1.1.2.2 2024/08/09 19:03:45 bsiegert Exp $
+
+From: Ralph Giles <giles%thaumas.net@localhost>
+Date: Tue, 6 Sep 2022 19:04:31 -0700
+Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer.
+
+Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
+a null pointer. This allows more graceful recovery by the caller
+in the unlikely event of a fallible ogg_malloc call.
+
+We do check the return value elsewhere in the code, so the new
+checks make the code more consistent.
+
+Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
+
+--- src/opusfile.c.orig        2020-06-27 00:44:15.000000000 +0000
++++ src/opusfile.c
+@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,
+   int            nbytes;
+   OP_ASSERT(_nbytes>0);
+   buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes);
++  if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
+   nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes);
+   OP_ASSERT(nbytes<=_nbytes);
+   if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes);
+@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of,
+   if(_initial_bytes>0){
+     char *buffer;
+     buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
++    if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
+     memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
+     ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
+   }
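Review bot: The two added NULL checks return OP_EFAULT directly, and neither hunk shows the callers, so whether an allocation failure is actually reported as such cannot be confirmed from this patch. In op_get_data the context line `if(OP_LIKELY(nbytes>0))` suggests non-positive results were already possible, so callers probably handle them, but they may fold every negative value into a generic read error and hide the allocation failure. In op_open1 the early return comes after `_of->oy` has been passed to ogg_sync_buffer, so the caller presumably has to release that sync state on this path. Both function bodies continue outside the hunks; a comment at each check would record the contract, for example `/*Allocation failure: callers must treat <0 as an error and clear _of.*/`.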


