Почетна Преглед Помоћ
Регистрација Пријавите се
PUBLIC_REPOS
/
buildroot
огледало од git://git.buildroot.net/buildroot
2
1
Креирај огранак 0
Датотеке
Дрво: e675ffd964
Гране Ознаке
buildroot
/
package
/
libsndfile
/
0009-nms_adpcm-fix-int-overflow-in-signal-estimate.patch

0009-nms_adpcm-fix-int-overflow-in-signal-estimate.patch 7.2 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233 
  1. From 71565532463b22c24824101845a533a67bff4c9c Mon Sep 17 00:00:00 2001
    2. 

  2. From: Alex Stewart <alex.stewart@ni.com>
    3. 

  3. Date: Thu, 19 Oct 2023 14:07:19 -0400
    4. 

  4. Subject: [PATCH] nms_adpcm: fix int overflow in signal estimate
    5. 

  5. 

  6. It is possible (though functionally incorrect) for the signal estimate
    7. 

  7. calculation in nms_adpcm_update() to overflow the int value of s_e,
    8. 

  8. resulting in undefined behavior.
    9. 

  9. 

  10. Since adpcm state signal values are never practically larger than
    11. 

  11. 16 bits, use smaller numeric sizes throughout the file to avoid the
    12. 

  12. overflow.
    13. 

  13. 

  14. CVE: CVE-2022-33065
    15. 

  15. Fixes: https://github.com/libsndfile/libsndfile/issues/833
    16. 

  16. 

  17. Authored-by: Arthur Taylor <art@ified.ca>
    18. 

  18. Signed-off-by: Alex Stewart <alex.stewart@ni.com>
    19. 

  19. Upstream: https://github.com/libsndfile/libsndfile/commit/71565532463b22c24824101845a533a67bff4c9c
    20. 

  20. [Peter: adjust for 1.2.2]
    21. 

  21. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    22. 

  22. ---
    23. 

  23.  src/nms_adpcm.c | 81 ++++++++++++++++++++++++-------------------------
    24. 

  24.  1 file changed, 40 insertions(+), 41 deletions(-)
    25. 

  25. 

  26. diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
    27. 

  27. index 5999be1f..dca85f0b 100644
    28. 

  28. --- a/src/nms_adpcm.c
    29. 

  29. +++ b/src/nms_adpcm.c
    30. 

  30. @@ -48,36 +48,36 @@
    31. 

  31.  /* Variable names from ITU G.726 spec */
    32. 

  32.  struct nms_adpcm_state
    33. 

  33.  {	/* Log of the step size multiplier. Operated on by codewords. */
    34. 

  34. -	int yl ;
    35. 

  35. +	short yl ;
    36. 

  36.  
    37. 

  37.  	/* Quantizer step size multiplier. Generated from yl. */
    38. 

  38. -	int y ;
    39. 

  39. +	short y ;
    40. 

  40.  
    41. 

  41.  	/* Coefficents of the pole predictor */
    42. 

  42. -	int a [2] ;
    43. 

  43. +	short a [2] ;
    44. 

  44.  
    45. 

  45.  	/* Coefficents of the zero predictor  */
    46. 

  46. -	int b [6] ;
    47. 

  47. +	short b [6] ;
    48. 

  48.  
    49. 

  49.  	/* Previous quantized deltas (multiplied by 2^14) */
    50. 

  50. -	int d_q [7] ;
    51. 

  51. +	short d_q [7] ;
    52. 

  52.  
    53. 

  53.  	/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
    54. 

  54. -	int p [3] ;
    55. 

  55. +	short p [3] ;
    56. 

  56.  
    57. 

  57.  	/* Previous reconstructed signal values. */
    58. 

  58. -	int s_r [2] ;
    59. 

  59. +	short s_r [2] ;
    60. 

  60.  
    61. 

  61.  	/* Zero predictor components of the signal estimate. */
    62. 

  62. -	int s_ez ;
    63. 

  63. +	short s_ez ;
    64. 

  64.  
    65. 

  65.  	/* Signal estimate, (including s_ez). */
    66. 

  66. -	int s_e ;
    67. 

  67. +	short s_e ;
    68. 

  68.  
    69. 

  69.  	/* The most recent codeword (enc:generated, dec:inputted) */
    70. 

  70. -	int Ik ;
    71. 

  71. +	char Ik ;
    72. 

  72.  
    73. 

  73. -	int parity ;
    74. 

  74. +	char parity ;
    75. 

  75.  
    76. 

  76.  	/*
    77. 

  77.  	** Offset into code tables for the bitrate.
    78. 

  78. @@ -109,7 +109,7 @@ typedef struct
    79. 

  79.  } NMS_ADPCM_PRIVATE ;
    80. 

  80.  
    81. 

  81.  /* Pre-computed exponential interval used in the antilog approximation. */
    82. 

  82. -static unsigned int table_expn [] =
    83. 

  83. +static unsigned short table_expn [] =
    84. 

  84.  {	0x4000, 0x4167, 0x42d5, 0x444c,	0x45cb, 0x4752, 0x48e2, 0x4a7a,
    85. 

  85.  	0x4c1b, 0x4dc7, 0x4f7a, 0x5138,	0x52ff, 0x54d1, 0x56ac, 0x5892,
    86. 

  86.  	0x5a82, 0x5c7e, 0x5e84, 0x6096,	0x62b4, 0x64dd, 0x6712, 0x6954,
    87. 

  87. @@ -117,21 +117,21 @@ static unsigned int table_expn [] =
    88. 

  88.  } ;
    89. 

  89.  
    90. 

  90.  /* Table mapping codewords to scale factor deltas. */
    91. 

  91. -static int table_scale_factor_step [] =
    92. 

  92. +static short table_scale_factor_step [] =
    93. 

  93.  {	0x0,	0x0,	0x0,	0x0,	0x4b0,	0x0,	0x0,	0x0,	/* 2-bit */
    94. 

  94.  	-0x3c,	0x0,	0x90,	0x0,	0x2ee,	0x0,	0x898,	0x0,	/* 3-bit */
    95. 

  95.  	-0x30,	0x12,	0x6b,	0xc8,	0x188,	0x2e0,	0x551,	0x1150,	/* 4-bit */
    96. 

  96.  } ;
    97. 

  97.  
    98. 

  98.  /* Table mapping codewords to quantized delta interval steps. */
    99. 

  99. -static unsigned int table_step [] =
    100. 

  100. +static unsigned short table_step [] =
    101. 

  101.  {	0x73F,	0,		0,		0,		0x1829,	0,		0,		0,		/* 2-bit */
    102. 

  102.  	0x3EB,	0,		0xC18,	0,		0x1581,	0,		0x226E,	0,		/* 3-bit */
    103. 

  103.  	0x20C,	0x635,	0xA83,	0xF12,	0x1418,	0x19E3,	0x211A,	0x2BBA,	/* 4-bit */
    104. 

  104.  } ;
    105. 

  105.  
    106. 

  106.  /* Binary search lookup table for quantizing using table_step. */
    107. 

  107. -static int table_step_search [] =
    108. 

  108. +static short table_step_search [] =
    109. 

  109.  {	0,		0x1F6D,	0,		-0x1F6D,	0,		0,			0,			0, /* 2-bit */
    110. 

  110.  	0x1008,	0x1192,	0,		-0x219A,	0x1656,	-0x1656,	0,			0, /* 3-bit */
    111. 

  111.  	0x872,	0x1277,	-0x8E6,	-0x232B,	0xD06,	-0x17D7,	-0x11D3,	0, /* 4-bit */
    112. 

  112. @@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset)
    113. 

  113.  ** Maps [1,20480] to [1,1024] in an exponential relationship. This is
    114. 

  114.  ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
    115. 

  115.  */
    116. 

  116. -static inline int
    117. 

  117. -nms_adpcm_antilog (int exp)
    118. 

  118. -{	int ret ;
    119. 

  119. +static inline short
    120. 

  120. +nms_adpcm_antilog (short exp)
    121. 

  121. +{	int_fast32_t r ;
    122. 

  122.  
    123. 

  123. -	ret = 0x1000 ;
    124. 

  124. -	ret += (((exp & 0x3f) * 0x166b) >> 12) ;
    125. 

  125. -	ret *= table_expn [(exp & 0x7c0) >> 6] ;
    126. 

  126. -	ret >>= (26 - (exp >> 11)) ;
    127. 

  127. +	r = 0x1000 ;
    128. 

  128. +	r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
    129. 

  129. +	r *= table_expn [(exp & 0x7c0) >> 6] ;
    130. 

  130. +	r >>= (26 - (exp >> 11)) ;
    131. 

  131.  
    132. 

  132. -	return ret ;
    133. 

  133. +	return (short) r ;
    134. 

  134.  } /* nms_adpcm_antilog */
    135. 

  135.  
    136. 

  136.  static void
    137. 

  137.  nms_adpcm_update (struct nms_adpcm_state *s)
    138. 

  138.  {	/* Variable names from ITU G.726 spec */
    139. 

  139. -	int a1ul ;
    140. 

  140. -	int fa1 ;
    141. 

  141. +	short a1ul, fa1 ;
    142. 

  142. +	int_fast32_t se ;
    143. 

  143.  	int i ;
    144. 

  144.  
    145. 

  145.  	/* Decay and Modify the scale factor in the log domain based on the codeword. */
    146. 

  146. @@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
    147. 

  147.  	else if (fa1 > 256)
    148. 

  148.  		fa1 = 256 ;
    149. 

  149.  
    150. 

  150. -	s->a [0] = (0xff * s->a [0]) >> 8 ;
    151. 

  151. +	s->a [0] = (s->a [0] * 0xff) >> 8 ;
    152. 

  152.  	if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
    153. 

  153.  		s->a [0] -= 192 ;
    154. 

  154.  	else
    155. 

  155. @@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
    156. 

  156.  		fa1 = -fa1 ;
    157. 

  157.  		}
    158. 

  158.  
    159. 

  159. -	s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
    160. 

  160. +	s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
    161. 

  161.  	if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
    162. 

  162.  		s->a [1] -= 128 ;
    163. 

  163.  	else
    164. 

  164. @@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s)
    165. 

  165.  			s->a [0] = a1ul ;
    166. 

  166.  		} ;
    167. 

  167.  
    168. 

  168. -	/* Compute the zero predictor estimate. Rotate past deltas too. */
    169. 

  169. -	s->s_ez = 0 ;
    170. 

  170. +	/* Compute the zero predictor estimate and rotate past deltas. */
    171. 

  171. +	se = 0 ;
    172. 

  172.  	for (i = 5 ; i >= 0 ; i--)
    173. 

  173. -	{	s->s_ez += s->d_q [i] * s->b [i] ;
    174. 

  174. +	{	se += (int_fast32_t) s->d_q [i] * s->b [i] ;
    175. 

  175.  		s->d_q [i + 1] = s->d_q [i] ;
    176. 

  176.  		} ;
    177. 

  177. +	s->s_ez = se >> 14 ;
    178. 

  178.  
    179. 

  179. -	/* Compute the signal estimate. */
    180. 

  180. -	s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
    181. 

  181. -
    182. 

  182. -	/* Return to scale */
    183. 

  183. -	s->s_ez >>= 14 ;
    184. 

  184. -	s->s_e >>= 14 ;
    185. 

  185. +	/* Complete the signal estimate. */
    186. 

  186. +	se += (int_fast32_t) s->a [0] * s->s_r [0] ;
    187. 

  187. +	se += (int_fast32_t) s->a [1] * s->s_r [1] ;
    188. 

  188. +	s->s_e = se >> 14 ;
    189. 

  189.  
    190. 

  190.  	/* Rotate members to prepare for next iteration. */
    191. 

  191.  	s->s_r [1] = s->s_r [0] ;
    192. 

  192. @@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
    193. 

  193.  static int16_t
    194. 

  194.  nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
    195. 

  195.  {	/* Variable names from ITU G.726 spec */
    196. 

  196. -	int dqx ;
    197. 

  197. +	int_fast32_t dqx ;
    198. 

  198.  
    199. 

  199.  	/*
    200. 

  200.  	** The ordering of the 12-bit right-shift is a precision loss. It agrees
    201. 

  201. @@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type)
    202. 

  202.  /*
    203. 

  203.  ** nms_adpcm_encode_sample()
    204. 

  204.  **
    205. 

  205. -** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
    206. 

  206. +** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
    207. 

  207.  ** using and updating the predictor state.
    208. 

  208.  */
    209. 

  209.  static uint8_t
    210. 

  210.  nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
    211. 

  211.  {	/* Variable names from ITU G.726 spec */
    212. 

  212. -	int d ;
    213. 

  213. +	int_fast32_t d ;
    214. 

  214.  	uint8_t I ;
    215. 

  215.  
    216. 

  216.  	/* Down scale the sample from 16 => ~14 bits. */
    217. 

  217. -	sl = (sl * 0x1fdf) / 0x7fff ;
    218. 

  218. +	sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
    219. 

  219.  
    220. 

  220.  	/* Compute estimate, and delta from actual value */
    221. 

  221.  	nms_adpcm_update (s) ;
    222. 

  222. @@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
    223. 

  223.  */
    224. 

  224.  static int16_t
    225. 

  225.  nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
    226. 

  226. -{	int sl ;
    227. 

  227. +{	int_fast32_t sl ;
    228. 

  228.  
    229. 

  229.  	nms_adpcm_update (s) ;
    230. 

  230.  	sl = nms_adpcm_reconstruct_sample (s, I) ;
    231. 

  231. -- 
    232. 

  232. 2.39.5
    233. 

  233.