!15 Fix cves

From: @yaqiangchen 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2017-18189.patch

@@ -0,0 +1,27 @@
+A corrupt header specifying zero channels would send read_channels()
+into an infinite loop.  Prevent this by sanity checking the channel
+count in open_read().  Also add an upper bound to prevent overflow
+in multiplication.
+---
+ src/xa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+ 
+diff --git a/src/xa.c b/src/xa.c
+index 81a767720d93..9fc086eca2b2 100644
+--- a/src/xa.c
++++ b/src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+         lsx_report("User options overriding rate read in .xa header");
+     }
+ 
++    if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     /* Check for supported formats */
+     if (ft->encoding.bits_per_sample != 16) {
+         lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
+-- 
+2.17.0

CVE-2021-23159.patch

@@ -0,0 +1,23 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Subject: hcom: validate dictsize
+Bug: https://sourceforge.net/p/sox/bugs/350/
+Bug: https://sourceforge.net/p/sox/bugs/352/
+Bug-Debian: https://bugs.debian.org/1021133
+Bug-Debian: https://bugs.debian.org/1021134
+
+This patch fixes both CVE-2021-23159 and CVE-2021-23172.
+
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -134,6 +134,11 @@
+                 return (SOX_EOF);
+         }
+         lsx_readw(ft, &dictsize);
++        if (dictsize == 0 || dictsize > 511)
++        {
++                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++                return SOX_EOF;
++        }
+ 
+         /* Translate to sox parameters */
+         ft->encoding.encoding = SOX_ENCODING_HCOM;

CVE-2021-33844.patch

@@ -0,0 +1,28 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Subject: wav: reject 0 bits per sample to avoid division by zero
+Bug: https://sourceforge.net/p/sox/bugs/349/
+Bug-Debian: https://bugs.debian.org/1021135
+
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -506,7 +506,7 @@
+     unsigned short wChannels;       /* number of channels */
+     uint32_t      dwSamplesPerSecond; /* samples per second per channel */
+     uint32_t      dwAvgBytesPerSec;/* estimate of bytes per second needed */
+-    uint16_t wBitsPerSample;  /* bits per sample */
++    uint16_t wBitsPerSample = 0;  /* bits per sample */
+     uint32_t wFmtSize;
+     uint16_t wExtSize = 0;    /* extended field for non-PCM */
+ 
+@@ -587,6 +587,11 @@
+     lsx_readdw(ft, &dwAvgBytesPerSec);   /* Average bytes/second */
+     lsx_readw(ft, &(wav->blockAlign));   /* Block align */
+     lsx_readw(ft, &wBitsPerSample);      /* bits per sample per channel */
++    if (wBitsPerSample == 0)
++    {
++        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++        return SOX_EOF;
++    }
+     len -= 16;
+ 
+     if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE)

CVE-2021-3643.patch

@@ -0,0 +1,27 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: voc: word width should never be 0 to avoid division by zero
+
+Bug: https://sourceforge.net/p/sox/bugs/351/
+Bug-Debian: https://bugs.debian.org/1010374
+
+This patch fixes both CVE-2021-3643 and CVE-2021-23210.
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index f026178..f44933d 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -614,6 +614,10 @@ static int getblock(sox_format_t * ft)
+         v->rate = new_rate_32;
+         ft->signal.rate = new_rate_32;
+         lsx_readb(ft, &uc);
++        if (uc <= 1) {
++          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++          return (SOX_EOF);
++        }
+         v->size = uc;
+         lsx_readb(ft, &(v->channels));
+         lsx_readw(ft, &(v->format));    /* ANN: added format */

CVE-2021-40426.patch

@@ -0,0 +1,35 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: sphere: avoid integer underflow
+
+Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
+Bug: https://sourceforge.net/p/sox/bugs/362/
+Bug-Debian: https://bugs.debian.org/1012138
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c6..9544d16 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+     return (SOX_EOF);
+   }
+ 
+-  header_size -= (strlen(buf) + 1);
++  bytes_read = strlen(buf);
++  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ 
+   while (strncmp(buf, "end_head", (size_t)8) != 0) {
+     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+       return (SOX_EOF);
+     }
+ 
+-    header_size -= (strlen(buf) + 1);
++    bytes_read = strlen(buf);
++    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+   }
+ 
+   if (!bytes_per_sample)

CVE-2022-31650.patch

@@ -0,0 +1,56 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: formats+aiff: reject implausibly large number of channels
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+---
+ src/aiff.c      |  5 +++++
+ src/formats_i.c | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index 11ddb54..1476778 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -609,6 +609,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+            At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+            Sorry, the AIFF format does not provide for an indefinite
+            number of samples. */
++        if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++        {
++                lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++                return SOX_EOF;
++        }
+         return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+ 
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 5e264f8..602e044 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -19,6 +19,7 @@
+  */
+ 
+ #include "sox_i.h"
++#include <limits.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <stdarg.h>
+@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+   if (ft->seekable)
+     ft->data_start = lsx_tell(ft);
+ 
+-  if (channels && ft->signal.channels && ft->signal.channels != channels)
++  if (channels && ft->signal.channels && ft->signal.channels != channels) {
+     lsx_warn("`%s': overriding number of channels", ft->filename);
+-  else ft->signal.channels = channels;
++  } else if (channels > SHRT_MAX) {
++    lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++    return SOX_EOF;
++  } else {
++    ft->signal.channels = channels;
++  }
+ 
+   if (rate && ft->signal.rate && ft->signal.rate != rate)
+     lsx_warn("`%s': overriding sample rate", ft->filename);

CVE-2022-31651.patch

@@ -0,0 +1,32 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: formats: reject implausible rate
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 602e044..63f8797 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+     ft->signal.channels = channels;
+   }
+ 
+-  if (rate && ft->signal.rate && ft->signal.rate != rate)
++  if (rate && ft->signal.rate && ft->signal.rate != rate) {
+     lsx_warn("`%s': overriding sample rate", ft->filename);
+-  else ft->signal.rate = rate;
++  /* Since NaN comparisons yield false, the negation rejects them. */
++  } else if (!(rate > 0)) {
++    lsx_fail_errno(ft, EINVAL, "invalid rate value");
++    return SOX_EOF;
++  } else {
++    ft->signal.rate = rate;
++  }
+ 
+   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+     lsx_warn("`%s': overriding encoding type", ft->filename);

CVE-2023-32627.patch

@@ -0,0 +1,31 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sun, 13 Aug 2023 14:14:09 +0000
+Subject: CVE-2023-32627 Filter null sampling rate in VOC coder
+
+Avoid a divide by zero and out of bound read by rejecting null sampling rate in VOC file
+
+bug: https://sourceforge.net/p/sox/bugs/369/
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
+bug-debian: https://bugs.debian.org/1041112
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
+---
+ src/voc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index f44933d..cad32fa 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -351,6 +351,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
+             v->block_remaining = 0;
+             return done;
+           }
++          if(uc == 0) {
++            lsx_fail_errno(ft, EINVAL, "invalid rate value");
++            v->block_remaining = 0;
++            return done;
++          }
+           *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
+           lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
+           ++buf;
+

sox.spec

@@ -1,6 +1,6 @@
 Name: sox
 Version: 14.4.2.0
-Release: 28
+Release: 29
 Summary: A general purpose sound file conversion tool
 License: GPLv2+ and LGPLv2+ and MIT
 URL: http://sox.sourceforge.net/
@@ -17,13 +17,29 @@ Patch1003: sox-14.4.2-bug_1510923_fix.patch
 Patch1004: sox-14.4.2-hcom_stopwrite_big_endian_bug_fix.patch
 Patch1005: sox-14.4.2-bug_1226675_fix.patch
 Patch1006: sox-14.4.2-bug_1480678_fix.patch
+# - upstream patch: https://sourceforge.net/p/sox/mailman/sox-devel/thread/20180426131552.29249-9-mans@mansr.com/#msg36303839
+Patch1007: CVE-2017-18189.patch
+# https://sources.debian.org/src/sox/14.4.2%252Bgit20190427-4/debian/patches/
+Patch1008: CVE-2021-33844.patch
+Patch1009: CVE-2023-32627.patch
+# CVE-2021-23159 is the same as CVE-2023-34432,CVE-2023-34318,CVE-2021-23172
+Patch1010: CVE-2021-23159.patch
+# CVE-2021-3643 is the same as CVE-2021-23210
+Patch1011: CVE-2021-3643.patch
+# CVE-2022-31650 is the same as CVE-2023-26590
+Patch1012: CVE-2022-31650.patch
+Patch1013: CVE-2022-31651.patch
+Patch1014: CVE-2023-32627.patch
+
+# Tests:
 Patch9000: sox-14.4.2-installcheck_fix.patch
+
 BuildRequires: gcc, libvorbis-devel, alsa-lib-devel, libtool-ltdl-devel
 BuildRequires: gsm-devel, wavpack-devel, ladspa-devel, libpng-devel
 BuildRequires: flac-devel, libao-devel, libsndfile-devel, libid3tag-devel
 BuildRequires: pulseaudio-libs-devel, opusfile-devel
 BuildRequires: libtool, libmad-devel, lame-devel, twolame-devel
-BuildRequires: python3, time, libsamplerate-devel, 
+BuildRequires: python3, time, libsamplerate-devel
 
 %description
 SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility
@@ -50,7 +66,7 @@ cp ${RPM_SOURCE_DIR}/binpatch.py binpatch.py
 %build
 CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
 %configure --without-lpc10 --with-gsm --includedir=%{_includedir}/sox \
-           --disable-static --with-distro=openEuler --with-dyn-default
+           --disable-static --with-distro=%{_vendor} --with-dyn-default
 make V=1 %{?_smp_mflags}
 
 %install
@@ -115,6 +131,12 @@ mv $libsox_so.orig $libsox_so
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 07 2023 yaqiangchen <chenyaqiang@huawei.com> - 14.4.2.0-29
+- Fix CVE-2021-33844,CVE-2023-32627,CVE-2021-23159,CVE-2023-34432
+- CVE-2023-34318,CVE-2021-23172,CVE-2021-3643,CVE-2021-23210
+- CVE-2022-31650,CVE-2023-26590,CVE-2022-31651,CVE-2023-32627
+- CVE-2017-18189
+
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 14.4.2.0-28
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git