sox: patch CVE-2021-33844

Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-03-16 23:53:53 +01:00 · 2025-03-16 23:53:53 +01:00 · 59085af7b2
commit 59085af7b2
parent 777186c4fb
2 changed files with 41 additions and 0 deletions
--- a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch
@ -0,0 +1,40 @@
+From f2597e433afeee8ab00cf6368ec8519df34aa031 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 23:19:43 +0100
+Subject: [PATCH] wav: reject 0 bits per sample to avoid division by zero
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch
+
+CVE: CVE-2021-33844
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/testall.sh | 1 +
+ src/wav.c      | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/testall.sh b/src/testall.sh
+index e7398377..e1454c21 100755
+--- a/src/testall.sh
+++ b/src/testall.sh
+@@ -67,3 +67,4 @@ t voc
+ t vox -r 8130
+ t wav
+ t wve
+t wav -e gsm-full-rate
+diff --git a/src/wav.c b/src/wav.c
+index 3f6beb45..16f0bff8 100644
+--- a/src/wav.c
+++ b/src/wav.c
+@@ -963,6 +963,11 @@ static int startread(sox_format_t *ft)
+ #endif
+     }
+ 
+    if (ft->encoding.bits_per_sample == 0)
+    {
+        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
+        return SOX_EOF;
+    }
+     if (!wav->numSamples)
+         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample)
+             / ft->signal.channels;
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@ -31,6 +31,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
           file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
           file://CVE-2021-3643_CVE-2021-23210.patch \
           file://CVE-2021-23159_CVE-2021-2317.patch \
+           file://CVE-2021-33844.patch \
           "

 # last release was in 2015, use latest hash from 2024-05-30