From 7d597d848e24cd0162354dd1394f373731915c12 Mon Sep 17 00:00:00 2001
From: Dominyk Tiller
Date: Sat, 15 Apr 2017 19:58:18 +0100
Subject: [PATCH] audiofile: apply CVE patches

Closes #12478.

Signed-off-by: ilovezfs
---
 Formula/audiofile.rb | 64 ++++++++++++++++++++++++++++++--------------
 1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/Formula/audiofile.rb b/Formula/audiofile.rb
index 174c9304bf..41ccc40811 100644
--- a/Formula/audiofile.rb
+++ b/Formula/audiofile.rb
@@ -1,8 +1,21 @@
 class Audiofile < Formula
 desc "Reads and writes many common audio file formats"
 homepage "https://audiofile.68k.org/"
- url "https://audiofile.68k.org/audiofile-0.3.6.tar.gz"
- sha256 "cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965"
+ revision 1
+
+ stable do
+ url "https://audiofile.68k.org/audiofile-0.3.6.tar.gz"
+ sha256 "cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965"
+
+ # Fixes CVE-2015-7747. Fixed upstream but doesn't apply cleanly.
+ # https://github.com/mpruett/audiofile/commit/b62c902dd258125cac86cd2df21fc898035a43d3
+ patch do
+ url "https://mirrors.ocf.berkeley.edu/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+ mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+ sha256 "0620675a52bdb40b775980cc1820e308df329348bb847f9a4a8361b3799fa241"
+ apply "patches/03_CVE-2015-7747.patch"
+ end
+ end

 bottle do
 cellar :any
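Review bot: The patch `url` and `mirror` in the new `stable do` block both point at Debian pool paths for `audiofile_0.3.6-4.debian.tar.xz`, and pool directories generally keep only the revisions that current suites reference, so both are likely to disappear once Debian uploads a newer revision. The pinned `sha256` means a missing or altered tarball fails the build rather than installing unpatched code, but the CVE-2015-7747 fix then cannot be built from source; an archival location such as snapshot.debian.org for this exact file would be a more durable `url`. The same url/mirror/sha256 triple is repeated in the top-level `patch do` block added further down, so a comment such as `# Keep in sync with the top-level patch block below.` would help the two get bumped together.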
@@ -28,6 +41,33 @@ class Audiofile < Formula

 depends_on "lcov" => :optional

+ # These have all been reported upstream but beside
+ # 03_CVE-2015-7747 not yet merged or fixed.
+ # https://github.com/mpruett/audiofile/issues/31
+ # https://github.com/mpruett/audiofile/issues/32
+ # https://github.com/mpruett/audiofile/issues/33
+ # https://github.com/mpruett/audiofile/issues/34
+ # https://github.com/mpruett/audiofile/issues/35
+ # https://github.com/mpruett/audiofile/issues/36
+ # https://github.com/mpruett/audiofile/issues/37
+ # https://github.com/mpruett/audiofile/issues/38
+ # https://github.com/mpruett/audiofile/issues/39
+ # https://github.com/mpruett/audiofile/issues/40
+ # https://github.com/mpruett/audiofile/issues/41
+ # https://github.com/mpruett/audiofile/pull/42
+ patch do
+ url "https://mirrors.ocf.berkeley.edu/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+ mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+ sha256 "0620675a52bdb40b775980cc1820e308df329348bb847f9a4a8361b3799fa241"
+ apply "patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch",
+ "patches/05_Always-check-the-number-of-coefficients.patch",
+ "patches/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch",
+ "patches/07_Check-for-multiplication-overflow-in-sfconvert.patch",
+ "patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch",
+ "patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch",
+ "patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch"
+ end
+
 def install
 if build.head?
 inreplace "autogen.sh", "libtool", "glibtool"
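Review bot: The comment above the top-level `patch do` lists eleven upstream issues and one pull request, while `apply` names seven patch files, and nothing says which report each patch addresses. Someone auditing the formula cannot tell from here whether every linked issue is covered by patches 04–10 or whether some remain unfixed in the built library. Annotating each link with its patch, e.g. `# https://github.com/mpruett/audiofile/issues/NN (patches/NN_<name>.patch)` with the placeholders filled in, or stating explicitly that some reports are still unpatched, would settle that. The block also sits outside `stable do`, so it presumably applies to `--HEAD` builds too (the `install` context below, which continues past the hunk, still branches on `build.head?`) and will stop applying there once upstream merges any of these fixes; a one-line comment saying so would help whoever hits that failure.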
@@ -46,24 +86,8 @@ class Audiofile < Formula
 test do
 inn = "/System/Library/Sounds/Glass.aiff"
 out = "Glass.wav"
- conv_bin = "#{bin}/sfconvert"
- info_bin = "#{bin}/sfinfo"
- unless File.exist?(conv_bin) && File.exist?(inn) && File.exist?(info_bin)
- opoo <<-EOS.undent
- One of the following files could not be located, and so
- the test was not executed:
- #{inn}
- #{conv_bin}
- #{info_bin}
-
- Audiofile can also be tested at build-time:
- brew install -v audiofile --with-check
- EOS
- return
- end
-
- system conv_bin, inn, out, "format", "wave"
- system info_bin, "--short", "--reporterror", out
+ system bin/"sfconvert", inn, out, "format", "wave"
+ system bin/"sfinfo", "--short", "--reporterror", out
 end
 end
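Review bot: With the `File.exist?` guard removed, the `test do` block depends unconditionally on `/System/Library/Sounds/Glass.aiff`, a host file the formula does not control, and nothing in the block says so. Failing loudly is better than the old silent skip, but a comment on the `inn` line such as `# Ships with macOS; the test fails if it is missing.` would explain a failure on a stripped-down system. The test also converts only one well-formed AIFF file, so it confirms that `sfconvert` and `sfinfo` run but presumably does not touch the decoder paths that patches 04–10 change.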