sox: patch CVE-2022-31651

Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-04 16:10:10 +00:00 · 2025-03-16 23:53:56 +01:00 · 2025-03-16 23:53:56 +01:00 · 89c017821a
commit 89c017821a
parent 545ab1a7ad
2 changed files with 37 additions and 0 deletions
--- a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch
@ -0,0 +1,36 @@
+From db9641ce748bdfb465fdfa9b7794de2f8da0a249 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:08:13 +0100
+Subject: [PATCH] formats: reject implausible rate
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch
+
+CVE: CVE-2022-31651
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 6a7c27e3..5f5ef979 100644
+--- a/src/formats_i.c
+++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+     ft->signal.channels = channels;
+   }
+ 
+-  if (rate && ft->signal.rate && ft->signal.rate != rate)
+  if (rate && ft->signal.rate && ft->signal.rate != rate) {
+     lsx_warn("`%s': overriding sample rate", ft->filename);
+-  else ft->signal.rate = rate;
+  /* Since NaN comparisons yield false, the negation rejects them. */
+  } else if (!(rate > 0)) {
+    lsx_fail_errno(ft, EINVAL, "invalid rate value");
+    return SOX_EOF;
+  } else {
+    ft->signal.rate = rate;
+  }
+ 
+   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+     lsx_warn("`%s': overriding encoding type", ft->filename);
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@ -34,6 +34,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
           file://CVE-2021-33844.patch \
           file://CVE-2021-40426.patch \
           file://CVE-2022-31650.patch \
+           file://CVE-2022-31651.patch \
           "

 # last release was in 2015, use latest hash from 2024-05-30