gnu: audiofile: Update to 0.3.6 [security-fix].

* gnu/packages/audio.scm (audiofile): Update to 0.3.6.

Change-Id: I2dda621f60c27e02b1513e2d89a138136a1633ca
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

gnu/local.mk

@@ -1012,6 +1012,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/audiofile-CVE-2015-7747.patch		\
   %D%/packages/patches/audiofile-CVE-2018-13440.patch		\
   %D%/packages/patches/audiofile-CVE-2018-17095.patch		\
+  %D%/packages/patches/audiofile-CVE-2022-24599.patch		\
   %D%/packages/patches/audiofile-check-number-of-coefficients.patch \
   %D%/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch \
   %D%/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch \

gnu/packages/audio.scm

@@ -1444,7 +1444,8 @@ tools.")
          ;; CVE-2017-6833:
          "audiofile-division-by-zero.patch"
          "audiofile-CVE-2018-13440.patch"
-         "audiofile-CVE-2018-17095.patch"))))
+         "audiofile-CVE-2018-17095.patch"
+         "audiofile-CVE-2022-24599.patch"))))
     (properties `((lint-hidden-cve . ("CVE-2017-6829"
 
                                       "CVE-2017-6827" "CVE-2017-6828"

gnu/packages/patches/audiofile-CVE-2022-24599.patch

@@ -0,0 +1,83 @@
+commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
+Author: Bastien Roucariès <rouca@debian.org>
+Date:   Sat Nov 11 15:58:50 2023 +0000
+
+    Fix CVE-2022-24599
+    
+    Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+    with a user declared string.
+    
+    Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+    for printf
+    
+    Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+    
+    Before under valgrind:
+    libtool --mode=execute valgrind --track-origins=yes  ./sfinfo heapleak_poc.aiff
+    
+    Duration       -inf seconds
+    ==896222== Invalid read of size 1
+    ==896222==    at 0x4846794: strlen (vg_replace_strmem.c:494)
+    ==896222==    by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+    ==896222==    by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+    ==896222==    by 0x49DE986: __printf_chk (printf_chk.c:33)
+    ==896222==    by 0x10985C: printf (stdio2.h:86)
+    ==896222==    by 0x10985C: printfileinfo (printinfo.c:134)
+    ==896222==    by 0x10930A: main (sfinfo.c:113)
+    ==896222==  Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+    ==896222==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
+    ==896222==    by 0x109825: copyrightstring (printinfo.c:163)
+    ==896222==    by 0x109825: printfileinfo (printinfo.c:131)
+    ==896222==    by 0x10930A: main (sfinfo.c:113)
+    ==896222==
+    Copyright      C
+    
+    After:
+    Duration       -inf seconds
+    Copyright      C
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ 
+ static char *copyrightstring (AFfilehandle file);
+ 
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ 	int		i, misccount;
+ 
+ 	misccount = afGetMiscIDs(file, NULL);
+-	miscids = (int *) malloc(sizeof (int) * misccount);
++	if(!misccount)
++		return NULL;
++	miscids = (int *) calloc(misccount, sizeof(int));
++	if(!miscids)
++		return NULL;
+ 	afGetMiscIDs(file, miscids);
+ 
+ 	for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+ 			If this code executes, the miscellaneous chunk is a
+ 			copyright chunk.
+ 		*/
+-		int datasize = afGetMiscSize(file, miscids[i]);
+-		char *data = (char *) malloc(datasize);
++		size_t datasize = afGetMiscSize(file, miscids[i]);
++		if(datasize >= INT_MAX -1 ) {
++			goto error;
++		}
++		char *data = (char *) calloc(datasize + 1, 1);
+ 		afReadMisc(file, miscids[i], data, datasize);
+ 		copyright = data;
+ 		break;
+ 	}
+-
++error:
+ 	free(miscids);
+ 
+ 	return copyright;