cherry-pick sox 14.4.2 commits from master to scarthgap-next for CVE fixes

meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch

@@ -15,7 +15,7 @@ diff --git a/src/formats.c b/src/formats.c
 index 724a4cda..f683a922 100644
 --- a/src/formats.c
 +++ b/src/formats.c
-@@ -422,7 +422,6 @@ static void UNUSED rewind_pipe(FILE * fp)
+@@ -477,7 +477,6 @@ static void UNUSED rewind_pipe(FILE * fp)
    /* To fix this #error, either simply remove the #error line and live without
     * file-type detection with pipes, or add support for your compiler in the
     * lines above.  Test with cat monkey.wav | ./sox --info - */

meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch

@@ -0,0 +1,32 @@
+From 8eb3afb37f80d7231a998e3074e6fc5f7bdfe4d5 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:28:15 +0100
+Subject: [PATCH] hcom: validate dictsize
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch
+
+CVE: CVE-2021-23159
+CVE: CVE-2021-23172
+CVE: CVE-2023-34432
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index 594c8706..9e8b03c6 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
+                 return (SOX_EOF);
+         }
+         lsx_readw(ft, &dictsize);
++        if (dictsize == 0 || dictsize > 511)
++        {
++                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++                return SOX_EOF;
++        }
+
+         /* Translate to sox parameters */
+         ft->encoding.encoding = SOX_ENCODING_HCOM;

meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch

@@ -0,0 +1,40 @@
+From f2597e433afeee8ab00cf6368ec8519df34aa031 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 23:19:43 +0100
+Subject: [PATCH] wav: reject 0 bits per sample to avoid division by zero
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch
+
+CVE: CVE-2021-33844
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/testall.sh | 1 +
+ src/wav.c      | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/testall.sh b/src/testall.sh
+index e7398377..e1454c21 100755
+--- a/src/testall.sh
++++ b/src/testall.sh
+@@ -67,3 +67,4 @@ t voc
+ t vox -r 8130
+ t wav
+ t wve
++t wav -e gsm-full-rate
+diff --git a/src/wav.c b/src/wav.c
+index 3f6beb45..16f0bff8 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -963,6 +963,11 @@ static int startread(sox_format_t *ft)
+ #endif
+     }
+
++    if (ft->encoding.bits_per_sample == 0)
++    {
++        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++        return SOX_EOF;
++    }
+     if (!wav->numSamples)
+         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample)
+             / ft->signal.channels;

meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch

@@ -0,0 +1,30 @@
+From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 21:16:40 +0100
+Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch
+
+CVE: CVE-2021-3643
+CVE: CVE-2021-23210
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index a75639e9..0ca07f94 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
+         v->rate = new_rate_32;
+         ft->signal.rate = new_rate_32;
+         lsx_readb(ft, &uc);
++        if (uc <= 1) {
++          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++          return (SOX_EOF);
++        }
+         v->size = uc;
+         lsx_readb(ft, &uc);
+         if (v->channels != -1 && uc != v->channels) {

meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch

@@ -0,0 +1,38 @@
+From 25f686e0da423326a74fe16c603b6b6b75857fa4 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:07:19 +0100
+Subject: [PATCH] sphere: avoid integer underflow
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch
+
+CVE: CVE-2021-40426
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c64..9544d160 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+     return (SOX_EOF);
+   }
+
+-  header_size -= (strlen(buf) + 1);
++  bytes_read = strlen(buf);
++  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+
+   while (strncmp(buf, "end_head", (size_t)8) != 0) {
+     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+       return (SOX_EOF);
+     }
+
+-    header_size -= (strlen(buf) + 1);
++    bytes_read = strlen(buf);
++    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+   }
+
+   if (!bytes_per_sample)

meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch

@@ -0,0 +1,60 @@
+From 3a8e783c58499bb52052c671b9161c43e011a508 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:08:04 +0100
+Subject: [PATCH] formats+aiff: reject implausibly large number of channels
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch
+
+CVE: CVE-2022-31650
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/aiff.c      |  5 +++++
+ src/formats_i.c | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index 3a152c58..6de94f32 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+            At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+            Sorry, the AIFF format does not provide for an indefinite
+            number of samples. */
++        if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++        {
++                lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++                return SOX_EOF;
++        }
+         return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 7048040d..6a7c27e3 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -19,6 +19,7 @@
+  */
+
+ #include "sox_i.h"
++#include <limits.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <stdarg.h>
+@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+   if (ft->seekable)
+     ft->data_start = lsx_tell(ft);
+
+-  if (channels && ft->signal.channels && ft->signal.channels != channels)
++  if (channels && ft->signal.channels && ft->signal.channels != channels) {
+     lsx_warn("`%s': overriding number of channels", ft->filename);
+-  else ft->signal.channels = channels;
++  } else if (channels > SHRT_MAX) {
++    lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++    return SOX_EOF;
++  } else {
++    ft->signal.channels = channels;
++  }
+
+   if (rate && ft->signal.rate && ft->signal.rate != rate)
+     lsx_warn("`%s': overriding sample rate", ft->filename);

meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch

@@ -0,0 +1,36 @@
+From db9641ce748bdfb465fdfa9b7794de2f8da0a249 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:08:13 +0100
+Subject: [PATCH] formats: reject implausible rate
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch
+
+CVE: CVE-2022-31651
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 6a7c27e3..5f5ef979 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+     ft->signal.channels = channels;
+   }
+
+-  if (rate && ft->signal.rate && ft->signal.rate != rate)
++  if (rate && ft->signal.rate && ft->signal.rate != rate) {
+     lsx_warn("`%s': overriding sample rate", ft->filename);
+-  else ft->signal.rate = rate;
++  /* Since NaN comparisons yield false, the negation rejects them. */
++  } else if (!(rate > 0)) {
++    lsx_fail_errno(ft, EINVAL, "invalid rate value");
++    return SOX_EOF;
++  } else {
++    ft->signal.rate = rate;
++  }
+
+   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+     lsx_warn("`%s': overriding encoding type", ft->filename);

meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch

@@ -0,0 +1,30 @@
+From b0b7e7fa7a48485c4d6b0ae64bfddedd519716f5 Mon Sep 17 00:00:00 2001
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sun, 16 Mar 2025 23:25:15 +0100
+Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
+
+CVE: CVE-2023-32627
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/voc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index 0ca07f94..d8b982c5 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
+             v->block_remaining = 0;
+             return done;
+           }
++          if(uc == 0) {
++            lsx_fail_errno(ft, EINVAL, "invalid rate value");
++            v->block_remaining = 0;
++            return done;
++          }
+           *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
+           lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
+           ++buf;

meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb

@@ -4,35 +4,54 @@ and can apply different effects and filters to the audio data."
 HOMEPAGE = "http://sox.sourceforge.net"
 SECTION = "audio"
 
-DEPENDS = "libpng libsndfile1 libtool"
+DEPENDS = "autoconf-archive-native libpng libsndfile1 libtool"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa pulseaudio', d)} \
                    magic \
 "
-PACKAGECONFIG[pulseaudio] = "--with-pulseaudio=dyn,--with-pulseaudio=no,pulseaudio,"
-PACKAGECONFIG[alsa] = "--with-alsa=dyn,--with-alsa=no,alsa-lib,"
-PACKAGECONFIG[wavpack] = "--with-wavpack=dyn,--with-wavpack=no,wavpack,"
-PACKAGECONFIG[flac] = "--with-flac=dyn,--with-flac=no,flac,"
-PACKAGECONFIG[amrwb] = "--with-amrwb=dyn,--with-amrwb=no,opencore-amr,"
-PACKAGECONFIG[amrnb] = "--with-amrnb=dyn,--with-amrnb=no,opencore-amr,"
-PACKAGECONFIG[oggvorbis] = "--with-oggvorbis=dyn,--with-oggvorbis=no,libvorbis"
-PACKAGECONFIG[opus] = "--with-opus=dyn,--with-opus=no,opusfile"
+PACKAGECONFIG[pulseaudio] = "--enable-pulseaudio=dyn,--disable-pulseaudio,pulseaudio,"
+PACKAGECONFIG[alsa] = "--enable-alsa=dyn,--disable-alsa,alsa-lib,"
+PACKAGECONFIG[wavpack] = "--enable-wavpack=dyn,--disable-wavpack,wavpack,"
+PACKAGECONFIG[flac] = "--enable-flac=dyn,--disable-flac,flac,"
+PACKAGECONFIG[amrwb] = "--enable-amrwb=dyn,--disable-amrwb,opencore-amr,"
+PACKAGECONFIG[amrnb] = "--enable-amrnb=dyn,--disable-amrnb,opencore-amr,"
+PACKAGECONFIG[oggvorbis] = "--enable-oggvorbis=dyn,--disable-oggvorbis,libvorbis"
+PACKAGECONFIG[opus] = "--enable-opus=dyn,--disable-opus,opusfile"
 PACKAGECONFIG[magic] = "--with-magic,--without-magic,file,"
 PACKAGECONFIG[mad] = "--with-mad,--without-mad,libmad,"
 PACKAGECONFIG[id3tag] = "--with-id3tag,--without-id3tag,libid3tag,"
 PACKAGECONFIG[lame] = "--with-lame,--without-lame,lame,"
-PACKAGECONFIG[ao] = "--with-ao,--without-ao,libao,"
+PACKAGECONFIG[ao] = "--enable-ao,--disable-ao,libao,"
 
 LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \
+SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
            file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
-           file://0001-Update-exported-symbol-list.patch \
+           file://CVE-2021-3643_CVE-2021-23210.patch \
+           file://CVE-2021-23159_CVE-2021-2317.patch \
+           file://CVE-2021-33844.patch \
+           file://CVE-2021-40426.patch \
+           file://CVE-2022-31650.patch \
+           file://CVE-2022-31651.patch \
+           file://CVE-2023-32627.patch \
            "
-SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33"
-SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"
+
+# last release was in 2015, use latest hash from 2024-05-30
+PV .= "+git"
+SRCREV = "f3094754a7c2a7e55c35621d20fa9945736e72df"
+S = "${WORKDIR}/git"
+
+CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange"
+
+CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE"
+CVE_STATUS_HASH_UPDATE = " \
+    CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \
+    CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \
+    CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \
+"
+CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash"
 
 inherit autotools pkgconfig