diff --git a/CVE-2021-21417-1.patch b/CVE-2021-21417-1.patch
new file mode 100644
index 0000000..064f524
--- /dev/null
+++ b/CVE-2021-21417-1.patch
@@ -0,0 +1,94 @@
+From 67596a87731dc593551975ca0268a438ab7410a2 Mon Sep 17 00:00:00 2001
+From: derselbst
+Date: Sun, 14 Mar 2021 10:58:13 +0100
+Subject: [PATCH] Invalid generator were not removed from list
+
+fluid_list_remove() should receive the beginning of a list, so it can
+adjust the predecessor of the ele
+ment to be removed. Otherwise the element would remain in the list,
+which in this case led to a use-aft
+er-free afterwards.
+
+---
+ src/sfloader/fluid_defsfont.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index 0330de5..fc68d34 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2706,7 +2706,7 @@ load_pmod (int size, SFData * sf, FILE * fd)
+ static int
+ load_pgen (int size, SFData * sf, FILE * fd)
+ {
+- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -2718,7 +2718,7 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ { /* traverse through all presets */
+ gzone = FALSE;
+ discarded = FALSE;
+- p2 = ((SFPreset *) (p->data))->zone;
++ start_of_zone_list = p2 = ((SFPreset *) (p->data))->zone;
+ if (p2)
+ hz = &p2;
+ while (p2)
+@@ -2828,12 +2828,14 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ }
+ }
+ else
+- { /* previous global zone exists, discard */
++ {
++ SFZone * pzone = fluid_list_get(p2);
++ /* previous global zone exists, discard */
+ FLUID_LOG (FLUID_WARN,
+ _("Preset \"%s\": Discarding invalid global zone"),
+ ((SFPreset *) (p->data))->name);
+- *hz = fluid_list_remove(*hz, p2->data);
+- sfont_free_zone((SFZone *)fluid_list_get(p2));
++ *hz = fluid_list_remove(start_of_zone_list, pzone);
++ sfont_free_zone(pzone);
+ }
+ }
+
+@@ -3058,7 +3060,7 @@ load_imod (int size, SFData * sf, FILE * fd)
+ static int
+ load_igen (int size, SFData * sf, FILE * fd)
+ {
+- fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++ fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -3070,7 +3072,7 @@ load_igen (int size, SFData * sf, FILE * fd)
+ { /* traverse through all instruments */
+ gzone = FALSE;
+ discarded = FALSE;
+- p2 = ((SFInst *) (p->data))->zone;
++ start_of_zone_list = p2 = ((SFInst *) (p->data))->zone;
+ if (p2)
+ hz = &p2;
+ while (p2)
+@@ -3179,12 +3181,14 @@ load_igen (int size, SFData * sf, FILE * fd)
+ }
+ }
+ else
+- { /* previous global zone exists, discard */
++ {
++ SFZone * izone = fluid_list_get(p2);
++ /* previous global zone exists, discard */
+ FLUID_LOG (FLUID_WARN,
+ _("Instrument \"%s\": Discarding invalid global zone"),
+ ((SFInst *) (p->data))->name);
+- *hz = fluid_list_remove(*hz, p2->data);
+- sfont_free_zone((SFZone *)fluid_list_get(p2));
++ *hz = fluid_list_remove(start_of_zone_list, izone);
++ sfont_free_zone(izone);
+ }
+ }
+
+--
+2.23.0
+
diff --git a/CVE-2021-21417-2.patch b/CVE-2021-21417-2.patch
new file mode 100644
index 0000000..15ebdbd
--- /dev/null
+++ b/CVE-2021-21417-2.patch
@@ -0,0 +1,52 @@
+From 6673a5f73c0484f8462b4b33860d2b1c68c24684 Mon Sep 17 00:00:00 2001
+From: Tom M
+Date: Sun, 14 Mar 2021 20:23:38 +0100
+Subject: [PATCH] Update fluid_sffile.c
+
+---
+ src/sfloader/fluid_defsfont.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index fc68d34..9663a40 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2829,13 +2829,14 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ }
+ else
+ {
+- SFZone * pzone = fluid_list_get(p2);
++ p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG (FLUID_WARN,
+ _("Preset \"%s\": Discarding invalid global zone"),
+ ((SFPreset *) (p->data))->name);
+- *hz = fluid_list_remove(start_of_zone_list, pzone);
+- sfont_free_zone(pzone);
++ fluid_list_remove(start_of_zone_list, z);
++ sfont_free_zone(z);
++ continue;
+ }
+ }
+
+@@ -3182,13 +3183,14 @@ load_igen (int size, SFData * sf, FILE * fd)
+ }
+ else
+ {
+- SFZone * izone = fluid_list_get(p2);
++ p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG (FLUID_WARN,
+ _("Instrument \"%s\": Discarding invalid global zone"),
+ ((SFInst *) (p->data))->name);
+- *hz = fluid_list_remove(start_of_zone_list, izone);
+- sfont_free_zone(izone);
++ fluid_list_remove(start_of_zone_list, z);
++ sfont_free_zone(z);
++ continue;
+ }
+ }
+
+--
+2.23.0
+
diff --git a/CVE-2021-21417-pre.patch b/CVE-2021-21417-pre.patch
new file mode 100644
index 0000000..df4c279
--- /dev/null
+++ b/CVE-2021-21417-pre.patch
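Review bot: The value returned by `fluid_list_remove(start_of_zone_list, z)` is dropped in both the load_pgen and load_igen hunks, whereas the sfont_zone_delete body this series removes stored it back (`*zlist = fluid_list_remove(...)`). If `z` can ever be the first element of the zone list, the head changes and `((SFPreset *)(p->data))->zone` (likewise the SFInst `zone` in the second hunk) would keep pointing at the element that `sfont_free_zone(z)` just released, which is the same class of dangling pointer this CVE fix is meant to close. I cannot tell from the hunk whether the `else` branch guarantees an earlier zone precedes `z`; if it does, add a comment stating that invariant next to the call, otherwise store the result: `((SFPreset *)(p->data))->zone = start_of_zone_list = fluid_list_remove(start_of_zone_list, z);` with the SFInst counterpart in load_igen. The loop that assigns `z` from the current element begins outside the hunk, so the assumption that `z` still names the zone `p2` pointed at before it was advanced is inferred from the removed `pzone` line rather than visible here.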
@@ -0,0 +1,66 @@
+From f83c49d6fa7f1ec4818cb9e920e30adc827d28bf Mon Sep 17 00:00:00 2001
+From: Marcus Weseloh
+Date: Wed, 4 Apr 2018 11:03:47 +0200
+Subject: [PATCH] Remove sfont_zone_delete, replace with direct
+invocations instead
+
+---
+ src/sfloader/fluid_defsfont.c | 14 ++++----------
+ src/sfloader/fluid_defsfont.h | 2 --
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index 231d248..0330de5 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2832,7 +2832,8 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ FLUID_LOG (FLUID_WARN,
+ _("Preset \"%s\": Discarding invalid global zone"),
+ ((SFPreset *) (p->data))->name);
+- sfont_zone_delete (sf, hz, (SFZone *) (p2->data));
++ *hz = fluid_list_remove(*hz, p2->data);
++ sfont_free_zone((SFZone *)fluid_list_get(p2));
+ }
+ }
+
+@@ -3182,7 +3183,8 @@ load_igen (int size, SFData * sf, FILE * fd)
+ FLUID_LOG (FLUID_WARN,
+ _("Instrument \"%s\": Discarding invalid global zone"),
+ ((SFInst *) (p->data))->name);
+- sfont_zone_delete (sf, hz, (SFZone *) (p2->data));
++ *hz = fluid_list_remove(*hz, p2->data);
++ sfont_free_zone((SFZone *)fluid_list_get(p2));
+ }
+ }
+
+@@ -3566,14 +3568,6 @@ sfont_preset_compare_func (void* a, void* b)
+ return (aval - bval);
+ }
+
+-/* delete zone from zone list */
+-void
+-sfont_zone_delete (SFData * sf, fluid_list_t ** zlist, SFZone * zone)
+-{
+- *zlist = fluid_list_remove (*zlist, (void*) zone);
+- sfont_free_zone (zone);
+-}
+-
+ /* Find generator in gen list */
+ fluid_list_t *
+ gen_inlist (int gen, fluid_list_t * genlist)
+diff --git a/src/sfloader/fluid_defsfont.h b/src/sfloader/fluid_defsfont.h
+index 0d5c6c0..d1ceac1 100644
+--- a/src/sfloader/fluid_defsfont.h
++++ b/src/sfloader/fluid_defsfont.h
+@@ -222,8 +222,6 @@ void sfont_close (SFData * sf);
+ void sfont_free_zone (SFZone * zone);
+ int sfont_preset_compare_func (void* a, void* b);
+
+-void sfont_zone_delete (SFData * sf, fluid_list_t ** zlist, SFZone * zone);
+-
+ fluid_list_t *gen_inlist (int gen, fluid_list_t * genlist);
+ int gen_valid (int gen);
+ int gen_validp (int gen);
+--
+2.23.0
+
diff --git a/fluidsynth.spec b/fluidsynth.spec
index c101c0b..6fc87c9 100644
--- a/fluidsynth.spec
+++ b/fluidsynth.spec
@@ -1,12 +1,15 @@
 Name: fluidsynth
 Version: 1.1.11
-Release: 3
+Release: 4
 Summary: Real-time software synthesizer
 License: LGPLv2+
 URL: http://www.fluidsynth.org/
 Source0: https://github.com/Fluidsynth/fluidsynth/archive/v%{version}/fluidsynth-%{version}.tar.gz
 Patch0000: fluidsynth-no_date_footer.patch
+Patch0001: CVE-2021-21417-pre.patch
+Patch0002: CVE-2021-21417-1.patch
+Patch0003: CVE-2021-21417-2.patch
 BuildRequires: alsa-lib-devel cmake dbus-devel gcc jack-audio-connection-kit-devel readline-devel
 BuildRequires: ladspa-devel ncurses-devel libsndfile-devel pkgconfig pulseaudio-libs-devel doxygen
@@ -63,5 +66,8 @@ make doxygen -C %{_target_platform}/doc
 %doc NEWS README.md THANKS TODO doc/FluidSynth-LADSPA.pdf
 %changelog
+* Thu May 13 2021 wangxiao - 1.1.11-4
+- Fix CVE-2021-21417
+
 * Fri Nov 22 2019 sunguoshuai - 1.1.11-3
 - Package init.
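Review bot: Patch0001–Patch0003 are declared in the first spec hunk, but the `%prep` section that would apply them lies between the two hunks and is not shown, so whether the spec relies on `%autosetup -p1` or on explicit `%patch` lines cannot be confirmed from this diff; if it is `%setup` with per-patch `%patchN -p1` lines, matching entries are needed or the CVE fix is declared without being built in. The three patches chain on blob ids 231d248 → 0330de5 → fc68d34 → 9663a40, so the pre/1/2 numbering order has to be preserved by whatever applies them. The changelog line could also name the upstream commits being backported, e.g. `- Fix CVE-2021-21417 (backport of f83c49d, 67596a8, 6673a5f)`, so the provenance of the fix is auditable from the package alone.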