From 1d1efa6c6a4911ac20e1e3c4fdf0ecb2afb6f54a Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Fri, 24 Oct 2014 03:39:34 -0400
Subject: gnu: pulseaudio: Fix CVE-2014-3970 and intermittent test failures.

* gnu/packages/patches/pulseaudio-CVE-2014-397.patch: New file.
* gnu/packages/patches/pulseaudio-fix-mult-test.patch: New file.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/pulseaudio.scm (pulseaudio): Add patches.
---
 gnu-system.am                                      |  2 +
 .../patches/pulseaudio-CVE-2014-3970.patch         | 57 ++++++++++++++++++++++
 .../patches/pulseaudio-fix-mult-test.patch         | 16 ++++++
 gnu/packages/pulseaudio.scm                        |  4 +-
 4 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
 create mode 100644 gnu/packages/patches/pulseaudio-fix-mult-test.patch

diff --git a/gnu-system.am b/gnu-system.am
index e0484d4abc..54b6a782fa 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -395,6 +395,8 @@ dist_patch_DATA =						\
   gnu/packages/patches/pingus-sdl-libs-config.patch		\
   gnu/packages/patches/plotutils-libpng-jmpbuf.patch		\
   gnu/packages/patches/procps-make-3.82.patch			\
+  gnu/packages/patches/pulseaudio-CVE-2014-3970.patch		\
+  gnu/packages/patches/pulseaudio-fix-mult-test.patch		\
   gnu/packages/patches/pybugz-encode-error.patch		\
   gnu/packages/patches/pybugz-stty.patch			\
   gnu/packages/patches/python-fix-tests.patch			\
diff --git a/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
new file mode 100644
index 0000000000..073e663112
--- /dev/null
+++ b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
@@ -0,0 +1,57 @@
+From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov@gmail.com>
+Date: Thu, 5 Jun 2014 22:29:25 +0600
+Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+---
+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
++    if (size <= 0) {
++        /* size can be 0 due to any of the following reasons:
++         *
++         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
++         * 2. Somebody sent us a UDP packet with a bad CRC.
++         *
++         * It is unknown whether size can actually be less than zero.
++         *
++         * In the first case, the packet has to be read out, otherwise the
++         * kernel will tell us again and again about it, thus preventing
++         * reception of any further packets. So let's just read it out
++         * now and discard it later, when comparing the number of bytes
++         * received (0) with the number of bytes wanted (1, see below).
++         *
++         * In the second case, recvmsg() will fail, thus allowing us to
++         * return the error.
++         *
++         * Just to avoid passing zero-sized memchunks and NULL pointers to
++         * recvmsg(), let's force allocation of at least one byte by setting
++         * size to 1.
++         */
++        size = 1;
++    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;
+-- 
+2.0.0
+
diff --git a/gnu/packages/patches/pulseaudio-fix-mult-test.patch b/gnu/packages/patches/pulseaudio-fix-mult-test.patch
new file mode 100644
index 0000000000..7b249645ad
--- /dev/null
+++ b/gnu/packages/patches/pulseaudio-fix-mult-test.patch
@@ -0,0 +1,16 @@
+Avoid signed overflow during mult-s16-test which intermittently
+failed.
+
+Patch by Mark H Weaver <mhw@netris.org>.
+
+--- pulseaudio-5.0/src/tests/mult-s16-test.c.orig	2014-01-23 13:57:55.000000000 -0500
++++ pulseaudio-5.0/src/tests/mult-s16-test.c	2014-10-24 03:13:46.464661815 -0400
+@@ -55,7 +55,7 @@
+ START_TEST (mult_s16_test) {
+     int16_t samples[SAMPLES];
+     int32_t volumes[SAMPLES];
+-    int32_t sum1 = 0, sum2 = 0;
++    uint32_t sum1 = 0, sum2 = 0;
+     int i;
+ 
+     pa_random(samples, sizeof(samples));
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 63f343dc37..61e0d029f5 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -127,7 +127,9 @@ rates. ")
               ;; anyway.
               '(substitute* "src/daemon/default.pa.in"
                  (("load-module module-console-kit" all)
-                  (string-append "#" all "\n"))))))
+                  (string-append "#" all "\n"))))
+             (patches (list (search-patch "pulseaudio-fix-mult-test.patch")
+                            (search-patch "pulseaudio-CVE-2014-3970.patch")))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--localstatedir=/var" ;"--sysconfdir=/etc"
-- 
cgit v1.2.3