speex: upgrade 1.2.0 -> 1.2.1

CVE-2020-23903.patch
removed since it's included in 1.2.1

License-Update:
  Add "Organisation (CSIRO)" to Copyright 2005-2008

Changelog:
===========
 Check for _WIN32 instead of WIN32 in preprocessor checks
 wav_io: check for EOF when seeking in wav (fixes hang discovered by fuzzing, see #9)
 CI: add gitlab CI integration
 fixed-point: make left shift macros use unsigned to avoid undefined behaviour
 math_approx: use unsigned int for LCG pseudorandom generator (avoids integer overflow)
 oss-fuzz: add integration and fuzzing target
 speexenc: guard against invalid channel numbers (see #13)
 speexdec: make left shift macros use unsigned to avoid undefined behaviour
 autotools: do not use deprecated macros

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
deleted file mode 100644 (file)
index eb16e95..0000000
--- a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Backport patch to fix CVE-2020-23903.
-
-CVE: CVE-2020-23903
-Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001
-From: Tristan Matthews <tmatth@videolan.org>
-Date: Mon, 13 Jul 2020 23:25:03 -0400
-Subject: [PATCH] wav_io: guard against invalid channel numbers
-
-Fixes #13
----
- src/wav_io.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/wav_io.c b/src/wav_io.c
-index b5183015..09d62eb0 100644
---- a/src/wav_io.c
-+++ b/src/wav_io.c
-@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
-    stmp = le_short(stmp);
-    *channels = stmp;
- 
--   if (stmp>2)
-+   if (stmp>2 || stmp<1)
-    {
-       fprintf (stderr, "Only mono and (intensity) stereo supported\n");
-       return -1;

diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.1.bb
similarity index 65%
rename from meta/recipes-multimedia/speex/speex_1.2.0.bb
rename to meta/recipes-multimedia/speex/speex_1.2.1.bb
index ea475f0f1baeae80743cddb23f8f9e3df5f0d277..c40198fa8f30522427ecff9d4a33d225fc7c276c 100644 (file)
--- a/meta/recipes-multimedia/speex/speex_1.2.0.bb
+++ b/meta/recipes-multimedia/speex/speex_1.2.1.bb
@@ -3,17 +3,15 @@ DESCRIPTION = "Speex is an Open Source/Free Software patent-free audio compressi
 HOMEPAGE = "http://www.speex.org"
 SECTION = "libs"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \
-                    file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"
+LIC_FILES_CHKSUM = "file://COPYING;md5=eff3f76350f52a99a3df5eec6b79c02a \
+                    file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50 \
+                    "
 DEPENDS = "libogg speexdsp"
 
-SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \
-           file://CVE-2020-23903.patch \
-           "
+SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz"
 UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"
-SRC_URI[sha256sum] = "eaae8af0ac742dc7d542c9439ac72f1f385ce838392dc849cae4536af9210094"
+SRC_URI[sha256sum] = "4b44d4f2b38a370a2d98a78329fefc56a0cf93d1c1be70029217baae6628feea"
 
 inherit autotools pkgconfig lib_package