authorJohn Helmert III <jchelmert3@posteo.net>2020-07-05 22:38:48 -0500
committerSam James <sam@gentoo.org>2020-07-19 23:38:33 +0000
commitd2261786b3997b6ce70aae655928c625abc305f3 (patch)
treeaf6951cd47429162ebbd91f0dfb961905266bf3e /media-sound/milkytracker
parentnet-misc/ethertypes: amd64 stable (bug #724138) (diff)
media-sound/milkytracker: Add 1.02.00 (security)
Bug: https://bugs.gentoo.org/711280 Closes: https://bugs.gentoo.org/711564 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III <jchelmert3@posteo.net> Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'media-sound/milkytracker')
-rw-r--r--media-sound/milkytracker/Manifest2
-rw-r--r--media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch26
-rw-r--r--media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch104
-rw-r--r--media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch35
-rw-r--r--media-sound/milkytracker/milkytracker-1.02.00.ebuild53
5 files changed, 220 insertions, 0 deletions
diff --git a/media-sound/milkytracker/Manifest b/media-sound/milkytracker/Manifest
index 1400b0f2a7e1..34a0214ebc13 100644
--- a/media-sound/milkytracker/Manifest
+++ b/media-sound/milkytracker/Manifest
@@ -1 +1,3 @@
DIST milkytracker-1.0.0.tar.gz 3749140 BLAKE2B 5bf1e374c8d51e7f65a222c46b4cb3e26dd88ba5be304af540d3af4f5123179a2496d0b5eb87021d2dc0f12e7fab3f55e9ad06573aa5fb3a8842d9b743e6c948 SHA512 a96e8b015a4e3b38f3ad44756fc79cb062f91ab193b7428a6abde042aa4e51c8fb45757cba0504283410d714eefffdee57d3e3bf42e7991d1f9581ab8d2ab1c4
+DIST milkytracker-1.02.00-cmake.patch 40073 BLAKE2B cef8fc7efff9324c1d628026d650c79e11950b53481686e5dd35ace483839fbdd6b2b1f8ccce2f688beec2c7c28b0fe3b60d0e8d540d6cd163927f4bacf9d396 SHA512 bd4ca0d092229722ca81addaf9eec3ff1b176061da7b44fe3f02fbe020c3820778ed973dde95588b4c9f918728e2c69c24ac23083a2f48c0cbad2e854eeff5ba
+DIST milkytracker-1.02.00.tar.gz 3753882 BLAKE2B e9bb4341e016d2a9c518835e8b4620f748da60bca7205302e7500f14f3294e7fa9a20fef203226fffbe22a11a3b4978ea928f0f544eb70e99b5998ecc7c45611 SHA512 479a7b3198d97c68dca4fa772a2aa64d7f740957f5d8038fabfb303e724c85aec0865746a0a5c3ef6b9599b78892dcda22727ab2bb80ae38764bcf81b249e134
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
new file mode 100644
index 000000000000..d59522d6d1d0
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
@@ -0,0 +1,26 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+
+commit fd607a3439fcdd0992e5efded3c16fc79c804e34
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Date: Tue Jul 30 19:11:58 2019 +0100
+
+ Fix #184: Heap overflow in S3M loader
+
+diff --git a/src/milkyplay/LoaderS3M.cpp b/src/milkyplay/LoaderS3M.cpp
+index 5abf211..edf0fd5 100644
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@ mp_sint32 LoaderS3M::load(XMFileBase& f, XModule* module)
+ return MP_OUT_OF_MEMORY;
+
+ header->insnum = f.readWord(); // number of instruments
+- header->patnum = f.readWord(); // number of patterns
++ if (header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
++ header->patnum = f.readWord(); // number of patterns
++ if (header->patnum > 256)
++ return MP_LOADER_FAILED;
+
+ mp_sint32 flags = f.readWord(); // st3 flags
+
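Review bot: The added `header->insnum > MP_MAXINS` check uses a macro this patch does not define; as far as this commit shows, `MP_MAXINS` is only introduced by the XModule.h hunk of milkytracker-1.02.00-CVE-2019-1449x.patch, so this file would not build if applied on its own. The patch header should record that, e.g. `Depends on milkytracker-1.02.00-CVE-2019-1449x.patch (defines MP_MAXINS)`. The pattern limit is written as a bare `256`; a named constant next to `MP_MAXINS` would make the bound easier to audit. LoaderS3M::load starts and ends outside the hunk, so whether the header allocated before these early returns is released on the failure path cannot be confirmed from here.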
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
new file mode 100644
index 000000000000..0560cd2b825b
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
@@ -0,0 +1,104 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+
+commit ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Date: Tue Jul 30 18:40:03 2019 +0100
+
+ Fixes for buffer overflow issues #182 & #183
+
+diff --git a/src/milkyplay/LoaderXM.cpp b/src/milkyplay/LoaderXM.cpp
+index 108d915..f87f5c1 100644
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@ const char* LoaderXM::identifyModule(const mp_ubyte* buffer)
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ mp_ubyte insData[230];
+- mp_sint32 smpReloc[96];
+- mp_ubyte nbu[96];
++ mp_sint32 smpReloc[MP_MAXINSSAMPS];
++ mp_ubyte nbu[MP_MAXINSSAMPS];
+ mp_uint32 fileSize = 0;
+
+ module->cleanUp();
+@@ -117,6 +117,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ memcpy(header->ord, hdrBuff+16, 256);
+ if(header->ordnum > MP_MAXORDERS)
+ header->ordnum = MP_MAXORDERS;
++ if(header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
+
+ delete[] hdrBuff;
+
+@@ -143,7 +145,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ f.read(&instr[y].type,1,1);
+ mp_uword numSamples = 0;
+ f.readWords(&numSamples,1);
+- if(numSamples > 96)
++ if(numSamples > MP_MAXINSSAMPS)
+ return MP_LOADER_FAILED;
+ instr[y].samp = numSamples;
+
+@@ -169,8 +171,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ if (instr[y].samp) {
+ mp_ubyte* insDataPtr = insData;
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -285,7 +287,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+@@ -491,6 +493,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ f.read(&instr[y].type,1,1);
+ f.readWords(&instr[y].samp,1);
+ }
++ if (instr[y].samp > MP_MAXINSSAMPS)
++ return MP_LOADER_FAILED;
+
+ //printf("%i, %i\n", instr[y].size, instr[y].samp);
+
+@@ -532,8 +536,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ //f.read(&nbu,1,96);
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -650,7 +654,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+diff --git a/src/milkyplay/XModule.h b/src/milkyplay/XModule.h
+index f42d04b..4f04a2d 100644
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+
+ struct TXMHeader
+ {
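Review bot: Both relocation loops still index `smpReloc[nbu[sc]]` with an unchecked byte: `nbu` is filled by `memcpy` from `insData` (presumably bytes read from the module file), its elements are `mp_ubyte`, and `smpReloc` has only `MP_MAXINSSAMPS` (96) entries. Unless the values are validated outside these hunks, any byte of 96 or more reads past the end of the stack array. A guard such as `if (nbu[sc] >= MP_MAXINSSAMPS || smpReloc[nbu[sc]] == -1)` in the hunks at -285 and -650 would close that. Separately, the new `insnum` check in the hunk at -117 returns before `delete[] hdrBuff;`, so the rejected-file path appears to leak the header buffer; placing the check after the `delete[]` avoids it. LoaderXM::load extends beyond every hunk shown.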
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
new file mode 100644
index 000000000000..59c2f9942ae6
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
@@ -0,0 +1,35 @@
+Fix is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf
+
+Gentoo Bug: https://bugs.gentoo.org/711280
+
+commit 7afd55c42ad80d01a339197a2d8b5461d214edaf
+Author: Jeremy Clarke <geckojsc@gmail.com>
+Date: Mon Apr 13 23:53:51 2020 +0100
+
+ Fix use-after-free in PlayerGeneric destructor
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+
+ PlayerGeneric::~PlayerGeneric()
+ {
+- if (mixer)
+- delete mixer;
+
+ if (player)
+ {
+- if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++ if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ mixer->removeDevice(player);
+ delete player;
+ }
++
++ if (mixer)
++ delete mixer;
+
+ delete[] audioDriverName;
+
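Review bot: The destructor now depends on `mixer` outliving `player`, but nothing in the code states that, and the use-after-free being fixed was exactly this ordering. A comment above the final delete, e.g. `// mixer must be deleted last: player is unregistered from it above`, would keep a later cleanup from reordering it again. The `if (mixer)` before `delete mixer;` is redundant, because deleting a null pointer is a no-op. The destructor body continues past the end of the hunk.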
diff --git a/media-sound/milkytracker/milkytracker-1.02.00.ebuild b/media-sound/milkytracker/milkytracker-1.02.00.ebuild
new file mode 100644
index 000000000000..d9dc64d7f6ee
--- /dev/null
+++ b/media-sound/milkytracker/milkytracker-1.02.00.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake desktop
+
+# This commit is needed so the milkytrace binary is linked properly, bug 711564
+# It is also ~40kb so it is better to fetch it rather than ship it in-tree
+COMMIT="2b145b074581ddf3b4ad78a402cdf5fab500b125"
+
+DESCRIPTION="FastTracker 2 inspired music tracker"
+HOMEPAGE="https://milkytracker.titandemo.org/"
+SRC_URI="https://github.com/milkytracker/MilkyTracker/archive/v${PV}.tar.gz -> ${P}.tar.gz
+ https://github.com/milkytracker/MilkyTracker/commit/${COMMIT}.patch -> ${P}-cmake.patch"
+
+LICENSE="|| ( GPL-3 MPL-1.1 ) AIFFWriter.m BSD GPL-3 GPL-3+ LGPL-2.1+ MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="alsa jack"
+
+RDEPEND="
+ dev-libs/zziplib
+ media-libs/libsdl2[X]
+ sys-libs/zlib
+ alsa? ( media-libs/alsa-lib )
+ jack? ( media-sound/jack-audio-connection-kit )"
+DEPEND="${RDEPEND}"
+
+PATCHES=(
+ "${DISTDIR}/${P}-cmake.patch"
+ "${FILESDIR}/${P}-CVE-2019-14464.patch"
+ "${FILESDIR}/${P}-CVE-2019-1449x.patch"
+ "${FILESDIR}/${P}-CVE-2020-15569.patch"
+)
+
+S="${WORKDIR}/MilkyTracker-${PV}"
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package alsa ALSA)
+ $(cmake_use_find_package jack JACK)
+ )
+ cmake_src_configure
+}
+
+src_install() {
+ cmake_src_install
+
+ newicon resources/pictures/carton.png ${PN}.png
+ make_desktop_entry ${PN} MilkyTracker ${PN} \
+ "AudioVideo;Audio;Sequencer"
+}
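Review bot: `SRC_URI` fetches the cmake fix from GitHub's auto-generated `commit/${COMMIT}.patch` endpoint, whose output is not guaranteed to stay byte-identical over time (for example, the abbreviated hashes in `index` lines can change length). The Manifest checksum for `${P}-cmake.patch` may therefore stop matching and break fetching. The Manifest entry still protects integrity, so this is an availability problem rather than a tampering one. Pointing at a fixed hosted copy, e.g. `https://<stable-mirror-placeholder>/${P}-cmake.patch -> ${P}-cmake.patch`, keeps the patch out of the tree as the comment intends while pinning the bytes.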