pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/audio/libmad libmad: Add patches for CVE-2017-8372, CV...
details: https://anonhg.NetBSD.org/pkgsrc/rev/dcf07c9edcc2
branches: trunk
changeset: 336284:dcf07c9edcc2
user: nia <nia%pkgsrc.org@localhost>
date: Wed Jul 10 20:01:57 2019 +0000
description:
libmad: Add patches for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
>From Kurt Roeckx / Debian.
Tested with cmus and moc.
diffstat:
audio/libmad/Makefile | 4 +-
audio/libmad/distinfo | 6 +-
audio/libmad/patches/patch-bit.c | 18 ++
audio/libmad/patches/patch-frame.c | 69 +++++++++
audio/libmad/patches/patch-layer12.c | 262 +++++++++++++++++++++++++++++++++++
audio/libmad/patches/patch-layer3.c | 34 ++++
6 files changed, 390 insertions(+), 3 deletions(-)
diffs (truncated from 429 to 300 lines):
diff -r 3e771be73406 -r dcf07c9edcc2 audio/libmad/Makefile
--- a/audio/libmad/Makefile Wed Jul 10 18:02:59 2019 +0000
+++ b/audio/libmad/Makefile Wed Jul 10 20:01:57 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2017/08/16 20:21:03 wiz Exp $
+# $NetBSD: Makefile,v 1.22 2019/07/10 20:01:57 nia Exp $
#
DISTNAME= libmad-0.15.1b
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mad/}
diff -r 3e771be73406 -r dcf07c9edcc2 audio/libmad/distinfo
--- a/audio/libmad/distinfo Wed Jul 10 18:02:59 2019 +0000
+++ b/audio/libmad/distinfo Wed Jul 10 20:01:57 2019 +0000
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.4 2015/11/03 01:12:37 agc Exp $
+$NetBSD: distinfo,v 1.5 2019/07/10 20:01:57 nia Exp $
SHA1 (libmad-0.15.1b.tar.gz) = cac19cd00e1a907f3150cc040ccc077783496d76
RMD160 (libmad-0.15.1b.tar.gz) = 0f3415ee10b188681e282ca69dec74c46ca73b0f
SHA512 (libmad-0.15.1b.tar.gz) = 2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5ce8af7aefa6a75a3f545d3adfa255e3fa0a2d50971f76bc0c4fc0400cc45
Size (libmad-0.15.1b.tar.gz) = 502379 bytes
SHA1 (patch-aa) = 82271980d28d151b6b85987e075ad15dace4ed3b
+SHA1 (patch-bit.c) = 2dedd19cd385a0ae578fa3d72399dbb6c9ebf453
+SHA1 (patch-frame.c) = 87c97a6ce7688e7a3a227876f8bcf81e2c8425f8
+SHA1 (patch-layer12.c) = 7fbfd6939715adac7269c6d083ea5f0202abbfba
+SHA1 (patch-layer3.c) = cbf34e24ba21ef7d0f1e469c9569313d6b266658
diff -r 3e771be73406 -r dcf07c9edcc2 audio/libmad/patches/patch-bit.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-bit.c Wed Jul 10 20:01:57 2019 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-bit.c,v 1.1 2019/07/10 20:01:57 nia Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- bit.c.orig 2004-01-23 09:41:32.000000000 +0000
++++ bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
diff -r 3e771be73406 -r dcf07c9edcc2 audio/libmad/patches/patch-frame.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-frame.c Wed Jul 10 20:01:57 2019 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-frame.c,v 1.1 2019/07/10 20:01:57 nia Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- frame.c.orig 2004-02-04 22:59:19.000000000 +0000
++++ frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
diff -r 3e771be73406 -r dcf07c9edcc2 audio/libmad/patches/patch-layer12.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-layer12.c Wed Jul 10 20:01:57 2019 +0000
@@ -0,0 +1,262 @@
+$NetBSD: patch-layer12.c,v 1.1 2019/07/10 20:01:57 nia Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer12.c.orig 2004-02-05 09:02:39.000000000 +0000
++++ layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+ /* check CRC word */
+
+ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ?
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
Home |
Main Index |
Thread Index |
Old Index