pkgsrc-Changes archive


CVS commit: [pkgsrc-2019Q2] pkgsrc/audio/faad2



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Jul 13 11:12:03 UTC 2019

Modified Files:
        pkgsrc/audio/faad2 [pkgsrc-2019Q2]: Makefile distinfo
Added Files:
        pkgsrc/audio/faad2/patches [pkgsrc-2019Q2]: patch-CVE-2018-20194
            patch-CVE-2018-20362 patch-libfaad_bits.c

Log Message:
Pullup ticket #5996 - requested by nia
audio/faad2: security fix

Revisions pulled up:
- audio/faad2/Makefile                                          1.53
- audio/faad2/distinfo                                          1.27
- audio/faad2/patches/patch-CVE-2018-20194                      1.1
- audio/faad2/patches/patch-CVE-2018-20362                      1.1
- audio/faad2/patches/patch-libfaad_bits.c                      1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Thu Jul 11 09:03:35 UTC 2019

   Modified Files:
        pkgsrc/audio/faad2: Makefile distinfo
   Added Files:
        pkgsrc/audio/faad2/patches: patch-CVE-2018-20194 patch-CVE-2018-20362
            patch-libfaad_bits.c

   Log Message:
   faad2: Backport some security fixes from upstream.

   CVE-2018-20194:
   https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch

   CVE-2018-20362:
   https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch

   Misc buffer overflows:
   https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.52.2.1 pkgsrc/audio/faad2/Makefile
cvs rdiff -u -r1.26 -r1.26.2.1 pkgsrc/audio/faad2/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/audio/faad2/patches/patch-CVE-2018-20194 \
    pkgsrc/audio/faad2/patches/patch-CVE-2018-20362 \
    pkgsrc/audio/faad2/patches/patch-libfaad_bits.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/audio/faad2/Makefile
diff -u pkgsrc/audio/faad2/Makefile:1.52 pkgsrc/audio/faad2/Makefile:1.52.2.1
--- pkgsrc/audio/faad2/Makefile:1.52    Mon Jun 17 10:48:32 2019
+++ pkgsrc/audio/faad2/Makefile Sat Jul 13 11:12:03 2019
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.52.2.1 2019/07/13 11:12:03 bsiegert Exp $
 # IMPORTANT: Do not forget to update audio/xmms-faad
 
 DISTNAME=      faad2-2.8.8
+PKGREVISION=   1
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=faac/}
 

Index: pkgsrc/audio/faad2/distinfo
diff -u pkgsrc/audio/faad2/distinfo:1.26 pkgsrc/audio/faad2/distinfo:1.26.2.1
--- pkgsrc/audio/faad2/distinfo:1.26    Wed Jun  5 06:07:27 2019
+++ pkgsrc/audio/faad2/distinfo Sat Jul 13 11:12:03 2019
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.26.2.1 2019/07/13 11:12:03 bsiegert Exp $
 
 SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
 RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
 SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
 Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
 SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
 SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
 SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
 SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
 SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
 SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
 SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
 SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
 SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf

Added files:

Index: pkgsrc/audio/faad2/patches/patch-CVE-2018-20194
diff -u /dev/null pkgsrc/audio/faad2/patches/patch-CVE-2018-20194:1.1.2.2
--- /dev/null   Sat Jul 13 11:12:03 2019
+++ pkgsrc/audio/faad2/patches/patch-CVE-2018-20194     Sat Jul 13 11:12:03 2019
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig   2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
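Review bot: The clamp of `ml1`/`ml2` to `MAX_M` is pasted into three separate `calculate_gain` bodies at the point of use, so the three copies can drift apart and any other reader of `sbr->f_table_lim` is not covered by it. Bounding the entries once, where the limiter table is built, would protect every consumer; that code is outside this patch, so treat this as something to check rather than a confirmed gap. If the clamp stays at the use site, each copy deserves a comment such as `/* f_table_lim is not validated earlier: keep m < MAX_M so Q_M_lim/G_lim indexing stays in bounds */`. The hunks also show no error or diagnostic when a value is clamped, so a stream that violates the limit is decoded silently.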
Index: pkgsrc/audio/faad2/patches/patch-CVE-2018-20362
diff -u /dev/null pkgsrc/audio/faad2/patches/patch-CVE-2018-20362:1.1.2.2
--- /dev/null   Sat Jul 13 11:12:03 2019
+++ pkgsrc/audio/faad2/patches/patch-CVE-2018-20362     Sat Jul 13 11:12:03 2019
@@ -0,0 +1,63 @@
+$NetBSD: patch-CVE-2018-20362,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Implicit channel mapping reconfiguration is explicitely forbidden by
+ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
+files and reject them. FAAD2 does not perform any kind of checks
+regarding this.
+
+This leads to security vulnerabilities when processing crafted AAC
+files performing such reconfigurations.
+
+Add checks to decode_sce_lfe and decode_cpe to make sure such
+inconsistencies are detected as early as possible.
+
+These checks first read hDecoder->frame: if this is not the first
+frame then we make sure that the syntax element at the same position
+in the previous frame also had element_id id_syn_ele. If not, return
+21 as this is a fatal file structure issue.
+
+This patch addresses CVE-2018-20362 and possibly other related issues.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
+
+Buffer overflow fix, no CVE, upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/syntax.c.orig      2017-10-30 17:44:16.000000000 +0000
++++ libfaad/syntax.c
+@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
+        can become 2 when some form of Parametric Stereo coding is used
+     */
+ 
++    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++        /* element inconsistency */
++        hInfo->error = 21;
++        return;
++    }
++
+     /* save the syntax element id */
+     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+ 
+@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
+         return;
+     }
+ 
++    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++        /* element inconsistency */
++        hInfo->error = 21;
++        return;
++    }
++
+     /* save the syntax element id */
+     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+ 
+@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
+     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+     {
++        if (i >= MAX_CHANNELS - num_excl_chan - 7)
++            return n;
+         for (i = num_excl_chan; i < num_excl_chan+7; i++)
+         {
+             drc->exclude_mask[i] = faad_get1bit(ld
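Review bot: In the `excluded_channels` hunk the new guard `if (i >= MAX_CHANNELS - num_excl_chan - 7)` tests `i` before the `for` on the following line assigns it, so the bound depends on whatever value `i` still holds from code outside the hunk. A guard on the variable that actually drives the write range is easier to verify, for example `if (num_excl_chan + 7 > MAX_CHANNELS) return n;`, assuming `exclude_mask` has `MAX_CHANNELS` entries (its declaration is not visible here). The store to `drc->additional_excluded_chns[n-1]` in the `while` condition runs before the guard, so the bound on `n` should be confirmed separately. The function body starts and ends outside the hunk.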
Index: pkgsrc/audio/faad2/patches/patch-libfaad_bits.c
diff -u /dev/null pkgsrc/audio/faad2/patches/patch-libfaad_bits.c:1.1.2.2
--- /dev/null   Sat Jul 13 11:12:03 2019
+++ pkgsrc/audio/faad2/patches/patch-libfaad_bits.c     Sat Jul 13 11:12:03 2019
@@ -0,0 +1,21 @@
+$NetBSD: patch-libfaad_bits.c,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Fix a potential buffer overflow.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/bits.c.orig        2017-07-06 19:16:40.000000000 +0000
++++ libfaad/bits.c
+@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
+     int words = bits >> 5;
+     int remainder = bits & 0x1F;
+ 
+-    ld->bytes_left = ld->buffer_size - words*4;
++    if (ld->buffer_size < words * 4)
++        ld->bytes_left = 0;
++    else
++        ld->bytes_left = ld->buffer_size - words*4;
+ 
+     if (ld->bytes_left >= 4)
+     {
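Review bot: The new branch only zeroes `ld->bytes_left` when `words * 4` exceeds `ld->buffer_size`; `words` itself is left unchanged, and `faad_resetbits` continues past the end of this hunk, so any later use of `words` as an offset into the buffer still needs to be checked. `bits` is a signed `int` and a negative value is not rejected before `bits >> 5`; whether the comparison copes with that depends on the type of `buffer_size`, which is not visible here. A short comment above the check, e.g. `/* bits may point past the buffer: report nothing left instead of a bogus remaining size */`, would record why the branch exists.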


