pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/audio/faad2 faad2: Backport some security fixes from u...
details: https://anonhg.NetBSD.org/pkgsrc/rev/41c385dd49ee
branches: trunk
changeset: 336291:41c385dd49ee
user: nia <nia%pkgsrc.org@localhost>
date: Thu Jul 11 09:03:35 2019 +0000
description:
faad2: Backport some security fixes from upstream.
CVE-2018-20194:
https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
CVE-2018-20362:
https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
Misc buffer overflows:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
diffstat:
audio/faad2/Makefile | 3 +-
audio/faad2/distinfo | 5 ++-
audio/faad2/patches/patch-CVE-2018-20194 | 59 +++++++++++++++++++++++++++++
audio/faad2/patches/patch-CVE-2018-20362 | 63 ++++++++++++++++++++++++++++++++
audio/faad2/patches/patch-libfaad_bits.c | 21 ++++++++++
5 files changed, 149 insertions(+), 2 deletions(-)
diffs (191 lines):
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/Makefile
--- a/audio/faad2/Makefile Thu Jul 11 04:51:14 2019 +0000
+++ b/audio/faad2/Makefile Thu Jul 11 09:03:35 2019 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.53 2019/07/11 09:03:35 nia Exp $
# IMPORTANT: Do not forget to update audio/xmms-faad
DISTNAME= faad2-2.8.8
+PKGREVISION= 1
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=faac/}
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/distinfo
--- a/audio/faad2/distinfo Thu Jul 11 04:51:14 2019 +0000
+++ b/audio/faad2/distinfo Thu Jul 11 09:03:35 2019 +0000
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.27 2019/07/11 09:03:35 nia Exp $
SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-CVE-2018-20194
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-CVE-2018-20194 Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-CVE-2018-20362
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-CVE-2018-20362 Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,63 @@
+$NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+Implicit channel mapping reconfiguration is explicitely forbidden by
+ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
+files and reject them. FAAD2 does not perform any kind of checks
+regarding this.
+
+This leads to security vulnerabilities when processing crafted AAC
+files performing such reconfigurations.
+
+Add checks to decode_sce_lfe and decode_cpe to make sure such
+inconsistencies are detected as early as possible.
+
+These checks first read hDecoder->frame: if this is not the first
+frame then we make sure that the syntax element at the same position
+in the previous frame also had element_id id_syn_ele. If not, return
+21 as this is a fatal file structure issue.
+
+This patch addresses CVE-2018-20362 and possibly other related issues.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
+
+Buffer overflow fix, no CVE, upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000
++++ libfaad/syntax.c
+@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
+ can become 2 when some form of Parametric Stereo coding is used
+ */
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
+ return;
+ }
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
+ while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+ DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+ {
++ if (i >= MAX_CHANNELS - num_excl_chan - 7)
++ return n;
+ for (i = num_excl_chan; i < num_excl_chan+7; i++)
+ {
+ drc->exclude_mask[i] = faad_get1bit(ld
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-libfaad_bits.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-libfaad_bits.c Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-libfaad_bits.c,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+Fix a potential buffer overflow.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/bits.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/bits.c
+@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
+ int words = bits >> 5;
+ int remainder = bits & 0x1F;
+
+- ld->bytes_left = ld->buffer_size - words*4;
++ if (ld->buffer_size < words * 4)
++ ld->bytes_left = 0;
++ else
++ ld->bytes_left = ld->buffer_size - words*4;
+
+ if (ld->bytes_left >= 4)
+ {
Home |
Main Index |
Thread Index |
Old Index