

[pkgsrc/trunk]: pkgsrc/audio/faad2 faad2: Backport some security fixes from u...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/41c385dd49ee
branches:  trunk
changeset: 336291:41c385dd49ee
user:      nia <nia%pkgsrc.org@localhost>
date:      Thu Jul 11 09:03:35 2019 +0000

description:
faad2: Backport some security fixes from upstream.

CVE-2018-20194:
https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch

CVE-2018-20362:
https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch

Misc buffer overflows:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch

diffstat:

 audio/faad2/Makefile                     |   3 +-
 audio/faad2/distinfo                     |   5 ++-
 audio/faad2/patches/patch-CVE-2018-20194 |  59 +++++++++++++++++++++++++++++
 audio/faad2/patches/patch-CVE-2018-20362 |  63 ++++++++++++++++++++++++++++++++
 audio/faad2/patches/patch-libfaad_bits.c |  21 ++++++++++
 5 files changed, 149 insertions(+), 2 deletions(-)

diffs (191 lines):

diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/Makefile
--- a/audio/faad2/Makefile      Thu Jul 11 04:51:14 2019 +0000
+++ b/audio/faad2/Makefile      Thu Jul 11 09:03:35 2019 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.53 2019/07/11 09:03:35 nia Exp $
 # IMPORTANT: Do not forget to update audio/xmms-faad
 
 DISTNAME=      faad2-2.8.8
+PKGREVISION=   1
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=faac/}
 
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/distinfo
--- a/audio/faad2/distinfo      Thu Jul 11 04:51:14 2019 +0000
+++ b/audio/faad2/distinfo      Thu Jul 11 09:03:35 2019 +0000
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.27 2019/07/11 09:03:35 nia Exp $
 
 SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
 RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
 SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
 Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
 SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
 SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
 SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
 SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
 SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
 SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
 SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
 SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
 SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-CVE-2018-20194
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-CVE-2018-20194  Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig   2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ 
++            if (ml1 > MAX_M)
++                ml1 = MAX_M;
++
++            if (ml2 > MAX_M)
++                ml2 = MAX_M;
++
+ 
+             /* calculate the accumulated E_orig and E_curr over the limiter band */
+             for (m = ml1; m < ml2; m++)
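Review bot: The clamp to MAX_M is added three times in calculate_gain with no in-code comment saying where ml1/ml2 come from or why MAX_M is the bound, so a reader of sbr_hfadj.c alone cannot tell that these are bitstream-controlled band borders; the explanation lives only in the patch header. Above the first clamp add `/* f_table_lim is read from the bitstream; ISO/IEC 14496-3 bounds band borders by MAX_M, clamp so ml1/ml2 stay valid indices into Q_M_lim/G_lim */`, and consider a small static helper so the three copies cannot drift apart. Clamping silently accepts a stream the spec forbids rather than reporting it; that matches the upstream fix, but a debug-level diagnostic at the clamp would make malformed input visible when investigating a crash report. calculate_gain starts and ends outside these hunks.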
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-CVE-2018-20362
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-CVE-2018-20362  Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,63 @@
+$NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+Implicit channel mapping reconfiguration is explicitely forbidden by
+ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
+files and reject them. FAAD2 does not perform any kind of checks
+regarding this.
+
+This leads to security vulnerabilities when processing crafted AAC
+files performing such reconfigurations.
+
+Add checks to decode_sce_lfe and decode_cpe to make sure such
+inconsistencies are detected as early as possible.
+
+These checks first read hDecoder->frame: if this is not the first
+frame then we make sure that the syntax element at the same position
+in the previous frame also had element_id id_syn_ele. If not, return
+21 as this is a fatal file structure issue.
+
+This patch addresses CVE-2018-20362 and possibly other related issues.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
+
+Buffer overflow fix, no CVE, upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/syntax.c.orig      2017-10-30 17:44:16.000000000 +0000
++++ libfaad/syntax.c
+@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
+        can become 2 when some form of Parametric Stereo coding is used
+     */
+ 
++    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++        /* element inconsistency */
++        hInfo->error = 21;
++        return;
++    }
++
+     /* save the syntax element id */
+     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+ 
+@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
+         return;
+     }
+ 
++    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++        /* element inconsistency */
++        hInfo->error = 21;
++        return;
++    }
++
+     /* save the syntax element id */
+     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+ 
+@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
+     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+     {
++        if (i >= MAX_CHANNELS - num_excl_chan - 7)
++            return n;
+         for (i = num_excl_chan; i < num_excl_chan+7; i++)
+         {
+             drc->exclude_mask[i] = faad_get1bit(ld
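Review bot: The new guard in excluded_channels, `if (i >= MAX_CHANNELS - num_excl_chan - 7)`, reads `i` with whatever value a loop before the `while` left in it (that loop is outside the hunk), so the bound it enforces is not evident from the line and depends on that earlier loop keeping `i` in step with `num_excl_chan`. If the intent is only to keep the following `for` from writing exclude_mask past MAX_CHANNELS, stating it directly as `if (num_excl_chan + 7 > MAX_CHANNELS) return n;` says so; whether that can replace the current condition depends on the sizes of exclude_mask and additional_excluded_chns, which the hunk does not show, so confirm before changing it. The checks added to decode_sce_lfe and decode_cpe are identical; a shared static helper, or at least a comment at each site that error 21 means the element at this position changed type since the previous frame, would keep the two from drifting. The enclosing functions start and end outside the hunks.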
diff -r 896bc88d90b7 -r 41c385dd49ee audio/faad2/patches/patch-libfaad_bits.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/faad2/patches/patch-libfaad_bits.c  Thu Jul 11 09:03:35 2019 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-libfaad_bits.c,v 1.1 2019/07/11 09:03:35 nia Exp $
+
+Fix a potential buffer overflow.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/bits.c.orig        2017-07-06 19:16:40.000000000 +0000
++++ libfaad/bits.c
+@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
+     int words = bits >> 5;
+     int remainder = bits & 0x1F;
+ 
+-    ld->bytes_left = ld->buffer_size - words*4;
++    if (ld->buffer_size < words * 4)
++        ld->bytes_left = 0;
++    else
++        ld->bytes_left = ld->buffer_size - words*4;
+ 
+     if (ld->bytes_left >= 4)
+     {
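Review bot: The new guard in faad_resetbits compares `ld->buffer_size` with `words * 4`, where `words` is derived from the int parameter, so a negative `bits` value lands in the `bytes_left = 0` branch only through the usual arithmetic conversions (if buffer_size is unsigned, as it appears to be, a negative int compares as a large value); that is correct but not obvious, and deserves a comment such as `/* bit position beyond the buffer (or negative): mark it exhausted instead of letting bytes_left underflow */`. The `remainder` computed at the top of the function is still applied by the code after the hunk, so it is worth confirming that a position past the end does not leave a non-zero remainder feeding later reads. faad_resetbits continues past the hunk.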


