pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2019Q2]: pkgsrc/audio/libmad Pullup ticket #5995 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/09224d952381
branches:  pkgsrc-2019Q2
changeset: 408155:09224d952381
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Jul 13 11:09:45 2019 +0000

description:
Pullup ticket #5995 - requested by nia
audio/libmad: security fix

Revisions pulled up:
- audio/libmad/Makefile                                         1.22
- audio/libmad/distinfo                                         1.5
- audio/libmad/patches/patch-bit.c                              1.1
- audio/libmad/patches/patch-frame.c                            1.1
- audio/libmad/patches/patch-layer12.c                          1.1
- audio/libmad/patches/patch-layer3.c                           1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Wed Jul 10 20:01:57 UTC 2019

   Modified Files:
        pkgsrc/audio/libmad: Makefile distinfo
   Added Files:
        pkgsrc/audio/libmad/patches: patch-bit.c patch-frame.c patch-layer12.c
            patch-layer3.c

   Log Message:
   libmad: Add patches for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.

   From Kurt Roeckx / Debian.

   Tested with cmus and moc.

diffstat:

 audio/libmad/Makefile                |    4 +-
 audio/libmad/distinfo                |    6 +-
 audio/libmad/patches/patch-bit.c     |   18 ++
 audio/libmad/patches/patch-frame.c   |   69 +++++++++
 audio/libmad/patches/patch-layer12.c |  262 +++++++++++++++++++++++++++++++++++
 audio/libmad/patches/patch-layer3.c  |   34 ++++
 6 files changed, 390 insertions(+), 3 deletions(-)

diffs (truncated from 429 to 300 lines):

diff -r a0ed3b395fdc -r 09224d952381 audio/libmad/Makefile
--- a/audio/libmad/Makefile     Sat Jul 13 10:00:44 2019 +0000
+++ b/audio/libmad/Makefile     Sat Jul 13 11:09:45 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2017/08/16 20:21:03 wiz Exp $
+# $NetBSD: Makefile,v 1.21.18.1 2019/07/13 11:09:45 bsiegert Exp $
 #
 
 DISTNAME=      libmad-0.15.1b
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=mad/}
 
diff -r a0ed3b395fdc -r 09224d952381 audio/libmad/distinfo
--- a/audio/libmad/distinfo     Sat Jul 13 10:00:44 2019 +0000
+++ b/audio/libmad/distinfo     Sat Jul 13 11:09:45 2019 +0000
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.4 2015/11/03 01:12:37 agc Exp $
+$NetBSD: distinfo,v 1.4.32.1 2019/07/13 11:09:45 bsiegert Exp $
 
 SHA1 (libmad-0.15.1b.tar.gz) = cac19cd00e1a907f3150cc040ccc077783496d76
 RMD160 (libmad-0.15.1b.tar.gz) = 0f3415ee10b188681e282ca69dec74c46ca73b0f
 SHA512 (libmad-0.15.1b.tar.gz) = 2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5ce8af7aefa6a75a3f545d3adfa255e3fa0a2d50971f76bc0c4fc0400cc45
 Size (libmad-0.15.1b.tar.gz) = 502379 bytes
 SHA1 (patch-aa) = 82271980d28d151b6b85987e075ad15dace4ed3b
+SHA1 (patch-bit.c) = 2dedd19cd385a0ae578fa3d72399dbb6c9ebf453
+SHA1 (patch-frame.c) = 87c97a6ce7688e7a3a227876f8bcf81e2c8425f8
+SHA1 (patch-layer12.c) = 7fbfd6939715adac7269c6d083ea5f0202abbfba
+SHA1 (patch-layer3.c) = cbf34e24ba21ef7d0f1e469c9569313d6b266658
diff -r a0ed3b395fdc -r 09224d952381 audio/libmad/patches/patch-bit.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-bit.c  Sat Jul 13 11:09:45 2019 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-bit.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- bit.c.orig 2004-01-23 09:41:32.000000000 +0000
++++ bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+   register unsigned long value;
+ 
++  if (len == 0)
++    return 0;
++
+   if (bitptr->left == CHAR_BIT)
+     bitptr->cache = *bitptr->byte;
+ 
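Review bot: The new `if (len == 0) return 0;` in mad_bit_read carries no comment, and without one it reads like an optimisation that a later cleanup could drop. Judging from the lines that follow it, its job is to keep a zero-length read from executing `bitptr->cache = *bitptr->byte` when the bit pointer may already sit at the end of the buffer; a comment such as `/* zero-length read must not dereference bitptr->byte (may be at end of buffer) */` would record that. The guard does nothing for a non-zero `len`, so callers stay responsible for checking the remaining bits first, as the companion patches do with mad_bit_length. mad_bit_read's body continues outside the hunk.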
diff -r a0ed3b395fdc -r 09224d952381 audio/libmad/patches/patch-frame.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-frame.c        Sat Jul 13 11:09:45 2019 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-frame.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- frame.c.orig       2004-02-04 22:59:19.000000000 +0000
++++ frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+   unsigned int index;
++  struct mad_bitptr bufend_ptr;
+ 
+   header->flags        = 0;
+   header->private_bits = 0;
+ 
++  mad_bit_init(&bufend_ptr, stream->bufend);
++
+   /* header() */
++  if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++    stream->error = MAD_ERROR_BUFLEN;
++    return -1;
++  }
+ 
+   /* syncword */
+   mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+   /* error_check() */
+ 
+   /* crc_check */
+-  if (header->flags & MAD_FLAG_PROTECTION)
++  if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++      stream->error = MAD_ERROR_BUFLEN;
++      return -1;
++    }
+     header->crc_target = mad_bit_read(&stream->ptr, 16);
++  }
+ 
+   return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header 
+       stream->error = MAD_ERROR_BUFLEN;
+       goto fail;
+     }
+-    else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       /* mark point where frame sync word was expected */
+       stream->this_frame = ptr;
+       stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header 
+     ptr = mad_bit_nextbyte(&stream->ptr);
+   }
+ 
++  stream->error = MAD_ERROR_NONE;
++
+   /* begin processing */
+   stream->this_frame = ptr;
+   stream->next_frame = ptr + 1;  /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header 
+     /* check that a valid frame header follows this frame */
+ 
+     ptr = stream->next_frame;
+-    if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       ptr = stream->next_frame = stream->this_frame + 1;
+       goto sync;
+     }
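Review bot: In both sync-word tests in mad_header_decode (`else if ((end - ptr >= 2) && !(ptr[0] == 0xff && ...` and the later `if ((end - ptr >= 2) && ...` after `ptr = stream->next_frame`), the added length guard short-circuits the whole condition, so with fewer than two bytes left the code carries on as though a valid sync word had been seen rather than reporting an error. If earlier checks outside these hunks do not already guarantee two readable bytes at `ptr`, the short-buffer case should fail closed, for example `if (end - ptr < 2) { stream->error = MAD_ERROR_BUFLEN; goto fail; }` ahead of the sync test. The function body extends beyond the hunks, so that guarantee cannot be confirmed from here. If it does exist, a one-line comment stating it next to each guard would make the fail-open shape obviously harmless.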
diff -r a0ed3b395fdc -r 09224d952381 audio/libmad/patches/patch-layer12.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libmad/patches/patch-layer12.c      Sat Jul 13 11:09:45 2019 +0000
@@ -0,0 +1,262 @@
+$NetBSD: patch-layer12.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer12.c.orig     2004-02-05 09:02:39.000000000 +0000
++++ layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+  * DESCRIPTION:       decode one requantized Layer I sample from a bitstream
+  */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+   mad_fixed_t sample;
++  struct mad_bitptr frameend_ptr;
+ 
++  mad_bit_init(&frameend_ptr, stream->next_frame);
++
++  if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++    stream->error = MAD_ERROR_LOSTSYNC;
++    stream->sync = 0;
++    return 0;
++  }
+   sample = mad_bit_read(ptr, nb);
+ 
+   /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+   struct mad_header *header = &frame->header;
+   unsigned int nch, bound, ch, s, sb, nb;
+   unsigned char allocation[2][32], scalefactor[2][32];
++  struct mad_bitptr bufend_ptr, frameend_ptr;
++
++  mad_bit_init(&bufend_ptr, stream->bufend);
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+   /* check CRC word */
+ 
+   if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr)
++              < 4 * (bound * nch + (32 - bound))) {
++      stream->error = MAD_ERROR_BADCRC;
++      return -1;
++    }
+     header->crc_check =
+       mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+                 header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+ 
+   for (sb = 0; sb < bound; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++      }
+       nb = mad_bit_read(&stream->ptr, 4);
+ 
+       if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+   }
+ 
+   for (sb = bound; sb < 32; ++sb) {
++    if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++    }
+     nb = mad_bit_read(&stream->ptr, 4);
+ 
+     if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+   for (sb = 0; sb < 32; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+       if (allocation[ch][sb]) {
++        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++        return -1;
++      }
+       scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+ 
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+       for (ch = 0; ch < nch; ++ch) {
+       nb = allocation[ch][sb];
+       frame->sbsample[ch][s][sb] = nb ?
+-        mad_f_mul(I_sample(&stream->ptr, nb),
++        mad_f_mul(I_sample(&stream->ptr, nb, stream),
+                   sf_table[scalefactor[ch][sb]]) : 0;
++      if (stream->error != 0)
++        return -1;
+       }
+     }
+ 
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+       if ((nb = allocation[0][sb])) {
+       mad_fixed_t sample;
+ 
+-      sample = I_sample(&stream->ptr, nb);
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++          return -1;
++      }
++      sample = I_sample(&stream->ptr, nb, stream);
++        if (stream->error != 0)
++        return -1;
+ 
+       for (ch = 0; ch < nch; ++ch) {
+         frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+               struct quantclass const *quantclass,
+-              mad_fixed_t output[3])
++              mad_fixed_t output[3], struct mad_stream *stream)
+ {
+   unsigned int nb, s, sample[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   if ((nb = quantclass->group)) {
+     unsigned int c, nlevels;
+ 
++    if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return;
++    }
+     /* degrouping */
+     c = mad_bit_read(ptr, quantclass->bits);
+     nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+   else {
+     nb = quantclass->bits;
+ 
+-    for (s = 0; s < 3; ++s)
++    for (s = 0; s < 3; ++s) {
++      if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return;
++      }
+       sample[s] = mad_bit_read(ptr, nb);
++    }
+   }
+ 
+   for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+   unsigned char const *offsets;
+   unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+   mad_fixed_t samples[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+   for (sb = 0; sb < bound; ++sb) {
+     nbal = bitalloc_table[offsets[sb]].nbal;
+ 
+-    for (ch = 0; ch < nch; ++ch)
++    for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {


