pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2019Q2] pkgsrc/audio/libmad



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Jul 13 11:09:46 UTC 2019

Modified Files:
        pkgsrc/audio/libmad [pkgsrc-2019Q2]: Makefile distinfo
Added Files:
        pkgsrc/audio/libmad/patches [pkgsrc-2019Q2]: patch-bit.c patch-frame.c
            patch-layer12.c patch-layer3.c

Log Message:
Pullup ticket #5995 - requested by nia
audio/libmad: security fix

Revisions pulled up:
- audio/libmad/Makefile                                         1.22
- audio/libmad/distinfo                                         1.5
- audio/libmad/patches/patch-bit.c                              1.1
- audio/libmad/patches/patch-frame.c                            1.1
- audio/libmad/patches/patch-layer12.c                          1.1
- audio/libmad/patches/patch-layer3.c                           1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Wed Jul 10 20:01:57 UTC 2019

   Modified Files:
        pkgsrc/audio/libmad: Makefile distinfo
   Added Files:
        pkgsrc/audio/libmad/patches: patch-bit.c patch-frame.c patch-layer12.c
            patch-layer3.c

   Log Message:
   libmad: Add patches for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.

   >From Kurt Roeckx / Debian.

   Tested with cmus and moc.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.18.1 pkgsrc/audio/libmad/Makefile
cvs rdiff -u -r1.4 -r1.4.32.1 pkgsrc/audio/libmad/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-bit.c \
    pkgsrc/audio/libmad/patches/patch-frame.c \
    pkgsrc/audio/libmad/patches/patch-layer12.c \
    pkgsrc/audio/libmad/patches/patch-layer3.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/audio/libmad/Makefile
diff -u pkgsrc/audio/libmad/Makefile:1.21 pkgsrc/audio/libmad/Makefile:1.21.18.1
--- pkgsrc/audio/libmad/Makefile:1.21   Wed Aug 16 20:21:03 2017
+++ pkgsrc/audio/libmad/Makefile        Sat Jul 13 11:09:45 2019
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2017/08/16 20:21:03 wiz Exp $
+# $NetBSD: Makefile,v 1.21.18.1 2019/07/13 11:09:45 bsiegert Exp $
 #
 
 DISTNAME=      libmad-0.15.1b
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=mad/}
 

Index: pkgsrc/audio/libmad/distinfo
diff -u pkgsrc/audio/libmad/distinfo:1.4 pkgsrc/audio/libmad/distinfo:1.4.32.1
--- pkgsrc/audio/libmad/distinfo:1.4    Tue Nov  3 01:12:37 2015
+++ pkgsrc/audio/libmad/distinfo        Sat Jul 13 11:09:45 2019
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.4 2015/11/03 01:12:37 agc Exp $
+$NetBSD: distinfo,v 1.4.32.1 2019/07/13 11:09:45 bsiegert Exp $
 
 SHA1 (libmad-0.15.1b.tar.gz) = cac19cd00e1a907f3150cc040ccc077783496d76
 RMD160 (libmad-0.15.1b.tar.gz) = 0f3415ee10b188681e282ca69dec74c46ca73b0f
 SHA512 (libmad-0.15.1b.tar.gz) = 2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5ce8af7aefa6a75a3f545d3adfa255e3fa0a2d50971f76bc0c4fc0400cc45
 Size (libmad-0.15.1b.tar.gz) = 502379 bytes
 SHA1 (patch-aa) = 82271980d28d151b6b85987e075ad15dace4ed3b
+SHA1 (patch-bit.c) = 2dedd19cd385a0ae578fa3d72399dbb6c9ebf453
+SHA1 (patch-frame.c) = 87c97a6ce7688e7a3a227876f8bcf81e2c8425f8
+SHA1 (patch-layer12.c) = 7fbfd6939715adac7269c6d083ea5f0202abbfba
+SHA1 (patch-layer3.c) = cbf34e24ba21ef7d0f1e469c9569313d6b266658

Added files:

Index: pkgsrc/audio/libmad/patches/patch-bit.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-bit.c:1.1.2.2
--- /dev/null   Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-bit.c     Sat Jul 13 11:09:45 2019
@@ -0,0 +1,18 @@
+$NetBSD: patch-bit.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- bit.c.orig 2004-01-23 09:41:32.000000000 +0000
++++ bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+   register unsigned long value;
+ 
++  if (len == 0)
++    return 0;
++
+   if (bitptr->left == CHAR_BIT)
+     bitptr->cache = *bitptr->byte;
+ 
Index: pkgsrc/audio/libmad/patches/patch-frame.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-frame.c:1.1.2.2
--- /dev/null   Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-frame.c   Sat Jul 13 11:09:45 2019
@@ -0,0 +1,69 @@
+$NetBSD: patch-frame.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- frame.c.orig       2004-02-04 22:59:19.000000000 +0000
++++ frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+   unsigned int index;
++  struct mad_bitptr bufend_ptr;
+ 
+   header->flags        = 0;
+   header->private_bits = 0;
+ 
++  mad_bit_init(&bufend_ptr, stream->bufend);
++
+   /* header() */
++  if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++    stream->error = MAD_ERROR_BUFLEN;
++    return -1;
++  }
+ 
+   /* syncword */
+   mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+   /* error_check() */
+ 
+   /* crc_check */
+-  if (header->flags & MAD_FLAG_PROTECTION)
++  if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++      stream->error = MAD_ERROR_BUFLEN;
++      return -1;
++    }
+     header->crc_target = mad_bit_read(&stream->ptr, 16);
++  }
+ 
+   return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header 
+       stream->error = MAD_ERROR_BUFLEN;
+       goto fail;
+     }
+-    else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       /* mark point where frame sync word was expected */
+       stream->this_frame = ptr;
+       stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header 
+     ptr = mad_bit_nextbyte(&stream->ptr);
+   }
+ 
++  stream->error = MAD_ERROR_NONE;
++
+   /* begin processing */
+   stream->this_frame = ptr;
+   stream->next_frame = ptr + 1;  /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header 
+     /* check that a valid frame header follows this frame */
+ 
+     ptr = stream->next_frame;
+-    if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       ptr = stream->next_frame = stream->this_frame + 1;
+       goto sync;
+     }
Index: pkgsrc/audio/libmad/patches/patch-layer12.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-layer12.c:1.1.2.2
--- /dev/null   Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-layer12.c Sat Jul 13 11:09:45 2019
@@ -0,0 +1,262 @@
+$NetBSD: patch-layer12.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer12.c.orig     2004-02-05 09:02:39.000000000 +0000
++++ layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+  * DESCRIPTION:       decode one requantized Layer I sample from a bitstream
+  */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+   mad_fixed_t sample;
++  struct mad_bitptr frameend_ptr;
+ 
++  mad_bit_init(&frameend_ptr, stream->next_frame);
++
++  if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++    stream->error = MAD_ERROR_LOSTSYNC;
++    stream->sync = 0;
++    return 0;
++  }
+   sample = mad_bit_read(ptr, nb);
+ 
+   /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+   struct mad_header *header = &frame->header;
+   unsigned int nch, bound, ch, s, sb, nb;
+   unsigned char allocation[2][32], scalefactor[2][32];
++  struct mad_bitptr bufend_ptr, frameend_ptr;
++
++  mad_bit_init(&bufend_ptr, stream->bufend);
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+   /* check CRC word */
+ 
+   if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr)
++              < 4 * (bound * nch + (32 - bound))) {
++      stream->error = MAD_ERROR_BADCRC;
++      return -1;
++    }
+     header->crc_check =
+       mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+                 header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+ 
+   for (sb = 0; sb < bound; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++      }
+       nb = mad_bit_read(&stream->ptr, 4);
+ 
+       if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+   }
+ 
+   for (sb = bound; sb < 32; ++sb) {
++    if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++    }
+     nb = mad_bit_read(&stream->ptr, 4);
+ 
+     if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+   for (sb = 0; sb < 32; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+       if (allocation[ch][sb]) {
++        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++        return -1;
++      }
+       scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+ 
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+       for (ch = 0; ch < nch; ++ch) {
+       nb = allocation[ch][sb];
+       frame->sbsample[ch][s][sb] = nb ?
+-        mad_f_mul(I_sample(&stream->ptr, nb),
++        mad_f_mul(I_sample(&stream->ptr, nb, stream),
+                   sf_table[scalefactor[ch][sb]]) : 0;
++      if (stream->error != 0)
++        return -1;
+       }
+     }
+ 
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+       if ((nb = allocation[0][sb])) {
+       mad_fixed_t sample;
+ 
+-      sample = I_sample(&stream->ptr, nb);
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++          return -1;
++      }
++      sample = I_sample(&stream->ptr, nb, stream);
++        if (stream->error != 0)
++        return -1;
+ 
+       for (ch = 0; ch < nch; ++ch) {
+         frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+               struct quantclass const *quantclass,
+-              mad_fixed_t output[3])
++              mad_fixed_t output[3], struct mad_stream *stream)
+ {
+   unsigned int nb, s, sample[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   if ((nb = quantclass->group)) {
+     unsigned int c, nlevels;
+ 
++    if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return;
++    }
+     /* degrouping */
+     c = mad_bit_read(ptr, quantclass->bits);
+     nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+   else {
+     nb = quantclass->bits;
+ 
+-    for (s = 0; s < 3; ++s)
++    for (s = 0; s < 3; ++s) {
++      if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return;
++      }
+       sample[s] = mad_bit_read(ptr, nb);
++    }
+   }
+ 
+   for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+   unsigned char const *offsets;
+   unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+   mad_fixed_t samples[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+   for (sb = 0; sb < bound; ++sb) {
+     nbal = bitalloc_table[offsets[sb]].nbal;
+ 
+-    for (ch = 0; ch < nch; ++ch)
++    for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++      }
+       allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++    }
+   }
+ 
+   for (sb = bound; sb < sblimit; ++sb) {
+     nbal = bitalloc_table[offsets[sb]].nbal;
+ 
++    if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++    }
+     allocation[0][sb] =
+     allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+   }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+ 
+   for (sb = 0; sb < sblimit; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+-      if (allocation[ch][sb])
++      if (allocation[ch][sb]) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++        return -1;
++      }
+       scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++      }
+     }
+   }
+ 
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+   for (sb = 0; sb < sblimit; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+       if (allocation[ch][sb]) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++        stream->error = MAD_ERROR_LOSTSYNC;
++        stream->sync = 0;
++        return -1;
++      }
+       scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+ 
+       switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+         break;
+ 
+       case 0:
++        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++          stream->error = MAD_ERROR_LOSTSYNC;
++          stream->sync = 0;
++          return -1;
++        }
+         scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+         /* fall through */
+ 
+       case 1:
+       case 3:
++        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++          stream->error = MAD_ERROR_LOSTSYNC;
++          stream->sync = 0;
++          return -1;
++        }
+         scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+       }
+ 
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
+       if ((index = allocation[ch][sb])) {
+         index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+ 
+-        II_samples(&stream->ptr, &qc_table[index], samples);
++        II_samples(&stream->ptr, &qc_table[index], samples, stream);
++        if (stream->error != 0)
++            return -1;
+ 
+         for (s = 0; s < 3; ++s) {
+           frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
+       if ((index = allocation[0][sb])) {
+       index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+ 
+-      II_samples(&stream->ptr, &qc_table[index], samples);
++      II_samples(&stream->ptr, &qc_table[index], samples, stream);
++      if (stream->error != 0)
++          return -1;
+ 
+       for (ch = 0; ch < nch; ++ch) {
+         for (s = 0; s < 3; ++s) {
Index: pkgsrc/audio/libmad/patches/patch-layer3.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-layer3.c:1.1.2.2
--- /dev/null   Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-layer3.c  Sat Jul 13 11:09:45 2019
@@ -0,0 +1,34 @@
+$NetBSD: patch-layer3.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer3.c.orig      2019-07-10 19:49:26.252016169 +0000
++++ layer3.c
+@@ -2688,6 +2688,11 @@ int mad_layer_III(struct mad_stream *str
+     next_md_begin = 0;
+ 
+   md_len = si.main_data_begin + frame_space - next_md_begin;
++  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++    stream->error = MAD_ERROR_LOSTSYNC;
++    stream->sync = 0;
++    return -1;
++  }
+ 
+   frame_used = 0;
+ 
+@@ -2705,8 +2710,11 @@ int mad_layer_III(struct mad_stream *str
+       }
+     }
+     else {
+-      mad_bit_init(&ptr,
+-                 *stream->main_data + stream->md_len - si.main_data_begin);
++      memmove(stream->main_data,
++      *stream->main_data + stream->md_len - si.main_data_begin,
++      si.main_data_begin);
++      stream->md_len = si.main_data_begin;
++      mad_bit_init(&ptr, *stream->main_data);
+ 
+       if (md_len > si.main_data_begin) {
+       assert(stream->md_len + md_len -



Home | Main Index | Thread Index | Old Index