pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2019Q2] pkgsrc/audio/libmad
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Jul 13 11:09:46 UTC 2019
Modified Files:
pkgsrc/audio/libmad [pkgsrc-2019Q2]: Makefile distinfo
Added Files:
pkgsrc/audio/libmad/patches [pkgsrc-2019Q2]: patch-bit.c patch-frame.c
patch-layer12.c patch-layer3.c
Log Message:
Pullup ticket #5995 - requested by nia
audio/libmad: security fix
Revisions pulled up:
- audio/libmad/Makefile 1.22
- audio/libmad/distinfo 1.5
- audio/libmad/patches/patch-bit.c 1.1
- audio/libmad/patches/patch-frame.c 1.1
- audio/libmad/patches/patch-layer12.c 1.1
- audio/libmad/patches/patch-layer3.c 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jul 10 20:01:57 UTC 2019
Modified Files:
pkgsrc/audio/libmad: Makefile distinfo
Added Files:
pkgsrc/audio/libmad/patches: patch-bit.c patch-frame.c patch-layer12.c
patch-layer3.c
Log Message:
libmad: Add patches for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
>From Kurt Roeckx / Debian.
Tested with cmus and moc.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.18.1 pkgsrc/audio/libmad/Makefile
cvs rdiff -u -r1.4 -r1.4.32.1 pkgsrc/audio/libmad/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-bit.c \
pkgsrc/audio/libmad/patches/patch-frame.c \
pkgsrc/audio/libmad/patches/patch-layer12.c \
pkgsrc/audio/libmad/patches/patch-layer3.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/audio/libmad/Makefile
diff -u pkgsrc/audio/libmad/Makefile:1.21 pkgsrc/audio/libmad/Makefile:1.21.18.1
--- pkgsrc/audio/libmad/Makefile:1.21 Wed Aug 16 20:21:03 2017
+++ pkgsrc/audio/libmad/Makefile Sat Jul 13 11:09:45 2019
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2017/08/16 20:21:03 wiz Exp $
+# $NetBSD: Makefile,v 1.21.18.1 2019/07/13 11:09:45 bsiegert Exp $
#
DISTNAME= libmad-0.15.1b
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mad/}
Index: pkgsrc/audio/libmad/distinfo
diff -u pkgsrc/audio/libmad/distinfo:1.4 pkgsrc/audio/libmad/distinfo:1.4.32.1
--- pkgsrc/audio/libmad/distinfo:1.4 Tue Nov 3 01:12:37 2015
+++ pkgsrc/audio/libmad/distinfo Sat Jul 13 11:09:45 2019
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.4 2015/11/03 01:12:37 agc Exp $
+$NetBSD: distinfo,v 1.4.32.1 2019/07/13 11:09:45 bsiegert Exp $
SHA1 (libmad-0.15.1b.tar.gz) = cac19cd00e1a907f3150cc040ccc077783496d76
RMD160 (libmad-0.15.1b.tar.gz) = 0f3415ee10b188681e282ca69dec74c46ca73b0f
SHA512 (libmad-0.15.1b.tar.gz) = 2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5ce8af7aefa6a75a3f545d3adfa255e3fa0a2d50971f76bc0c4fc0400cc45
Size (libmad-0.15.1b.tar.gz) = 502379 bytes
SHA1 (patch-aa) = 82271980d28d151b6b85987e075ad15dace4ed3b
+SHA1 (patch-bit.c) = 2dedd19cd385a0ae578fa3d72399dbb6c9ebf453
+SHA1 (patch-frame.c) = 87c97a6ce7688e7a3a227876f8bcf81e2c8425f8
+SHA1 (patch-layer12.c) = 7fbfd6939715adac7269c6d083ea5f0202abbfba
+SHA1 (patch-layer3.c) = cbf34e24ba21ef7d0f1e469c9569313d6b266658
Added files:
Index: pkgsrc/audio/libmad/patches/patch-bit.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-bit.c:1.1.2.2
--- /dev/null Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-bit.c Sat Jul 13 11:09:45 2019
@@ -0,0 +1,18 @@
+$NetBSD: patch-bit.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- bit.c.orig 2004-01-23 09:41:32.000000000 +0000
++++ bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
Index: pkgsrc/audio/libmad/patches/patch-frame.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-frame.c:1.1.2.2
--- /dev/null Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-frame.c Sat Jul 13 11:09:45 2019
@@ -0,0 +1,69 @@
+$NetBSD: patch-frame.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- frame.c.orig 2004-02-04 22:59:19.000000000 +0000
++++ frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
Index: pkgsrc/audio/libmad/patches/patch-layer12.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-layer12.c:1.1.2.2
--- /dev/null Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-layer12.c Sat Jul 13 11:09:45 2019
@@ -0,0 +1,262 @@
+$NetBSD: patch-layer12.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer12.c.orig 2004-02-05 09:02:39.000000000 +0000
++++ layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+ /* check CRC word */
+
+ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ?
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+- if (allocation[ch][sb])
++ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ }
+ }
+ }
+
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+
+ switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+ break;
+
+ case 0:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ /* fall through */
+
+ case 1:
+ case 3:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ }
+
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[ch][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (s = 0; s < 3; ++s) {
+ frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[0][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ for (s = 0; s < 3; ++s) {
Index: pkgsrc/audio/libmad/patches/patch-layer3.c
diff -u /dev/null pkgsrc/audio/libmad/patches/patch-layer3.c:1.1.2.2
--- /dev/null Sat Jul 13 11:09:46 2019
+++ pkgsrc/audio/libmad/patches/patch-layer3.c Sat Jul 13 11:09:45 2019
@@ -0,0 +1,34 @@
+$NetBSD: patch-layer3.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
+
+Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
+
+From Kurt Roeckx / Debian.
+
+--- layer3.c.orig 2019-07-10 19:49:26.252016169 +0000
++++ layer3.c
+@@ -2688,6 +2688,11 @@ int mad_layer_III(struct mad_stream *str
+ next_md_begin = 0;
+
+ md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ frame_used = 0;
+
+@@ -2705,8 +2710,11 @@ int mad_layer_III(struct mad_stream *str
+ }
+ }
+ else {
+- mad_bit_init(&ptr,
+- *stream->main_data + stream->md_len - si.main_data_begin);
++ memmove(stream->main_data,
++ *stream->main_data + stream->md_len - si.main_data_begin,
++ si.main_data_begin);
++ stream->md_len = si.main_data_begin;
++ mad_bit_init(&ptr, *stream->main_data);
+
+ if (md_len > si.main_data_begin) {
+ assert(stream->md_len + md_len -
Home |
Main Index |
Thread Index |
Old Index