Thu Jul 11 09:03:35 2019 UTC ()
faad2: Backport some security fixes from upstream.
CVE-2018-20194:
https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
CVE-2018-20362:
https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
Misc buffer overflows:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
(nia)
diff -r1.52 -r1.53 pkgsrc/audio/faad2/Makefile
diff -r1.26 -r1.27 pkgsrc/audio/faad2/distinfo
diff -r0 -r1.1 pkgsrc/audio/faad2/patches/patch-CVE-2018-20194
diff -r0 -r1.1 pkgsrc/audio/faad2/patches/patch-CVE-2018-20362
diff -r0 -r1.1 pkgsrc/audio/faad2/patches/patch-libfaad_bits.c
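--- a/pkgsrc/audio/faad2/Makefile
+++ b/pkgsrc/audio/faad2/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.53 2019/07/11 09:03:35 nia Exp $
 # IMPORTANT: Do not forget to update audio/xmms-faad
 
 DISTNAME= faad2-2.8.8
+PKGREVISION= 1
 CATEGORIES= audio
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=faac/}
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= https://www.audiocoding.com/
 COMMENT= AAC decoding library
 LICENSE= gnu-gpl-v2
 
 USE_LANGUAGES= c c++
 USE_LIBTOOL= yes
 USE_TOOLS+= autoconf automake autoreconf gmake
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --includedir=${PREFIX}/include/faad2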
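--- a/pkgsrc/audio/faad2/distinfo
+++ b/pkgsrc/audio/faad2/distinfo
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.27 2019/07/11 09:03:35 nia Exp $
 
 SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
 RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
 SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
 Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
 SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
 SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
 SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
 SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
 SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
 SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
 SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
 SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
 SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf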
$NetBSD: patch-CVE-2018-20194,v 1.1 2019/07/11 09:03:35 nia Exp $
user passed f_table_lim contains frequency band borders. Frequency
bands are groups of consecutive QMF channels. This means that their
bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
number of QMF channels). c.f. ISO/IEC 14496-3:2001
FAAD2 does not verify this, leading to security issues when
processing files defining f_table_lim with values > MAX_M.
This patch sanitizes the values of f_table_lim so that they can be safely
used as index for Q_M_lim and G_lim arrays.
Fixes CVE-2018-20194.
Upstream commit:
https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
--- libfaad/sbr_hfadj.c.orig 2017-07-06 19:16:40.000000000 +0000
+++ libfaad/sbr_hfadj.c
@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
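Review bot: The clamp of `ml1`/`ml2` to `MAX_M` is pasted identically into all three `calculate_gain` hunks (new lines 485, 955 and 1205) with no comment in the code saying why, and it lets decoding continue silently on a stream the patch description calls out of spec. A one-line comment above each clamp would carry the rationale into the source, for example `/* f_table_lim comes from the bitstream; keep band borders <= MAX_M so m stays a valid Q_M_lim/G_lim index */`. Because the same six lines appear three times, a small `static` helper would keep the variants from drifting apart. Bounding the values once where `f_table_lim` is filled in would do the same, but that code is outside these hunks, so this is something to check and not a confirmed gap. `calculate_gain` starts and ends outside every hunk shown.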
$NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $
Implicit channel mapping reconfiguration is explicitely forbidden by
ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
files and reject them. FAAD2 does not perform any kind of checks
regarding this.
This leads to security vulnerabilities when processing crafted AAC
files performing such reconfigurations.
Add checks to decode_sce_lfe and decode_cpe to make sure such
inconsistencies are detected as early as possible.
These checks first read hDecoder->frame: if this is not the first
frame then we make sure that the syntax element at the same position
in the previous frame also had element_id id_syn_ele. If not, return
21 as this is a fatal file structure issue.
This patch addresses CVE-2018-20362 and possibly other related issues.
Upstream commit:
https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
Buffer overflow fix, no CVE, upstream commit:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
--- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000
+++ libfaad/syntax.c
@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
can become 2 when some form of Parametric Stereo coding is used
*/
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
/* save the syntax element id */
hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
return;
}
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
/* save the syntax element id */
hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
{
+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
+ return n;
for (i = num_excl_chan; i < num_excl_chan+7; i++)
{
drc->exclude_mask[i] = faad_get1bit(ld
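Review bot: The new guard in `excluded_channels` tests `i`, which within this hunk is only assigned by the `for` loop below the guard, so on entry to the `while` body it holds whatever earlier code left in it. The value that actually fixes the write range `exclude_mask[num_excl_chan .. num_excl_chan+6]` is `num_excl_chan`, and the bound is easier to audit when stated on it directly. Assuming `exclude_mask` holds `MAX_CHANNELS` entries (its declaration is not visible here), that would read `if (num_excl_chan + 7 > MAX_CHANNELS) return n;`. The function body begins and continues outside the hunk, so the earlier assignment to `i` and the update of `num_excl_chan` cannot be confirmed from this page.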
$NetBSD: patch-libfaad_bits.c,v 1.1 2019/07/11 09:03:35 nia Exp $
Fix a potential buffer overflow.
Upstream commit:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
--- libfaad/bits.c.orig 2017-07-06 19:16:40.000000000 +0000
+++ libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
int words = bits >> 5;
int remainder = bits & 0x1F;
- ld->bytes_left = ld->buffer_size - words*4;
+ if (ld->buffer_size < words * 4)
+ ld->bytes_left = 0;
+ else
+ ld->bytes_left = ld->buffer_size - words*4;
if (ld->bytes_left >= 4)
{
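Review bot: The new bound in `faad_resetbits` compares `ld->buffer_size` with the signed product `words * 4`, and `bits` arrives as a plain `int`, so what happens for a negative `bits` depends on the type of `buffer_size`, which the hunk does not show. Making that case explicit, `if (words < 0 || ld->buffer_size < words * 4)`, removes the reliance on implicit conversion. A short comment such as `/* reset position lies past the end of the buffer: nothing left to read */` would record why `bytes_left` is forced to 0. The body continues outside the hunk, so whether later lines still index the buffer by `words` after the clamp cannot be confirmed from here.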