Sat Jul 13 11:09:46 2019 UTC ()
Pullup ticket #5995 - requested by nia
audio/libmad: security fix
Revisions pulled up:
- audio/libmad/Makefile 1.22
- audio/libmad/distinfo 1.5
- audio/libmad/patches/patch-bit.c 1.1
- audio/libmad/patches/patch-frame.c 1.1
- audio/libmad/patches/patch-layer12.c 1.1
- audio/libmad/patches/patch-layer3.c 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jul 10 20:01:57 UTC 2019
Modified Files:
pkgsrc/audio/libmad: Makefile distinfo
Added Files:
pkgsrc/audio/libmad/patches: patch-bit.c patch-frame.c patch-layer12.c
patch-layer3.c
Log Message:
libmad: Add patches for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
>From Kurt Roeckx / Debian.
Tested with cmus and moc.
(bsiegert)
diff -r1.21 -r1.21.18.1 pkgsrc/audio/libmad/Makefile
diff -r1.4 -r1.4.32.1 pkgsrc/audio/libmad/distinfo
diff -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-bit.c
diff -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-frame.c
diff -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-layer12.c
diff -r0 -r1.1.2.2 pkgsrc/audio/libmad/patches/patch-layer3.c
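--- a/pkgsrc/audio/libmad/Makefile
+++ b/pkgsrc/audio/libmad/Makefile
@@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.21 2017/08/16 20:21:03 wiz Exp $
+# $NetBSD: Makefile,v 1.21.18.1 2019/07/13 11:09:45 bsiegert Exp $
 #
 
 DISTNAME= libmad-0.15.1b
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= audio
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mad/}
 
 MAINTAINER= simonb@NetBSD.org
 HOMEPAGE= https://sourceforge.net/projects/mad/
 COMMENT= High-quality MPEG audio decoder
 LICENSE= gnu-gpl-v2
 
 CONFLICTS= mad<0.15
 
 GNU_CONFIGURE= YES
 USE_LIBTOOL= YES
 USE_TOOLS+= pkg-config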
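--- a/pkgsrc/audio/libmad/distinfo
+++ b/pkgsrc/audio/libmad/distinfo
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.4 2015/11/03 01:12:37 agc Exp $
+$NetBSD: distinfo,v 1.4.32.1 2019/07/13 11:09:45 bsiegert Exp $
 
 SHA1 (libmad-0.15.1b.tar.gz) = cac19cd00e1a907f3150cc040ccc077783496d76
 RMD160 (libmad-0.15.1b.tar.gz) = 0f3415ee10b188681e282ca69dec74c46ca73b0f
 SHA512 (libmad-0.15.1b.tar.gz) = 2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5ce8af7aefa6a75a3f545d3adfa255e3fa0a2d50971f76bc0c4fc0400cc45
 Size (libmad-0.15.1b.tar.gz) = 502379 bytes
 SHA1 (patch-aa) = 82271980d28d151b6b85987e075ad15dace4ed3b
+SHA1 (patch-bit.c) = 2dedd19cd385a0ae578fa3d72399dbb6c9ebf453
+SHA1 (patch-frame.c) = 87c97a6ce7688e7a3a227876f8bcf81e2c8425f8
+SHA1 (patch-layer12.c) = 7fbfd6939715adac7269c6d083ea5f0202abbfba
+SHA1 (patch-layer3.c) = cbf34e24ba21ef7d0f1e469c9569313d6b266658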
$NetBSD: patch-bit.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Kurt Roeckx / Debian.
--- bit.c.orig 2004-01-23 09:41:32.000000000 +0000
+++ bit.c
@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
{
register unsigned long value;
+ if (len == 0)
+ return 0;
+
if (bitptr->left == CHAR_BIT)
bitptr->cache = *bitptr->byte;
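Review bot: The new `len == 0` early return has no comment, and nothing in the hunk says why a zero-bit read must not reach `bitptr->cache = *bitptr->byte`. Presumably the load is the problem: a caller asking for zero bits at the very end of the data would otherwise dereference a byte it has no right to read. A one-line comment above the check would record that, e.g. `/* a zero-bit read must not touch *bitptr->byte, which may lie past the data */`. The rest of mad_bit_read is outside this hunk, so whether reads with `len` larger than the remaining data are bounded here cannot be judged; the callers patched in frame.c and layer12.c do that check themselves.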
$NetBSD: patch-frame.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Kurt Roeckx / Debian.
--- frame.c.orig 2004-02-04 22:59:19.000000000 +0000
+++ frame.c
@@ -120,11 +120,18 @@ static
int decode_header(struct mad_header *header, struct mad_stream *stream)
{
unsigned int index;
+ struct mad_bitptr bufend_ptr;
header->flags = 0;
header->private_bits = 0;
+ mad_bit_init(&bufend_ptr, stream->bufend);
+
/* header() */
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
/* syncword */
mad_bit_skip(&stream->ptr, 11);
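Review bot: The bare `32` in the new length check, and the `16` in the CRC hunk further down, are not explained; they appear to be the size of the fixed frame header and of the CRC word that the following reads consume. A short comment at each check, such as `/* the fixed header is 32 bits */` and `/* crc_target is a 16-bit word */`, would keep each bound tied to the reads it protects. decode_header continues outside the hunk, so the sum of the field widths read after the syncword cannot be confirmed from here.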
@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
/* error_check() */
/* crc_check */
- if (header->flags & MAD_FLAG_PROTECTION)
+ if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
header->crc_target = mad_bit_read(&stream->ptr, 16);
+ }
return 0;
}
@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
stream->error = MAD_ERROR_BUFLEN;
goto fail;
}
- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
/* mark point where frame sync word was expected */
stream->this_frame = ptr;
stream->next_frame = ptr + 1;
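Review bot: With the added `(end - ptr >= 2) &&`, a tail of fewer than two bytes makes the whole condition false, so the lost-sync branch is skipped and control falls through as if a sync word had been found. The same shape is used in the next-frame check in the last hunk of this file (`if ((end - ptr >= 2) && !(…))`), where a short tail means the following header is simply not validated. The preceding BUFLEN branch probably makes that case unreachable here, but its condition is outside the hunk. If it is reachable, treating a short tail as a failure is the safer reading: `else if (end - ptr < 2 || !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {`. Either way, a comment stating which outcome is intended would help.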
@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
ptr = mad_bit_nextbyte(&stream->ptr);
}
+ stream->error = MAD_ERROR_NONE;
+
/* begin processing */
stream->this_frame = ptr;
stream->next_frame = ptr + 1; /* possibly bogus sync word */
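Review bot: The added `stream->error = MAD_ERROR_NONE;` carries more weight than it looks and needs a comment. The layer12.c part of this change tests `stream->error != 0` after I_sample() and II_samples() to detect a short frame, so a stale error code left from an earlier call would turn a good sample into a decode failure. Something like `/* clear any stale error: the layer decoders treat a non-zero stream->error as an underrun */` above the assignment would make that dependency visible. Whether every path into the layer decoders passes through this point cannot be seen from the hunk.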
@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
/* check that a valid frame header follows this frame */
ptr = stream->next_frame;
- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
ptr = stream->next_frame = stream->this_frame + 1;
goto sync;
}
$NetBSD: patch-layer12.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Kurt Roeckx / Debian.
--- layer12.c.orig 2004-02-05 09:02:39.000000000 +0000
+++ layer12.c
@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
* DESCRIPTION: decode one requantized Layer I sample from a bitstream
*/
static
-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
+mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
{
mad_fixed_t sample;
+ struct mad_bitptr frameend_ptr;
+ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return 0;
+ }
sample = mad_bit_read(ptr, nb);
/* invert most significant bit, extend sign, then scale to fixed format */
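Review bot: I_sample() signals an underrun by returning 0, which is also a legitimate sample value, so the only reliable signal is `stream->error`, and the DESCRIPTION comment above the function does not mention that. Extend it to say that on a short frame the function sets `stream->error` to MAD_ERROR_LOSTSYNC, clears `stream->sync` and returns 0, and that callers must test `stream->error` after each call. II_samples() further down has the same contract and returns without filling `output`. The function also rebuilds `frameend_ptr` with mad_bit_init() for every sample, although `stream->next_frame` does not appear to change inside the sample loops; passing the caller's `frameend_ptr` would avoid the repeated setup.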
@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
struct mad_header *header = &frame->header;
unsigned int nch, bound, ch, s, sb, nb;
unsigned char allocation[2][32], scalefactor[2][32];
+ struct mad_bitptr bufend_ptr, frameend_ptr;
+
+ mad_bit_init(&bufend_ptr, stream->bufend);
+ mad_bit_init(&frameend_ptr, stream->next_frame);
nch = MAD_NCHANNELS(header);
@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
/* check CRC word */
if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_length(&stream->ptr, &bufend_ptr)
+ < 4 * (bound * nch + (32 - bound))) {
+ stream->error = MAD_ERROR_BADCRC;
+ return -1;
+ }
header->crc_check =
mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
header->crc_check);
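Review bot: This guard differs from every other check added to mad_layer_I: it measures against `bufend_ptr` rather than `frameend_ptr` and reports MAD_ERROR_BADCRC without clearing `stream->sync`, and the hunk does not say why. If the difference is intended (the CRC span may only need to lie inside the buffer), a comment should say so; otherwise the check could use `frameend_ptr` like the others. The bit count `4 * (bound * nch + (32 - bound))` is also written twice, once in the guard and once in the mad_bit_crc() call. A local such as `unsigned int crc_bits = 4 * (bound * nch + (32 - bound));` would keep the two from drifting apart.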
@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
for (sb = 0; sb < bound; ++sb) {
for (ch = 0; ch < nch; ++ch) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_read(&stream->ptr, 4);
if (nb == 15) {
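Review bot: The five-line guard added here is repeated almost verbatim in the other mad_layer_I and mad_layer_II hunks of this file (bit allocation, scfsi and scalefactor reads), differing only in the bit count. Copies of a bounds check are easy to get subtly wrong when one of them is edited later, so a small static helper would be safer and shorter; each site then becomes `if (need_bits(stream, &frameend_ptr, 4) == -1) return -1;`. The sketch below assumes mad_bit_length() takes two `struct mad_bitptr const *` arguments, as its use in these hunks suggests. mad_layer_I continues outside the hunk.

```c
/* fail with LOSTSYNC unless at least nbits remain before the frame end */
static
int need_bits(struct mad_stream *stream, struct mad_bitptr const *frameend,
	      unsigned int nbits)
{
  if (mad_bit_length(&stream->ptr, frameend) < nbits) {
    stream->error = MAD_ERROR_LOSTSYNC;
    stream->sync = 0;
    return -1;
  }
  return 0;
}
```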
@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
}
for (sb = bound; sb < 32; ++sb) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_read(&stream->ptr, 4);
if (nb == 15) {
@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
for (sb = 0; sb < 32; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
# if defined(OPT_STRICT)
@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
for (ch = 0; ch < nch; ++ch) {
nb = allocation[ch][sb];
frame->sbsample[ch][s][sb] = nb ?
- mad_f_mul(I_sample(&stream->ptr, nb),
+ mad_f_mul(I_sample(&stream->ptr, nb, stream),
sf_table[scalefactor[ch][sb]]) : 0;
+ if (stream->error != 0)
+ return -1;
}
}
@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
if ((nb = allocation[0][sb])) {
mad_fixed_t sample;
- sample = I_sample(&stream->ptr, nb);
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
+ sample = I_sample(&stream->ptr, nb, stream);
+ if (stream->error != 0)
+ return -1;
for (ch = 0; ch < nch; ++ch) {
frame->sbsample[ch][s][sb] =
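Review bot: The length check added before `I_sample(&stream->ptr, nb, stream)` duplicates the one now inside I_sample() itself, which performs the same `mad_bit_length(...) < nb` test against `stream->next_frame` and sets the same error. The `if (stream->error != 0) return -1;` that follows the call already covers the underrun, so the outer block can go, leaving `sample = I_sample(&stream->ptr, nb, stream);` followed by the error test. The other I_sample() call site in this function, in the hunk above, relies on the inner check alone, so dropping the duplicate also makes the two sites consistent.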
@@ -280,13 +321,21 @@ struct quantclass {
static
void II_samples(struct mad_bitptr *ptr,
struct quantclass const *quantclass,
- mad_fixed_t output[3])
+ mad_fixed_t output[3], struct mad_stream *stream)
{
unsigned int nb, s, sample[3];
+ struct mad_bitptr frameend_ptr;
+
+ mad_bit_init(&frameend_ptr, stream->next_frame);
if ((nb = quantclass->group)) {
unsigned int c, nlevels;
+ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
/* degrouping */
c = mad_bit_read(ptr, quantclass->bits);
nlevels = quantclass->nlevels;
@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
else {
nb = quantclass->bits;
- for (s = 0; s < 3; ++s)
+ for (s = 0; s < 3; ++s) {
+ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
sample[s] = mad_bit_read(ptr, nb);
+ }
}
for (s = 0; s < 3; ++s) {
@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
unsigned char const *offsets;
unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
mad_fixed_t samples[3];
+ struct mad_bitptr frameend_ptr;
+
+ mad_bit_init(&frameend_ptr, stream->next_frame);
nch = MAD_NCHANNELS(header);
@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < bound; ++sb) {
nbal = bitalloc_table[offsets[sb]].nbal;
- for (ch = 0; ch < nch; ++ch)
+ for (ch = 0; ch < nch; ++ch) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
}
for (sb = bound; sb < sblimit; ++sb) {
nbal = bitalloc_table[offsets[sb]].nbal;
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[0][sb] =
allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
}
@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
- if (allocation[ch][sb])
+ if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+ }
}
}
@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
switch (scfsi[ch][sb]) {
@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
break;
case 0:
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
/* fall through */
case 1:
case 3:
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
}
@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
if ((index = allocation[ch][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(&stream->ptr, &qc_table[index], samples);
+ II_samples(&stream->ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
for (s = 0; s < 3; ++s) {
frame->sbsample[ch][3 * gr + s][sb] =
@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
if ((index = allocation[0][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(&stream->ptr, &qc_table[index], samples);
+ II_samples(&stream->ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
for (ch = 0; ch < nch; ++ch) {
for (s = 0; s < 3; ++s) {
$NetBSD: patch-layer3.c,v 1.1.2.2 2019/07/13 11:09:45 bsiegert Exp $
Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
From Kurt Roeckx / Debian.
--- layer3.c.orig 2019-07-10 19:49:26.252016169 +0000
+++ layer3.c
@@ -2688,6 +2688,11 @@ int mad_layer_III(struct mad_stream *str
next_md_begin = 0;
md_len = si.main_data_begin + frame_space - next_md_begin;
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
frame_used = 0;
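Review bot: The bound is written as `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN`, and the addition can wrap if `md_len` is ever close to the top of its type, which would let an oversized value through. `md_len` is derived from stream-controlled fields (`si.main_data_begin`, `frame_space`), and its declaration is outside the hunk, so whether that range is reachable cannot be told from here. Moving the constant to the other side removes the question: `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD) {`, assuming MAD_BUFFER_MDLEN is larger than MAD_BUFFER_GUARD. mad_layer_III continues outside the hunk.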
@@ -2705,8 +2710,11 @@ int mad_layer_III(struct mad_stream *str
}
}
else {
- mad_bit_init(&ptr,
- *stream->main_data + stream->md_len - si.main_data_begin);
+ memmove(stream->main_data,
+ *stream->main_data + stream->md_len - si.main_data_begin,
+ si.main_data_begin);
+ stream->md_len = si.main_data_begin;
+ mad_bit_init(&ptr, *stream->main_data);
if (md_len > si.main_data_begin) {
assert(stream->md_len + md_len -