author | bsiegert <bsiegert@pkgsrc.org> | 2019-07-13 11:12:03 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2019-07-13 11:12:03 +0000 |
commit | e3ef81acfd28b7571e41736bca3264668273a519 (patch) | |
tree | d5261cd037e6003197104a1fe181d01fb710c14e | |
parent | 4bf1eae793a704672c3f129c256ce280aa7dccc2 (diff) | |
download | pkgsrc-e3ef81acfd28b7571e41736bca3264668273a519.tar.gz |
Pullup ticket #5996 - requested by nia
audio/faad2: security fix
Revisions pulled up:
- audio/faad2/Makefile 1.53
- audio/faad2/distinfo 1.27
- audio/faad2/patches/patch-CVE-2018-20194 1.1
- audio/faad2/patches/patch-CVE-2018-20362 1.1
- audio/faad2/patches/patch-libfaad_bits.c 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Thu Jul 11 09:03:35 UTC 2019
Modified Files:
pkgsrc/audio/faad2: Makefile distinfo
Added Files:
pkgsrc/audio/faad2/patches: patch-CVE-2018-20194 patch-CVE-2018-20362
patch-libfaad_bits.c
Log Message:
faad2: Backport some security fixes from upstream.
CVE-2018-20194:
https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
CVE-2018-20362:
https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
Misc buffer overflows:
https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
-rw-r--r-- | audio/faad2/Makefile | 3 | ||||
-rw-r--r-- | audio/faad2/distinfo | 5 | ||||
-rw-r--r-- | audio/faad2/patches/patch-CVE-2018-20194 | 59 | ||||
-rw-r--r-- | audio/faad2/patches/patch-CVE-2018-20362 | 63 | ||||
-rw-r--r-- | audio/faad2/patches/patch-libfaad_bits.c | 21 |
5 files changed, 149 insertions, 2 deletions
diff --git a/audio/faad2/Makefile b/audio/faad2/Makefile
index d2e7ce10114..2c6842356d4 100644
--- a/audio/faad2/Makefile
+++ b/audio/faad2/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.52.2.1 2019/07/13 11:12:03 bsiegert Exp $
 # IMPORTANT: Do not forget to update audio/xmms-faad
 DISTNAME= faad2-2.8.8
+PKGREVISION= 1
 CATEGORIES= audio
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=faac/}
diff --git a/audio/faad2/distinfo b/audio/faad2/distinfo
index ccfacd9d107..38170e66cad 100644
--- a/audio/faad2/distinfo
+++ b/audio/faad2/distinfo
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.26.2.1 2019/07/13 11:12:03 bsiegert Exp $
 SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
 RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
 SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
 Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
 SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
 SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
 SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
 SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
 SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
 SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
 SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
 SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
 SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf
diff --git a/audio/faad2/patches/patch-CVE-2018-20194 b/audio/faad2/patches/patch-CVE-2018-20194
new file mode 100644
index 00000000000..689bc98fe3d
--- /dev/null
+++ b/audio/faad2/patches/patch-CVE-2018-20194
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
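Review bot: The clamp on `ml1`/`ml2` is applied where the table is consumed, so `sbr->f_table_lim` itself still holds the out-of-range values taken from the stream, and any other reader of that table would be left unprotected; this cannot be checked from the hunks, because `calculate_gain` starts and ends outside them. The same six lines are pasted into all three `calculate_gain` variants (at 485, 949 and 1193) with no comment, so the copies can drift apart on a later edit. I would put a comment such as `/* f_table_lim is stream-controlled: keep m inside the MAX_M-entry limiter arrays */` above each clamp, or factor the clamp into one static helper used by all three. Assuming the indexed arrays hold MAX_M entries, the loop bound `m < ml2` keeps the index at most MAX_M-1 once the clamp has run.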
diff --git a/audio/faad2/patches/patch-CVE-2018-20362 b/audio/faad2/patches/patch-CVE-2018-20362
new file mode 100644
index 00000000000..ec729d4cf4f
--- /dev/null
+++ b/audio/faad2/patches/patch-CVE-2018-20362
@@ -0,0 +1,63 @@
+$NetBSD: patch-CVE-2018-20362,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Implicit channel mapping reconfiguration is explicitely forbidden by
+ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
+files and reject them. FAAD2 does not perform any kind of checks
+regarding this.
+
+This leads to security vulnerabilities when processing crafted AAC
+files performing such reconfigurations.
+
+Add checks to decode_sce_lfe and decode_cpe to make sure such
+inconsistencies are detected as early as possible.
+
+These checks first read hDecoder->frame: if this is not the first
+frame then we make sure that the syntax element at the same position
+in the previous frame also had element_id id_syn_ele. If not, return
+21 as this is a fatal file structure issue.
+
+This patch addresses CVE-2018-20362 and possibly other related issues.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
+
+Buffer overflow fix, no CVE, upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000
++++ libfaad/syntax.c
+@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
+ can become 2 when some form of Parametric Stereo coding is used
+ */
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
+ return;
+ }
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
+ while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+ DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+ {
++ if (i >= MAX_CHANNELS - num_excl_chan - 7)
++ return n;
+ for (i = num_excl_chan; i < num_excl_chan+7; i++)
+ {
+ drc->exclude_mask[i] = faad_get1bit(ld
diff --git a/audio/faad2/patches/patch-libfaad_bits.c b/audio/faad2/patches/patch-libfaad_bits.c
new file mode 100644
index 00000000000..baecd8cc5e8
--- /dev/null
+++ b/audio/faad2/patches/patch-libfaad_bits.c
@@ -0,0 +1,21 @@
+$NetBSD: patch-libfaad_bits.c,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Fix a potential buffer overflow.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/bits.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/bits.c
+@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
+ int words = bits >> 5;
+ int remainder = bits & 0x1F;
+
+- ld->bytes_left = ld->buffer_size - words*4;
++ if (ld->buffer_size < words * 4)
++ ld->bytes_left = 0;
++ else
++ ld->bytes_left = ld->buffer_size - words*4;
+
+ if (ld->bytes_left >= 4)
+ {
 |
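Review bot: In the `excluded_channels` hunk the new guard tests `i`, which at that point still holds whatever the previous loop left in it, while the writes it is meant to bound run over `num_excl_chan` .. `num_excl_chan+6`. Stating the bound on the loop's own range would be easier to audit, for example `if (num_excl_chan + 7 > MAX_CHANNELS) return n;`, assuming `exclude_mask` has MAX_CHANNELS entries (its declaration is not visible here). The store to `drc->additional_excluded_chns[n-1]` in the `while` condition runs before the guard, so the guard does not bound that index, and the rest of the function lies outside the hunk. In the two element-consistency checks the bare `21` deserves a comment naming the error it stands for.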
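Review bot: The new comparison `ld->buffer_size < words * 4` only protects against a position past the end of the buffer when `words` is non-negative; `bits` appears to be a signed `int`, so a negative value makes `words * 4` negative and the outcome then depends on whether `buffer_size` is signed or unsigned, which is not visible here. Writing the guard as `if (bits < 0 || ld->buffer_size < words * 4)` would make the intent explicit. The hunk also only zeroes `bytes_left`, and `faad_resetbits` continues past the hunk, so it is worth confirming that any later use of `words` as an offset into the buffer is skipped when the requested position lies beyond `buffer_size`.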