authorbsiegert <bsiegert@pkgsrc.org>2019-07-13 11:12:03 +0000
committerbsiegert <bsiegert@pkgsrc.org>2019-07-13 11:12:03 +0000
commite3ef81acfd28b7571e41736bca3264668273a519 (patch)
treed5261cd037e6003197104a1fe181d01fb710c14e
parent4bf1eae793a704672c3f129c256ce280aa7dccc2 (diff)
downloadpkgsrc-e3ef81acfd28b7571e41736bca3264668273a519.tar.gz
Pullup ticket #5996 - requested by nia
audio/faad2: security fix Revisions pulled up: - audio/faad2/Makefile 1.53 - audio/faad2/distinfo 1.27 - audio/faad2/patches/patch-CVE-2018-20194 1.1 - audio/faad2/patches/patch-CVE-2018-20362 1.1 - audio/faad2/patches/patch-libfaad_bits.c 1.1 --- Module Name: pkgsrc Committed By: nia Date: Thu Jul 11 09:03:35 UTC 2019 Modified Files: pkgsrc/audio/faad2: Makefile distinfo Added Files: pkgsrc/audio/faad2/patches: patch-CVE-2018-20194 patch-CVE-2018-20362 patch-libfaad_bits.c Log Message: faad2: Backport some security fixes from upstream. CVE-2018-20194: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch CVE-2018-20362: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch Misc buffer overflows: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
-rw-r--r--audio/faad2/Makefile3
-rw-r--r--audio/faad2/distinfo5
-rw-r--r--audio/faad2/patches/patch-CVE-2018-2019459
-rw-r--r--audio/faad2/patches/patch-CVE-2018-2036263
-rw-r--r--audio/faad2/patches/patch-libfaad_bits.c21
5 files changed, 149 insertions, 2 deletions
diff --git a/audio/faad2/Makefile b/audio/faad2/Makefile
index d2e7ce10114..2c6842356d4 100644
--- a/audio/faad2/Makefile
+++ b/audio/faad2/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2019/06/17 10:48:32 nia Exp $
+# $NetBSD: Makefile,v 1.52.2.1 2019/07/13 11:12:03 bsiegert Exp $
# IMPORTANT: Do not forget to update audio/xmms-faad
DISTNAME= faad2-2.8.8
+PKGREVISION= 1
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=faac/}
diff --git a/audio/faad2/distinfo b/audio/faad2/distinfo
index ccfacd9d107..38170e66cad 100644
--- a/audio/faad2/distinfo
+++ b/audio/faad2/distinfo
@@ -1,15 +1,18 @@
-$NetBSD: distinfo,v 1.26 2019/06/05 06:07:27 nia Exp $
+$NetBSD: distinfo,v 1.26.2.1 2019/07/13 11:12:03 bsiegert Exp $
SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
Size (faad2-2.8.8.tar.gz) = 1069044 bytes
+SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
+SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
+SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf
diff --git a/audio/faad2/patches/patch-CVE-2018-20194 b/audio/faad2/patches/patch-CVE-2018-20194
new file mode 100644
index 00000000000..689bc98fe3d
--- /dev/null
+++ b/audio/faad2/patches/patch-CVE-2018-20194
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
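Review bot: The added clamps (`if (ml1 > MAX_M) ml1 = MAX_M;` and the same for `ml2`, repeated in all three `calculate_gain` variants) silently truncate an out-of-range `f_table_lim` entry, so a stream that violates the standard keeps decoding and leaves no trace of the malformed input. Since this is a verbatim upstream backport, the least intrusive improvement is a comment above each clamp, such as `/* f_table_lim comes from the bitstream; clamp so m in the loop below stays < MAX_M */`. Only the upper bound is enforced, which is sufficient only if `ml1`/`ml2` are unsigned, and the clamp keeps the `Q_M_lim`/`G_lim` accesses in range only if those arrays hold at least MAX_M elements. Neither declaration is visible in these hunks, and `calculate_gain` starts and ends outside them.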
diff --git a/audio/faad2/patches/patch-CVE-2018-20362 b/audio/faad2/patches/patch-CVE-2018-20362
new file mode 100644
index 00000000000..ec729d4cf4f
--- /dev/null
+++ b/audio/faad2/patches/patch-CVE-2018-20362
@@ -0,0 +1,63 @@
+$NetBSD: patch-CVE-2018-20362,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Implicit channel mapping reconfiguration is explicitely forbidden by
+ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
+files and reject them. FAAD2 does not perform any kind of checks
+regarding this.
+
+This leads to security vulnerabilities when processing crafted AAC
+files performing such reconfigurations.
+
+Add checks to decode_sce_lfe and decode_cpe to make sure such
+inconsistencies are detected as early as possible.
+
+These checks first read hDecoder->frame: if this is not the first
+frame then we make sure that the syntax element at the same position
+in the previous frame also had element_id id_syn_ele. If not, return
+21 as this is a fatal file structure issue.
+
+This patch addresses CVE-2018-20362 and possibly other related issues.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
+
+Buffer overflow fix, no CVE, upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000
++++ libfaad/syntax.c
+@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
+ can become 2 when some form of Parametric Stereo coding is used
+ */
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
+ return;
+ }
+
++ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
++ /* element inconsistency */
++ hInfo->error = 21;
++ return;
++ }
++
+ /* save the syntax element id */
+ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
+
+@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
+ while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+ DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+ {
++ if (i >= MAX_CHANNELS - num_excl_chan - 7)
++ return n;
+ for (i = num_excl_chan; i < num_excl_chan+7; i++)
+ {
+ drc->exclude_mask[i] = faad_get1bit(ld
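Review bot: In the `excluded_channels` hunk the new guard `if (i >= MAX_CHANNELS - num_excl_chan - 7)` reads `i` before the `for` loop below assigns it, so the bound depends on a value left behind by code outside the hunk and is hard to audit from here. The write being protected is `drc->exclude_mask[i]` for `i` from `num_excl_chan` to `num_excl_chan+6`, so a comment stating that intent would help, e.g. `/* stop before exclude_mask[num_excl_chan .. num_excl_chan+6] would pass MAX_CHANNELS */`. Note that `drc->additional_excluded_chns[n-1]` is written in the `while` condition before the guard runs, so its safety rests on the array sizes, which are not visible here. The function begins and ends outside the hunk.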
diff --git a/audio/faad2/patches/patch-libfaad_bits.c b/audio/faad2/patches/patch-libfaad_bits.c
new file mode 100644
index 00000000000..baecd8cc5e8
--- /dev/null
+++ b/audio/faad2/patches/patch-libfaad_bits.c
@@ -0,0 +1,21 @@
+$NetBSD: patch-libfaad_bits.c,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+Fix a potential buffer overflow.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
+
+--- libfaad/bits.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/bits.c
+@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
+ int words = bits >> 5;
+ int remainder = bits & 0x1F;
+
+- ld->bytes_left = ld->buffer_size - words*4;
++ if (ld->buffer_size < words * 4)
++ ld->bytes_left = 0;
++ else
++ ld->bytes_left = ld->buffer_size - words*4;
+
+ if (ld->bytes_left >= 4)
+ {
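Review bot: The new guard in `faad_resetbits` corrects only `ld->bytes_left`; `words` itself stays unclamped, so any later use of `words` as an offset into the buffer would still be out of range when `bits` exceeds the buffer. The rest of the function lies past the end of this hunk, so it is worth confirming that the remaining body dereferences nothing once `bytes_left` is 0. Separately, `bits` is a signed `int`, so a negative value makes `words * 4` negative, and whether `ld->buffer_size < words * 4` catches that depends on the type of `buffer_size`, which is not shown. Making the test explicit with `if (bits < 0 || ld->buffer_size < words * 4)` removes that dependency.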