faad2: Update to 2.9.0

Changes:

[ Krzysztof Nikiel ]

    Build system fixes and code clean-up

[ LoRd_MuldeR ]

    Fix compiler warnings and code indentation
    Fix compilation with GCC <= 4.7.3
    MSVC solution file clean-up

[ Cameron Cawley ]

    Fix compilation with GCC 4.7.4
    Fix compilation with MinGW

[ Michael Fink ]

    MSVC 2017 project file update

[ Hugo Lefeuvre ]

    Fix crash with unsupported MP4 files (NULL pointer dereference,
    division by zero)
    CVE-2019-6956: ps_dec: sanitize iid_index before mixing
    CVE-2018-20196: sbr_fbt: sanitize sbr->M (should not exceed MAX_M)
    CVE-2018-20199, CVE-2018-20360: specrec: better handle unexpected
    parametric stereo (PS)
    CVE-2018-20362, CVE-2018-19504, CVE-2018-20195, CVE-2018-20198,
    CVE-2018-20358: syntax.c: check for syntax element inconsistencies
    CVE-2018-20194, CVE-2018-19503, CVE-2018-20197, CVE-2018-20357,
    CVE-2018-20359, CVE-2018-20361: sbr_hfadj: sanitize frequency band
    borders

[ Hugo Beauzée-Luyssen ]

    CVE-2019-15296, CVE-2018-19502: Fix a couple buffer overflows

[ Filip Roséen ]

    Prevent crash on SCE followed by CPE

[ Gianfranco Costamagna ]

    Fix linking with GCC 9 and "-Wl,--as-needed"

[ Fabian Greffrath ]

    Enable the frontend to be built reproducibly

9 files changed, 23 insertions, 212 deletions

diff --git a/audio/faad2/Makefile b/audio/faad2/Makefile
index 4429bdeb854..38f72183691 100644
--- a/audio/faad2/Makefile
+++ b/audio/faad2/Makefile
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.53 2019/07/11 09:03:35 nia Exp $
+# $NetBSD: Makefile,v 1.54 2019/09/14 13:34:06 nia Exp $
 # IMPORTANT: Do not forget to update audio/xmms-faad
 
-DISTNAME=	faad2-2.8.8
-PKGREVISION=	1
+DISTNAME=	faad2-2.9.0
 CATEGORIES=	audio
-MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=faac/}
+MASTER_SITES=	${MASTER_SITE_GITHUB:=knik0/}
+GITHUB_TAG=	2_9_0
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
-HOMEPAGE=	https://www.audiocoding.com/
+HOMEPAGE=	https://github.com/knik0/faad2
 COMMENT=	AAC decoding library
 LICENSE=	gnu-gpl-v2
 
@@ -17,18 +17,9 @@ USE_TOOLS+=		autoconf automake autoreconf gmake
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--includedir=${PREFIX}/include/faad2
 
-# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52624
-GCC_REQD+=		4.8
-
 LIBS+=			-lm
 CPPFLAGS.SunOS+=	-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE=1
 
-SUBST_CLASSES+=		pkgver
-SUBST_STAGE.pkgver=	pre-configure
-SUBST_MESSAGE.pkgver=	Setting PACKAGE_VERSION in neaacdec.h
-SUBST_FILES.pkgver=	include/neaacdec.h
-SUBST_SED.pkgver=	-e 's,PACKAGE_VERSION,"${PKGVERSION_NOREV}",'
-
 post-extract:
 	${MV} ${WRKSRC}/frontend/faad.man ${WRKSRC}/frontend/faad.1
 
diff --git a/audio/faad2/PLIST b/audio/faad2/PLIST
index 5745f17ee13..c9ffefa0d03 100644
--- a/audio/faad2/PLIST
+++ b/audio/faad2/PLIST
@@ -1,10 +1,7 @@
-@comment $NetBSD: PLIST,v 1.15 2017/07/23 16:09:17 adam Exp $
+@comment $NetBSD: PLIST,v 1.16 2019/09/14 13:34:06 nia Exp $
 bin/faad
 include/faad2/faad.h
-include/faad2/mp4ff.h
-include/faad2/mp4ffint.h
 include/faad2/neaacdec.h
 lib/libfaad.la
 lib/libfaad_drm.la
-lib/libmp4ff.la
 man/man1/faad.1
diff --git a/audio/faad2/distinfo b/audio/faad2/distinfo
index e9f3da7d7eb..f53f3640e6e 100644
--- a/audio/faad2/distinfo
+++ b/audio/faad2/distinfo
@@ -1,18 +1,14 @@
-$NetBSD: distinfo,v 1.27 2019/07/11 09:03:35 nia Exp $
+$NetBSD: distinfo,v 1.28 2019/09/14 13:34:06 nia Exp $
 
-SHA1 (faad2-2.8.8.tar.gz) = 0d49c516d4a83c39053a9bd214fddba72cbc34ad
-RMD160 (faad2-2.8.8.tar.gz) = b69349ee69c869ba070f28c58418749d53898985
-SHA512 (faad2-2.8.8.tar.gz) = 3275d292b2a9fe984842962f4d81202894bddd17033f7cd6df95466554cc968dfcbf2890ae8b1df37da0cd25d645cca0a687f07e39b9fc37dd004fd5956a82af
-Size (faad2-2.8.8.tar.gz) = 1069044 bytes
-SHA1 (patch-CVE-2018-20194) = fefaa2cde9cdaff71cfe8e82e9d0e4b791bca015
-SHA1 (patch-CVE-2018-20362) = 00a8cf72f824a3c98d7f20d80542192634a84518
-SHA1 (patch-common_mp4ff_Makefile.am) = a662e6fd841420110c02f85923d022919135be82
+SHA1 (faad2-2.9.0.tar.gz) = 0c39dd1362288f372211cdbc053748569a9cb2ea
+RMD160 (faad2-2.9.0.tar.gz) = 6a6576fb640daba2cb4754ade1d2b8834b8766e5
+SHA512 (faad2-2.9.0.tar.gz) = 1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc
+Size (faad2-2.9.0.tar.gz) = 802390 bytes
 SHA1 (patch-configure.ac) = ed9d4e9d611d27d4add86884996a8e7fc001bc90
-SHA1 (patch-frontend_Makefile.am) = ab3369e67fb5f2842076fb698819936473440de9
+SHA1 (patch-frontend_Makefile.am) = 32c8bede5773b2cb97777951b1a18366b4e10e3d
 SHA1 (patch-frontend_getopt.c) = 3eaf3e8318887eca49e354696cad1bd2c5bf5504
-SHA1 (patch-frontend_mp4read.c) = 235d69a310bb2cb52cf62479e9254c1d3eb9cef9
+SHA1 (patch-frontend_mp4read.c) = a72c20b69428809caf328850fd70a13ba5c82d41
 SHA1 (patch-libfaad_Makefile.am) = 4d3b92f54d998bd577641f49e88d0c8bc38f963c
-SHA1 (patch-libfaad_bits.c) = bc21ea92f62a7facbf70df3fe85b852e625efc1c
 SHA1 (patch-libfaad_common.h) = 60eccd8aebeb085760d6866f83ff5a613197918f
 SHA1 (patch-plugins_xmms_src_Makefile.am) = 4ba1dfefe1e351830ee990c711af6ac46db42c14
 SHA1 (patch-plugins_xmms_src_libmp4.c) = 7c6cd667999aab36efc9d713cf967c01b01916bf
diff --git a/audio/faad2/patches/patch-CVE-2018-20194 b/audio/faad2/patches/patch-CVE-2018-20194
deleted file mode 100644
index 04f2c4116d5..00000000000
--- a/audio/faad2/patches/patch-CVE-2018-20194
+++ /dev/null
@@ -1,59 +0,0 @@
-$NetBSD: patch-CVE-2018-20194,v 1.1 2019/07/11 09:03:35 nia Exp $
-
-user passed f_table_lim contains frequency band borders. Frequency
-bands are groups of consecutive QMF channels. This means that their
-bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
-number of QMF channels). c.f. ISO/IEC 14496-3:2001
-
-FAAD2 does not verify this, leading to security issues when
-processing files defining f_table_lim with values > MAX_M.
-
-This patch sanitizes the values of f_table_lim so that they can be safely
-used as index for Q_M_lim and G_lim arrays.
-
-Fixes CVE-2018-20194.
-
-Upstream commit:
-https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
-
---- libfaad/sbr_hfadj.c.orig	2017-07-06 19:16:40.000000000 +0000
-+++ libfaad/sbr_hfadj.c
-@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
-             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
- 
-+            if (ml1 > MAX_M)
-+                ml1 = MAX_M;
-+
-+            if (ml2 > MAX_M)
-+                ml2 = MAX_M;
-+
- 
-             /* calculate the accumulated E_orig and E_curr over the limiter band */
-             for (m = ml1; m < ml2; m++)
-@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
-             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
- 
-+            if (ml1 > MAX_M)
-+                ml1 = MAX_M;
-+
-+            if (ml2 > MAX_M)
-+                ml2 = MAX_M;
-+
- 
-             /* calculate the accumulated E_orig and E_curr over the limiter band */
-             for (m = ml1; m < ml2; m++)
-@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
-             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
- 
-+            if (ml1 > MAX_M)
-+                ml1 = MAX_M;
-+
-+            if (ml2 > MAX_M)
-+                ml2 = MAX_M;
-+
- 
-             /* calculate the accumulated E_orig and E_curr over the limiter band */
-             for (m = ml1; m < ml2; m++)
diff --git a/audio/faad2/patches/patch-CVE-2018-20362 b/audio/faad2/patches/patch-CVE-2018-20362
deleted file mode 100644
index 4a2548a75bb..00000000000
--- a/audio/faad2/patches/patch-CVE-2018-20362
+++ /dev/null
@@ -1,63 +0,0 @@
-$NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $
-
-Implicit channel mapping reconfiguration is explicitely forbidden by
-ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
-files and reject them. FAAD2 does not perform any kind of checks
-regarding this.
-
-This leads to security vulnerabilities when processing crafted AAC
-files performing such reconfigurations.
-
-Add checks to decode_sce_lfe and decode_cpe to make sure such
-inconsistencies are detected as early as possible.
-
-These checks first read hDecoder->frame: if this is not the first
-frame then we make sure that the syntax element at the same position
-in the previous frame also had element_id id_syn_ele. If not, return
-21 as this is a fatal file structure issue.
-
-This patch addresses CVE-2018-20362 and possibly other related issues.
-
-Upstream commit:
-https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch
-
-Buffer overflow fix, no CVE, upstream commit:
-https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
-
---- libfaad/syntax.c.orig	2017-10-30 17:44:16.000000000 +0000
-+++ libfaad/syntax.c
-@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruc
-        can become 2 when some form of Parametric Stereo coding is used
-     */
- 
-+    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
-+        /* element inconsistency */
-+        hInfo->error = 21;
-+        return;
-+    }
-+
-     /* save the syntax element id */
-     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
- 
-@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *h
-         return;
-     }
- 
-+    if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
-+        /* element inconsistency */
-+        hInfo->error = 21;
-+        return;
-+    }
-+
-     /* save the syntax element id */
-     hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
- 
-@@ -2292,6 +2304,8 @@ static uint8_t excluded_channels(bitfile
-     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
-         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
-     {
-+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
-+            return n;
-         for (i = num_excl_chan; i < num_excl_chan+7; i++)
-         {
-             drc->exclude_mask[i] = faad_get1bit(ld
diff --git a/audio/faad2/patches/patch-common_mp4ff_Makefile.am b/audio/faad2/patches/patch-common_mp4ff_Makefile.am
deleted file mode 100644
index a90b6d15521..00000000000
--- a/audio/faad2/patches/patch-common_mp4ff_Makefile.am
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-common_mp4ff_Makefile.am,v 1.1 2017/07/23 16:09:17 adam Exp $
-
-Install libmp4ff; needed for audio/xmms-faad.
-
---- common/mp4ff/Makefile.am.orig	2017-07-17 12:04:02.000000000 +0000
-+++ common/mp4ff/Makefile.am
-@@ -1,7 +1,8 @@
--noinst_LIBRARIES = libmp4ff.a
--noinst_HEADERS = mp4ff.h mp4ffint.h
-+lib_LTLIBRARIES = libmp4ff.la
-+include_HEADERS = mp4ff.h mp4ffint.h
- 
--libmp4ff_a_CFLAGS = -DUSE_TAGGING=1
-+libmp4ff_la_CFLAGS = -DUSE_TAGGING=1
- 
--libmp4ff_a_SOURCES = mp4ff.c mp4atom.c mp4meta.c mp4sample.c mp4util.c \
--		     mp4tagupdate.c mp4ff.h mp4ffint.h
-+libmp4ff_la_SOURCES = mp4ff.c mp4atom.c mp4meta.c mp4sample.c mp4util.c \
-+		     mp4tagupdate.c
-+libmp4ff_la_INCLUDES= mp4ff.h mp4ffint.h
diff --git a/audio/faad2/patches/patch-frontend_Makefile.am b/audio/faad2/patches/patch-frontend_Makefile.am
index 293342cb760..ee1c8c123b7 100644
--- a/audio/faad2/patches/patch-frontend_Makefile.am
+++ b/audio/faad2/patches/patch-frontend_Makefile.am
@@ -1,20 +1,11 @@
-$NetBSD: patch-frontend_Makefile.am,v 1.3 2019/06/05 06:07:27 nia Exp $
+$NetBSD: patch-frontend_Makefile.am,v 1.4 2019/09/14 13:34:06 nia Exp $
 
-Use correct sources.
-
---- frontend/Makefile.am.orig	2017-12-17 19:51:26.000000000 +0000
+--- frontend/Makefile.am.orig	2019-09-09 10:28:33.000000000 +0000
 +++ frontend/Makefile.am
-@@ -1,10 +1,11 @@
+@@ -1,5 +1,5 @@
  bin_PROGRAMS = faad
 -dist_man1_MANS = faad.man
 +dist_man1_MANS = faad.1
  
  AM_CPPFLAGS = -I$(top_srcdir)/include
  
- faad_LDADD = $(top_builddir)/libfaad/libfaad.la
- 
--faad_SOURCES = mp4read.c audio.c main.c audio.h mp4read.h unicode_support.c unicode_support.h
-+faad_SOURCES = mp4read.c audio.c main.c unicode_support.c
-+faad_INCLUDES = audio.h mp4read.h unicode_support.h
- 
- EXTRA_faad_SOURCES =  getopt.c
diff --git a/audio/faad2/patches/patch-frontend_mp4read.c b/audio/faad2/patches/patch-frontend_mp4read.c
index 297fcc54aad..af9e8971691 100644
--- a/audio/faad2/patches/patch-frontend_mp4read.c
+++ b/audio/faad2/patches/patch-frontend_mp4read.c
@@ -1,20 +1,19 @@
-$NetBSD: patch-frontend_mp4read.c,v 1.2 2019/06/05 06:07:27 nia Exp $
+$NetBSD: patch-frontend_mp4read.c,v 1.3 2019/09/14 13:34:06 nia Exp $
 
-Do not re-define bswap32() and bswap16().
+Avoid conflicting with NetBSD libc.
 
---- frontend/mp4read.c.orig	2017-12-17 11:18:43.000000000 +0000
+--- frontend/mp4read.c.orig	2019-09-09 10:28:33.000000000 +0000
 +++ frontend/mp4read.c
-@@ -46,6 +46,8 @@ mp4config_t mp4config = { 0 };
+@@ -46,6 +46,7 @@ mp4config_t mp4config = { 0 };
  
  static FILE *g_fin = NULL;
  
-+#include "config.h"
-+#ifndef HAVE_SYS_ENDIAN_H
++#ifndef __NetBSD__
  static inline uint32_t bswap32(const uint32_t u32)
  {
  #ifndef WORDS_BIGENDIAN
-@@ -71,6 +73,7 @@ static inline uint16_t bswap16(const uin
- 	return u16;
+@@ -75,6 +76,7 @@ static inline uint16_t bswap16(const uin
+     return u16;
  #endif
  }
 +#endif
diff --git a/audio/faad2/patches/patch-libfaad_bits.c b/audio/faad2/patches/patch-libfaad_bits.c
deleted file mode 100644
index b0c6dae1d58..00000000000
--- a/audio/faad2/patches/patch-libfaad_bits.c
+++ /dev/null
@@ -1,21 +0,0 @@
-$NetBSD: patch-libfaad_bits.c,v 1.1 2019/07/11 09:03:35 nia Exp $
-
-Fix a potential buffer overflow.
-
-Upstream commit:
-https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch
-
---- libfaad/bits.c.orig	2017-07-06 19:16:40.000000000 +0000
-+++ libfaad/bits.c
-@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bit
-     int words = bits >> 5;
-     int remainder = bits & 0x1F;
- 
--    ld->bytes_left = ld->buffer_size - words*4;
-+    if (ld->buffer_size < words * 4)
-+        ld->bytes_left = 0;
-+    else
-+        ld->bytes_left = ld->buffer_size - words*4;
- 
-     if (ld->bytes_left >= 4)
-     {