svn commit: r517566 - in branches/2019Q4/audio/libmad: . files
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Thu Nov 14 14:07:26 UTC 2019
Author: sunpoet
Date: Thu Nov 14 14:07:25 2019
New Revision: 517566
URL: https://svnweb.freebsd.org/changeset/ports/517566
Log:
MFH: r517408
Fix CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374
- Bump PORTREVISION for package change
Differential Revision: https://reviews.freebsd.org/D22300
Submitted by: Daniel Engberg <daniel.engberg.lists at pyret.net>
Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
Security: b48e7b14-052a-11ea-a1de-53b029d2b061
Approved by: ports-secteam (delphij, miwi)
Added:
branches/2019Q4/audio/libmad/files/patch-layer12.c
- copied unchanged from r517408, head/audio/libmad/files/patch-layer12.c
branches/2019Q4/audio/libmad/files/patch-layer3.c
- copied unchanged from r517408, head/audio/libmad/files/patch-layer3.c
Modified:
branches/2019Q4/audio/libmad/Makefile
Directory Properties:
branches/2019Q4/ (props changed)
Modified: branches/2019Q4/audio/libmad/Makefile
==============================================================================
--- branches/2019Q4/audio/libmad/Makefile Thu Nov 14 13:52:05 2019 (r517565)
+++ branches/2019Q4/audio/libmad/Makefile Thu Nov 14 14:07:25 2019 (r517566)
@@ -3,7 +3,7 @@
PORTNAME= libmad
PORTVERSION= 0.15.1b
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= audio
MASTER_SITES= SF/mad/${PORTNAME}/${PORTVERSION}
Copied: branches/2019Q4/audio/libmad/files/patch-layer12.c (from r517408, head/audio/libmad/files/patch-layer12.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2019Q4/audio/libmad/files/patch-layer12.c Thu Nov 14 14:07:25 2019 (r517566, copy of r517408, head/audio/libmad/files/patch-layer12.c)
@@ -0,0 +1,175 @@
+Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
+
+--- layer12.c.orig 2004-02-05 09:02:39 UTC
++++ layer12.c
+@@ -134,6 +134,12 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ nb = mad_bit_read(&stream->ptr, 4);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ if (nb == 15) {
+ stream->error = MAD_ERROR_BADBITALLOC;
+@@ -146,6 +152,12 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = bound; sb < 32; ++sb) {
+ nb = mad_bit_read(&stream->ptr, 4);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ if (nb == 15) {
+ stream->error = MAD_ERROR_BADBITALLOC;
+@@ -162,6 +174,12 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ # if defined(OPT_STRICT)
+ /*
+@@ -187,6 +205,12 @@ int mad_layer_I(struct mad_stream *strea
+ frame->sbsample[ch][s][sb] = nb ?
+ mad_f_mul(I_sample(&stream->ptr, nb),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ }
+ }
+
+@@ -195,6 +219,12 @@ int mad_layer_I(struct mad_stream *strea
+ mad_fixed_t sample;
+
+ sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -403,7 +433,15 @@ int mad_layer_II(struct mad_stream *stre
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+ for (ch = 0; ch < nch; ++ch)
++ {
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+@@ -411,6 +449,13 @@ int mad_layer_II(struct mad_stream *stre
+
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
++
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ }
+
+ /* decode scalefactor selection info */
+@@ -419,6 +464,12 @@ int mad_layer_II(struct mad_stream *stre
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb])
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ }
+ }
+
+@@ -442,6 +493,12 @@ int mad_layer_II(struct mad_stream *stre
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ switch (scfsi[ch][sb]) {
+ case 2:
+@@ -452,11 +509,23 @@ int mad_layer_II(struct mad_stream *stre
+
+ case 0:
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ /* fall through */
+
+ case 1:
+ case 3:
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ }
+
+ if (scfsi[ch][sb] & 1)
+@@ -488,6 +557,12 @@ int mad_layer_II(struct mad_stream *stre
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+ II_samples(&stream->ptr, &qc_table[index], samples);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ for (s = 0; s < 3; ++s) {
+ frame->sbsample[ch][3 * gr + s][sb] =
+@@ -506,6 +581,12 @@ int mad_layer_II(struct mad_stream *stre
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+ II_samples(&stream->ptr, &qc_table[index], samples);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ for (ch = 0; ch < nch; ++ch) {
+ for (s = 0; s < 3; ++s) {
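Review bot: Each added `mad_bit_nextbyte(&stream->ptr) > stream->next_frame` test in mad_layer_I and mad_layer_II runs after the `mad_bit_read`, `I_sample` or `II_samples` call it follows, so it detects a read past the frame end only once that read has already happened. Whether those extra bytes always lie inside the input buffer is not visible in these hunks; it presumably relies on the caller keeping guard bytes after the frame, and a comment at the first site should say so, e.g. `/* checked after the read: relies on guard bytes following next_frame */`. In the scfsi loop of mad_layer_II the test sits after an unbraced `if (allocation[ch][sb])`, so it also runs on iterations that read nothing; bracing the `if` around both the read and the test would make the intent explicit. The same five lines are repeated at every read site, so one static helper that sets `stream->error` and `stream->sync` and returns -1 would keep the copies from drifting apart. Both function bodies begin and end outside the hunks shown.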
Copied: branches/2019Q4/audio/libmad/files/patch-layer3.c (from r517408, head/audio/libmad/files/patch-layer3.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2019Q4/audio/libmad/files/patch-layer3.c Thu Nov 14 14:07:25 2019 (r517566, copy of r517408, head/audio/libmad/files/patch-layer3.c)
@@ -0,0 +1,17 @@
+Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
+
+--- layer3.c.orig 2004-01-23 09:41:32 UTC
++++ layer3.c
+@@ -2608,6 +2608,12 @@ int mad_layer_III(struct mad_stream *str
+ next_md_begin = 0;
+
+ md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ frame_used = 0;
+
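Review bot: The new guard on `md_len` in mad_layer_III carries no comment saying which buffer it protects or why MAD_BUFFER_GUARD is added to the length, and the copy it presumably guards is outside the hunk. A line such as `/* main data plus guard bytes must fit in MAD_BUFFER_MDLEN */` above the test would record that. The comparison is also more robust written as `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD)`, which cannot wrap if `md_len` is an unsigned type; its declaration is not visible here, so that is a precaution rather than a confirmed defect.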