Date: Wed, 13 Nov 2019 23:24:54 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r517408 - in head/audio/libmad: . files Message-ID: <201911132324.xADNOsN5032322@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Wed Nov 13 23:24:54 2019 New Revision: 517408 URL: https://svnweb.freebsd.org/changeset/ports/517408 Log: Fix CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374 - Bump PORTREVISION for package change Differential Revision: https://reviews.freebsd.org/D22300 Submitted by: Daniel Engberg <daniel.engberg.lists@pyret.net> Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 Security: b48e7b14-052a-11ea-a1de-53b029d2b061 MFH: 2019Q4 Added: head/audio/libmad/files/patch-layer12.c (contents, props changed) head/audio/libmad/files/patch-layer3.c (contents, props changed) Modified: head/audio/libmad/Makefile Modified: head/audio/libmad/Makefile ============================================================================== --- head/audio/libmad/Makefile Wed Nov 13 23:24:48 2019 (r517407) +++ head/audio/libmad/Makefile Wed Nov 13 23:24:54 2019 (r517408) @@ -3,7 +3,7 @@ PORTNAME= libmad PORTVERSION= 0.15.1b -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= audio MASTER_SITES= SF/mad/${PORTNAME}/${PORTVERSION} Added: head/audio/libmad/files/patch-layer12.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libmad/files/patch-layer12.c Wed Nov 13 23:24:54 2019 (r517408) @@ -0,0 +1,175 @@ +Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 + +--- layer12.c.orig 2004-02-05 09:02:39 UTC ++++ layer12.c +@@ -134,6 +134,12 @@ int mad_layer_I(struct mad_stream *strea + for (sb = 0; sb < bound; ++sb) { + for (ch = 0; ch < nch; ++ch) { + nb = mad_bit_read(&stream->ptr, 4); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + if (nb == 15) { + stream->error = MAD_ERROR_BADBITALLOC; +@@ -146,6 +152,12 @@ int mad_layer_I(struct mad_stream *strea + + for (sb = bound; sb < 32; ++sb) { + nb = mad_bit_read(&stream->ptr, 4); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + if (nb == 15) { + stream->error = MAD_ERROR_BADBITALLOC; +@@ -162,6 +174,12 @@ int mad_layer_I(struct mad_stream *strea + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { + scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + # if defined(OPT_STRICT) + /* +@@ -187,6 +205,12 @@ int mad_layer_I(struct mad_stream *strea + frame->sbsample[ch][s][sb] = nb ? + mad_f_mul(I_sample(&stream->ptr, nb), + sf_table[scalefactor[ch][sb]]) : 0; ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + } + +@@ -195,6 +219,12 @@ int mad_layer_I(struct mad_stream *strea + mad_fixed_t sample; + + sample = I_sample(&stream->ptr, nb); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (ch = 0; ch < nch; ++ch) { + frame->sbsample[ch][s][sb] = +@@ -403,7 +433,15 @@ int mad_layer_II(struct mad_stream *stre + nbal = bitalloc_table[offsets[sb]].nbal; + + for (ch = 0; ch < nch; ++ch) ++ { + allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } ++ } + } + + for (sb = bound; sb < sblimit; ++sb) { +@@ -411,6 +449,13 @@ int mad_layer_II(struct mad_stream *stre + + allocation[0][sb] = + allocation[1][sb] = mad_bit_read(&stream->ptr, nbal); ++ ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + + /* decode scalefactor selection info */ +@@ -419,6 +464,12 @@ int mad_layer_II(struct mad_stream *stre + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) + scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + } + +@@ -442,6 +493,12 @@ int mad_layer_II(struct mad_stream *stre + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { + scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + switch (scfsi[ch][sb]) { + case 2: +@@ -452,11 +509,23 @@ int mad_layer_II(struct mad_stream *stre + + case 0: + scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + /* fall through */ + + case 1: + case 3: + scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + + if (scfsi[ch][sb] & 1) +@@ -488,6 +557,12 @@ int mad_layer_II(struct mad_stream *stre + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + + II_samples(&stream->ptr, &qc_table[index], samples); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (s = 0; s < 3; ++s) { + frame->sbsample[ch][3 * gr + s][sb] = +@@ -506,6 +581,12 @@ int mad_layer_II(struct mad_stream *stre + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + + II_samples(&stream->ptr, &qc_table[index], samples); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (ch = 0; ch < nch; ++ch) { + for (s = 0; s < 3; ++s) { Added: head/audio/libmad/files/patch-layer3.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libmad/files/patch-layer3.c Wed Nov 13 23:24:54 2019 (r517408) @@ -0,0 +1,17 @@ +Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 + +--- layer3.c.orig 2004-01-23 09:41:32 UTC ++++ layer3.c +@@ -2608,6 +2608,12 @@ int mad_layer_III(struct mad_stream *str + next_md_begin = 0; + + md_len = si.main_data_begin + frame_space - next_md_begin; ++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + frame_used = 0; +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201911132324.xADNOsN5032322>