author | Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> | 2019-11-13 23:24:54 +0000 |
---|---|---|
committer | Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> | 2019-11-13 23:24:54 +0000 |
commit | f3a0cc6e099c0b483cef3810baed0e67157fa145 (patch) | |
tree | eca942e10fa4a2a28d8bd45085b02bbc9b2663b1 /audio/libmad | |
parent | ba0f8560cdeeeb977d20dfb36b5fe7670a7476dd (diff) | |
Fix CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374
- Bump PORTREVISION for package change
Differential Revision: https://reviews.freebsd.org/D22300
Submitted by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
Security: b48e7b14-052a-11ea-a1de-53b029d2b061
MFH: 2019Q4
Notes
Notes:
svn path=/head/; revision=517408
Diffstat (limited to 'audio/libmad')
-rw-r--r-- | audio/libmad/Makefile | 2 | ||||
-rw-r--r-- | audio/libmad/files/patch-layer12.c | 175 | ||||
-rw-r--r-- | audio/libmad/files/patch-layer3.c | 17 |
3 files changed, 193 insertions, 1 deletions
diff --git a/audio/libmad/Makefile b/audio/libmad/Makefile index 238bd6e2639f..18a1a1ff5a11 100644 --- a/audio/libmad/Makefile +++ b/audio/libmad/Makefile @@ -3,7 +3,7 @@ PORTNAME= libmad PORTVERSION= 0.15.1b -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= audio MASTER_SITES= SF/mad/${PORTNAME}/${PORTVERSION} diff --git a/audio/libmad/files/patch-layer12.c b/audio/libmad/files/patch-layer12.c new file mode 100644 index 000000000000..27e572259ff9 --- /dev/null +++ b/audio/libmad/files/patch-layer12.c 
@@ -0,0 +1,175 @@ +Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 + +--- layer12.c.orig 2004-02-05 09:02:39 UTC ++++ layer12.c +@@ -134,6 +134,12 @@ int mad_layer_I(struct mad_stream *strea + for (sb = 0; sb < bound; ++sb) { + for (ch = 0; ch < nch; ++ch) { + nb = mad_bit_read(&stream->ptr, 4); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + if (nb == 15) { + stream->error = MAD_ERROR_BADBITALLOC; +@@ -146,6 +152,12 @@ int mad_layer_I(struct mad_stream *strea + + for (sb = bound; sb < 32; ++sb) { + nb = mad_bit_read(&stream->ptr, 4); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + if (nb == 15) { + stream->error = MAD_ERROR_BADBITALLOC; +@@ -162,6 +174,12 @@ int mad_layer_I(struct mad_stream *strea + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { + scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + # if defined(OPT_STRICT) + /* +@@ -187,6 +205,12 @@ int mad_layer_I(struct mad_stream *strea + frame->sbsample[ch][s][sb] = nb ? 
+ mad_f_mul(I_sample(&stream->ptr, nb), + sf_table[scalefactor[ch][sb]]) : 0; ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + } + +@@ -195,6 +219,12 @@ int mad_layer_I(struct mad_stream *strea + mad_fixed_t sample; + + sample = I_sample(&stream->ptr, nb); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (ch = 0; ch < nch; ++ch) { + frame->sbsample[ch][s][sb] = +@@ -403,7 +433,15 @@ int mad_layer_II(struct mad_stream *stre + nbal = bitalloc_table[offsets[sb]].nbal; + + for (ch = 0; ch < nch; ++ch) ++ { + allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } ++ } + } + + for (sb = bound; sb < sblimit; ++sb) { +@@ -411,6 +449,13 @@ int mad_layer_II(struct mad_stream *stre + + allocation[0][sb] = + allocation[1][sb] = mad_bit_read(&stream->ptr, nbal); ++ ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + + /* decode scalefactor selection info */ +@@ -419,6 +464,12 @@ int mad_layer_II(struct mad_stream *stre + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) + scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + } + +@@ -442,6 +493,12 @@ int mad_layer_II(struct mad_stream *stre + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { + scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + switch (scfsi[ch][sb]) { + case 2: +@@ 
-452,11 +509,23 @@ int mad_layer_II(struct mad_stream *stre + + case 0: + scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + /* fall through */ + + case 1: + case 3: + scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + } + + if (scfsi[ch][sb] & 1) +@@ -488,6 +557,12 @@ int mad_layer_II(struct mad_stream *stre + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + + II_samples(&stream->ptr, &qc_table[index], samples); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (s = 0; s < 3; ++s) { + frame->sbsample[ch][3 * gr + s][sb] = +@@ -506,6 +581,12 @@ int mad_layer_II(struct mad_stream *stre + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + + II_samples(&stream->ptr, &qc_table[index], samples); ++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + for (ch = 0; ch < nch; ++ch) { + for (s = 0; s < 3; ++s) { diff --git a/audio/libmad/files/patch-layer3.c b/audio/libmad/files/patch-layer3.c new file mode 100644 index 000000000000..5f7455f5382b --- /dev/null +++ b/audio/libmad/files/patch-layer3.c 
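Review bot: Every guard added to mad_layer_I and mad_layer_II tests `mad_bit_nextbyte(&stream->ptr) > stream->next_frame` only after `mad_bit_read()`, `I_sample()` or `II_samples()` has already consumed the bits, so a read that crosses the frame boundary still happens and is only detected afterwards. That is safe only if the input buffer has slack past `next_frame` (presumably the MAD_BUFFER_GUARD bytes, but the patch does not say), so the patch header should state it, e.g. `Checks run after each read and rely on MAD_BUFFER_GUARD bytes of slack past next_frame.` In the scfsi loop the new check follows an unbraced `if (allocation[ch][sb])`, so it runs on every iteration although its placement reads as if it belonged to the `if`; bracing that `if` would make the intent explicit. The same six lines are repeated at every site, and a single static helper called as `if (frame_overrun(stream)) return -1;` would keep the copies from drifting apart. Both function bodies extend beyond the hunks shown.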
@@ -0,0 +1,17 @@ +Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 + +--- layer3.c.orig 2004-01-23 09:41:32 UTC ++++ layer3.c +@@ -2608,6 +2608,12 @@ int mad_layer_III(struct mad_stream *str + next_md_begin = 0; + + md_len = si.main_data_begin + frame_space - next_md_begin; ++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) ++ { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + frame_used = 0; + |
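Review bot: The new test `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN` in mad_layer_III has no comment saying what it protects, or why an oversized main-data length is reported as MAD_ERROR_LOSTSYNC with `stream->sync = 0`. I would add above it `/* main data for this frame must fit the MAD_BUFFER_MDLEN buffer with MAD_BUFFER_GUARD bytes to spare */`, with the wording confirmed against the buffer's declaration, which is outside the hunk. The patch header cites only the Debian bug, while the commit message names CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374; listing the ones this file addresses would let an auditor map each CVE to its hunk. mad_layer_III continues outside the hunk, so whether later uses of md_len need the same bound cannot be judged from here.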