mirror of
https://git.FreeBSD.org/ports.git
synced 2024-10-19 19:59:43 +00:00
Fix CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374
- Bump PORTREVISION for package change Differential Revision: https://reviews.freebsd.org/D22300 Submitted by: Daniel Engberg <daniel.engberg.lists@pyret.net> Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15 Security: b48e7b14-052a-11ea-a1de-53b029d2b061 MFH: 2019Q4
parent
ba0f8560cd
commit
f3a0cc6e09
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=517408
@ -3,7 +3,7 @@
|
||||
|
||||
PORTNAME= libmad
|
||||
PORTVERSION= 0.15.1b
|
||||
PORTREVISION= 6
|
||||
PORTREVISION= 7
|
||||
CATEGORIES= audio
|
||||
MASTER_SITES= SF/mad/${PORTNAME}/${PORTVERSION}
|
||||
|
||||
|
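--- a/audio/libmad/files/patch-layer12.c
+++ b/audio/libmad/files/patch-layer12.c
@@ -0,0 +1,175 @@
+Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
+
+--- layer12.c.orig 2004-02-05 09:02:39 UTC
++++ layer12.c
+@@ -134,6 +134,12 @@ int mad_layer_I(struct mad_stream *strea
+for (sb = 0; sb < bound; ++sb) {
+for (ch = 0; ch < nch; ++ch) {
+nb = mad_bit_read(&stream->ptr, 4);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+if (nb == 15) {
+stream->error = MAD_ERROR_BADBITALLOC;
+@@ -146,6 +152,12 @@ int mad_layer_I(struct mad_stream *strea
+
+for (sb = bound; sb < 32; ++sb) {
+nb = mad_bit_read(&stream->ptr, 4);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+if (nb == 15) {
+stream->error = MAD_ERROR_BADBITALLOC;
+@@ -162,6 +174,12 @@ int mad_layer_I(struct mad_stream *strea
+for (ch = 0; ch < nch; ++ch) {
+if (allocation[ch][sb]) {
+scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+# if defined(OPT_STRICT)
+/*
+@@ -187,6 +205,12 @@ int mad_layer_I(struct mad_stream *strea
+frame->sbsample[ch][s][sb] = nb ?
+mad_f_mul(I_sample(&stream->ptr, nb),
+sf_table[scalefactor[ch][sb]]) : 0;
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+}
+}
+
+@@ -195,6 +219,12 @@ int mad_layer_I(struct mad_stream *strea
+mad_fixed_t sample;
+
+sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+for (ch = 0; ch < nch; ++ch) {
+frame->sbsample[ch][s][sb] =
+@@ -403,7 +433,15 @@ int mad_layer_II(struct mad_stream *stre
+nbal = bitalloc_table[offsets[sb]].nbal;
+
+for (ch = 0; ch < nch; ++ch)
++ {
+allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ }
+}
+
+for (sb = bound; sb < sblimit; ++sb) {
+@@ -411,6 +449,13 @@ int mad_layer_II(struct mad_stream *stre
+
+allocation[0][sb] =
+allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
++
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+}
+
+/* decode scalefactor selection info */
+@@ -419,6 +464,12 @@ int mad_layer_II(struct mad_stream *stre
+for (ch = 0; ch < nch; ++ch) {
+if (allocation[ch][sb])
+scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+}
+}
+
+@@ -442,6 +493,12 @@ int mad_layer_II(struct mad_stream *stre
+for (ch = 0; ch < nch; ++ch) {
+if (allocation[ch][sb]) {
+scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+switch (scfsi[ch][sb]) {
+case 2:
+@@ -452,11 +509,23 @@ int mad_layer_II(struct mad_stream *stre
+
+case 0:
+scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+/* fall through */
+
+case 1:
+case 3:
+scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+}
+
+if (scfsi[ch][sb] & 1)
+@@ -488,6 +557,12 @@ int mad_layer_II(struct mad_stream *stre
+index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+II_samples(&stream->ptr, &qc_table[index], samples);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+for (s = 0; s < 3; ++s) {
+frame->sbsample[ch][3 * gr + s][sb] =
+@@ -506,6 +581,12 @@ int mad_layer_II(struct mad_stream *stre
+index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+II_samples(&stream->ptr, &qc_table[index], samples);
++ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+for (ch = 0; ch < nch; ++ch) {
+for (s = 0; s < 3; ++s) {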
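Review bot: Every added guard runs after the read it protects (`mad_bit_read`, `I_sample`, `II_samples`), so these checks limit how far decoding can run past `stream->next_frame` rather than stopping the first out-of-frame read. That is only safe if the input buffer always carries padding beyond `next_frame` at least as long as the largest single read between two checks (presumably the `MAD_BUFFER_GUARD` bytes, but that is not visible in this patch); a comment such as `/* post-read check: relies on guard bytes after next_frame */` at the first site would record the assumption. The same six-line block is pasted thirteen times across `mad_layer_I` and `mad_layer_II`, so one `static` helper that sets `MAD_ERROR_LOSTSYNC`, clears `sync` and returns -1 would make a missed read site much easier to spot. In the `@@ -419,6 +464,12 @@` hunk the guard follows an unbraced `if (allocation[ch][sb])` and therefore runs on every iteration, not only after the `scfsi` read; this is harmless, but bracing that `if` would make the scope explicit. Both function bodies continue outside the hunks shown.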
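--- a/audio/libmad/files/patch-layer3.c
+++ b/audio/libmad/files/patch-layer3.c
@@ -0,0 +1,17 @@
+Obtained from: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133#15
+
+--- layer3.c.orig 2004-01-23 09:41:32 UTC
++++ layer3.c
+@@ -2608,6 +2608,12 @@ int mad_layer_III(struct mad_stream *str
+next_md_begin = 0;
+
+md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
++ {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+frame_used = 0;
+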
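Review bot: The new bound is written as `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN`, where the addition can wrap if `md_len` is an unsigned value near its maximum. Its declaration is outside this hunk, so that needs confirming, but `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD)` states the same limit without the addition, assuming `MAD_BUFFER_MDLEN` is larger than `MAD_BUFFER_GUARD`. `md_len` is computed from the stream-supplied `si.main_data_begin` on the line above, and this is the only visible limit on it before it is used further down in `mad_layer_III`, whose body continues outside the hunk. A short comment such as `/* md_len comes from frame data; reject values above MAD_BUFFER_MDLEN less the guard */` would record why the frame is dropped with LOSTSYNC here.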