Commit 2294a75b authored by Rasmus Thomsen, committed by Leonardo Arena

main/libmad: fix CVE-2017-8372, CVE-2017-8373, CVE-2017-8374

Fixes #8905
parent e1c28f4a
......@@ -2,12 +2,12 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libmad
pkgver=0.15.1b
pkgrel=8
pkgrel=9
pkgdesc="A high-quality MPEG audio decoder"
url="http://www.underbit.com/products/mad/"
arch="all"
options="!check" # No test suite.
license="GPL-2.0+"
license="GPL-2.0-or-later"
subpackages="$pkgname-dev"
depends=
makedepends="autoconf automake libtool"
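Review bot: the license change from GPL-2.0+ to GPL-2.0-or-later in this hunk is an SPDX identifier update unrelated to the three CVE fixes and is not mentioned in the commit message; either note it there or split it into its own commit so the security fix stays self-contained and easy to backport.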
......@@ -17,9 +17,17 @@ source="https://downloads.sourceforge.net/sourceforge/mad/$pkgname-$pkgver.tar.g
automake.patch
libmad.thumb.patch
Provide-Thumb-2-alternative-code-for-MAD_F_MLN.patch
length-check.patch
md_size.patch
mad.pc
"
# secfixes:
# 0.15.1b-r9:
# - CVE-2017-8372
# - CVE-2017-8373
# - CVE-2017-8374
prepare() {
cd "$builddir"
update_config_sub
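Review bot: the secfixes block lists the three CVEs under 0.15.1b-r9, but nothing records which of the two new patches (length-check.patch, md_size.patch) addresses which CVE, or where they were taken from (the md_size.patch header below names Kurt Roeckx as its author). A line in the commit message or a comment next to the two source entries would help whoever has to rebase these patches later.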
......@@ -52,4 +60,6 @@ sha512sums="2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5
e73ec5ae3b14e8d45579b52bcc561a309b85e1e51d946e061e2f0a9252f515e48e2d818e8bdce1adf5a9801ec314be8c911914d0bb12f9113a7afc54cf385250 automake.patch
82c7e89433ceee2c9e48fc8930ea591f722b48e0a928721322a15c15e5c6a018c013d45deae583c4e583591a4cb9de50d0b2bd2ff76e18da3198609e8ea5cb33 libmad.thumb.patch
9e9af20050c922c1c2f0b55009ae0eb20c9381eaff071f0dfee8a7b3a357e58f835f69364beb99820f5672459d88ac483d2419e1f9532d763779aafad7cbf72b Provide-Thumb-2-alternative-code-for-MAD_F_MLN.patch
dd412962246d4c9db8c07dbafcaba2f64fdc0c94cf6bcc3f4f0f88a92800f40e550cc56dc8a2324c0123d9c70a89055dc50cd714206d7886e2f6877d4cc26600 length-check.patch
511fc4496044bc676e1957c5085aded89e33248c5ee4c965c76c609904086911dcc912a943be98244b2d7e5f140f432584722cc3b53fdb27265328322a727427 md_size.patch
ec0b14bd0c6236a216107b507b92c06e295352f1657ba5e45f37fff220a73e1454b262ac36fc715d698c4ffd210d348fca71cf0198e2c49d16fe0ec5ea839f08 mad.pc"
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 28 Jan 2018 15:44:08 +0100
Subject: Check the size of the main data
The main data to decode a frame can come from the current frame and part of the
previous frame, the so-called bit reservoir. si.main_data_begin is the part of
the previous frame we need for this frame. frame_space is the amount of main
data that can be in this frame, and next_md_begin is the part of this frame that
is going to be used for the next frame.

The maximum amount of data from a previous frame that the format allows is 511
bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
So those defines are not large enough:
# define MAD_BUFFER_GUARD 8
# define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)

There is also support for a "free" bitrate which allows you to create any frame
size, which can be larger than the buffer.

Changing the defines is not an option since it's part of the ABI, so we check
that the main data fits in the buffer.

The previous frame data is stored in *stream->main_data and contains
stream->md_len bytes. If stream->md_len is larger than the data we
need from the previous frame (si.main_data_begin) it still wouldn't fit
in the buffer, so just keep the data that we need.
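As an added illustration of the sizing argument in the description above (this is example code, not part of the patch or of libmad): the two #define values are the ones quoted in the description; max_frame_bytes, main_data_fits and trim_reservoir are names invented here that mirror the patch's bounds check and its memmove, and the 1044-byte frame and the 600-byte reservoir are constructed inputs.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Values quoted in the patch description above. */
#define MAD_BUFFER_GUARD 8
#define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)

/* Worst-case frame size for a bitrate/sample-rate pair, using the formula
 * from the description: 72 * (bitrate / samplerate) + 1 bytes. */
unsigned max_frame_bytes(unsigned bitrate, unsigned samplerate)
{
    return 72 * (bitrate / samplerate) + 1;
}

/* Mirror of the check the patch adds. md_len is the number of main-data
 * bytes this frame needs: the reservoir part (main_data_begin) plus this
 * frame's part (frame_space) minus what is held back for the next frame
 * (next_md_begin). Returns 1 if md_len plus the guard fits the fixed
 * buffer, 0 if the frame must be rejected. A next_md_begin larger than
 * frame_space is treated as invalid here (an assumption of this example). */
int main_data_fits(unsigned main_data_begin, unsigned frame_space,
                   unsigned next_md_begin, unsigned *md_len_out)
{
    if (next_md_begin > frame_space)
        return 0;
    unsigned md_len = main_data_begin + frame_space - next_md_begin;
    if (md_len_out)
        *md_len_out = md_len;
    return md_len + MAD_BUFFER_GUARD <= MAD_BUFFER_MDLEN;
}

/* Mirror of the memmove the patch adds: keep only the last main_data_begin
 * bytes of a reservoir holding md_len bytes, moved to the front of the
 * buffer. Returns the new reservoir length, or -1 when the reservoir is
 * shorter than requested (the source pointer would lie before the buffer). */
int trim_reservoir(unsigned char *reservoir, size_t md_len, size_t main_data_begin)
{
    if (main_data_begin > md_len)
        return -1;
    memmove(reservoir, reservoir + md_len - main_data_begin, main_data_begin);
    return (int)main_data_begin;
}

/* Constructed demo: a 600-byte reservoir numbered 0..599, trimmed to the
 * 511 bytes a frame may reference; returns the byte now at the front. */
unsigned demo_trim_first_byte(void)
{
    unsigned char reservoir[MAD_BUFFER_MDLEN];
    for (size_t i = 0; i < 600; i++)
        reservoir[i] = (unsigned char)i;
    trim_reservoir(reservoir, 600, 511);
    return reservoir[0];   /* original byte 89, since 600 - 511 = 89 */
}

int main(void)
{
    unsigned worst = max_frame_bytes(320000, 8000);
    unsigned md_len = 0;
    printf("buffer %d bytes, worst-case frame %u bytes\n", MAD_BUFFER_MDLEN, worst);
    printf("511-byte reservoir + worst-case frame: %s\n",
           main_data_fits(511, worst, 0, &md_len) ? "fits" : "rejected");
    printf("511-byte reservoir + 1044-byte frame: %s\n",
           main_data_fits(511, 1044, 0, &md_len) ? "fits" : "rejected");
    printf("trimmed reservoir starts with byte %u\n", demo_trim_first_byte());
    return 0;
}
```

With these values the buffer is 2567 bytes, so the 511-byte reservoir plus the 2881-byte worst-case frame (3392 bytes, plus the 8-byte guard) is rejected, while 511 + 1044 bytes fits; the largest frame_space that still passes with a full 511-byte reservoir is 2048, which is exactly the middle term of MAD_BUFFER_MDLEN.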
Index: libmad-0.15.1b/layer3.c
===================================================================
--- libmad-0.15.1b.orig/layer3.c
+++ libmad-0.15.1b/layer3.c
@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
next_md_begin = 0;
md_len = si.main_data_begin + frame_space - next_md_begin;
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
frame_used = 0;
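Review bot: the new check maps an oversized main-data request to MAD_ERROR_LOSTSYNC and clears sync without saying why; a one-line comment at the `if` stating the invariant it protects (md_len bytes plus MAD_BUFFER_GUARD must fit in the MAD_BUFFER_MDLEN main_data buffer, as the description above explains) would make the relationship clear to later readers, since the defines live in another file. Consider also whether a free-format frame larger than the buffer deserves a distinct error rather than lost sync, since callers commonly treat lost sync as a recoverable glitch and simply keep resyncing.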
@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
}
}
else {
- mad_bit_init(&ptr,
- *stream->main_data + stream->md_len - si.main_data_begin);
+ memmove(stream->main_data,
+ *stream->main_data + stream->md_len - si.main_data_begin,
+ si.main_data_begin);
+ stream->md_len = si.main_data_begin;
+ mad_bit_init(&ptr, *stream->main_data);
if (md_len > si.main_data_begin) {
assert(stream->md_len + md_len -
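Review bot: the memmove at the top of the else branch reads from `*stream->main_data + stream->md_len - si.main_data_begin`, which only points inside the buffer when si.main_data_begin <= stream->md_len; nothing in this hunk shows that guarantee, so either add the check here or add a comment pointing at where it is enforced. memmove also needs <string.h>, which this patch does not add; fine if layer3.c already includes it, otherwise it should. The hunk is cut off mid-statement at the assert, so the remainder could not be reviewed from this view.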