head 1.2; access; symbols pkgsrc-2019Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2019.09.14.13.34.06; author nia; state dead; branches; next 1.1; commitid eVf0rNgIks360ZCB; 1.1 date 2019.07.11.09.03.35; author nia; state Exp; branches 1.1.2.1; next ; commitid qSHZgz87hSXGABuB; 1.1.2.1 date 2019.07.11.09.03.35; author bsiegert; state dead; branches; next 1.1.2.2; commitid CfDYJ95yh410fSuB; 1.1.2.2 date 2019.07.13.11.12.03; author bsiegert; state Exp; branches; next ; commitid CfDYJ95yh410fSuB; desc @@ 1.2 log @faad2: Update to 2.9.0 Changes: [ Krzysztof Nikiel ] Build system fixes and code clean-up [ LoRd_MuldeR ] Fix compiler warnings and code indentation Fix compilation with GCC <= 4.7.3 MSVC solution file clean-up [ Cameron Cawley ] Fix compilation with GCC 4.7.4 Fix compilation with MinGW [ Michael Fink ] MSVC 2017 project file update [ Hugo Lefeuvre ] Fix crash with unsupported MP4 files (NULL pointer dereference, division by zero) CVE-2019-6956: ps_dec: sanitize iid_index before mixing CVE-2018-20196: sbr_fbt: sanitize sbr->M (should not exceed MAX_M) CVE-2018-20199, CVE-2018-20360: specrec: better handle unexpected parametric stereo (PS) CVE-2018-20362, CVE-2018-19504, CVE-2018-20195, CVE-2018-20198, CVE-2018-20358: syntax.c: check for syntax element inconsistencies CVE-2018-20194, CVE-2018-19503, CVE-2018-20197, CVE-2018-20357, CVE-2018-20359, CVE-2018-20361: sbr_hfadj: sanitize frequency band borders [ Hugo Beauzée-Luyssen ] CVE-2019-15296, CVE-2018-19502: Fix a couple buffer overflows [ Filip Roséen ] Prevent crash on SCE followed by CPE [ Gianfranco Costamagna ] Fix linking with GCC 9 and "-Wl,--as-needed" [ Fabian Greffrath ] Enable the frontend to be built reproducibly @ text @$NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $ Implicit channel mapping reconfiguration is explicitly forbidden by ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such files and reject them. 
FAAD2 does not perform any kind of checks regarding this. This leads to security vulnerabilities when processing crafted AAC files performing such reconfigurations. Add checks to decode_sce_lfe and decode_cpe to make sure such inconsistencies are detected as early as possible. These checks first read hDecoder->frame: if this is not the first frame then we make sure that the syntax element at the same position in the previous frame also had element_id id_syn_ele. If not, return 21 as this is a fatal file structure issue. This patch addresses CVE-2018-20362 and possibly other related issues. Upstream commit: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch Buffer overflow fix, no CVE, upstream commit: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch --- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000 +++ libfaad/syntax.c @@@@ -344,6 +344,12 @@@@ static void decode_sce_lfe(NeAACDecStruc can become 2 when some form of Parametric Stereo coding is used */ + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { + /* element inconsistency */ + hInfo->error = 21; + return; + } + /* save the syntax element id */ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; @@@@ -395,6 +401,12 @@@@ static void decode_cpe(NeAACDecStruct *h return; } + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { + /* element inconsistency */ + hInfo->error = 21; + return; + } + /* save the syntax element id */ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; @@@@ -2292,6 +2304,8 @@@@ static uint8_t excluded_channels(bitfile while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1) { + if (i >= MAX_CHANNELS - num_excl_chan - 7) + return n; for (i = num_excl_chan; i < num_excl_chan+7; i++) { drc->exclude_mask[i] = faad_get1bit(ld @ 1.1 log @faad2: Backport some security fixes 
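Review bot: The literal 21 stored into hInfo->error by the new consistency check in decode_sce_lfe is a bare magic number, repeated verbatim in the decode_cpe hunk that follows, and the `/* element inconsistency */` comment does not say which err_msg entry it selects; either widen the comment to `/* element inconsistency: error 21 ("Unexpected channel configuration change" in error.c, if that table is unchanged) */` or hoist the check into one static helper shared by both functions so the code and its explanation live in one place. The comparison indexes element_id[] by fr_ch_ele with no bound visible in the hunk, so it is only safe because a MAX_SYNTAX_ELEMENTS check appears to precede it in both functions; keep the new block after that check rather than moving it to the top of the function. The check is also per-position only: a frame carrying fewer syntax elements than the previous one matches at every position it does have, so a shrinking configuration is rejected only if the element count is compared elsewhere, which is worth confirming before treating this as the complete fix for the reconfiguration issue. Both enclosing functions start and end outside their hunks, and the same two hunks reappear unchanged in the 1.1.2.2 revision text later on this page.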
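Review bot: The new guard in excluded_channels is phrased through `i`, the index left over from the previous inner for loop, rather than through num_excl_chan, the value the loop actually writes from; `i >= MAX_CHANNELS - num_excl_chan - 7` is therefore hard to relate to the size of exclude_mask, and if num_excl_chan is advanced by 7 after each pass (outside the hunk) so that i equals num_excl_chan here, it stops well short of what an array of MAX_CHANNELS entries would allow. Writing it as `if (num_excl_chan + 7 > MAX_CHANNELS) return n;` states the invariant directly, since the inner loop touches exclude_mask[num_excl_chan .. num_excl_chan+6], and is easier to audit, assuming exclude_mask is sized MAX_CHANNELS. The early `return n` is reached after the additional_excluded_chns bit has already been consumed from the bitstream but before the seven mask bits, so the caller resumes parsing the DRC element from a misaligned position with no error raised; a comment stating that this truncation is accepted, or an error path, would document the intent. The function starts and ends outside the hunk, and the identical hunk reappears in the 1.1.2.2 revision text on this page.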
from upstream. CVE-2018-20194: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch CVE-2018-20362: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch Misc buffer overflows: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-20362 was added on branch pkgsrc-2019Q2 on 2019-07-13 11:12:03 +0000 @ text @d1 63 @ 1.1.2.2 log @Pullup ticket #5996 - requested by nia audio/faad2: security fix Revisions pulled up: - audio/faad2/Makefile 1.53 - audio/faad2/distinfo 1.27 - audio/faad2/patches/patch-CVE-2018-20194 1.1 - audio/faad2/patches/patch-CVE-2018-20362 1.1 - audio/faad2/patches/patch-libfaad_bits.c 1.1 --- Module Name: pkgsrc Committed By: nia Date: Thu Jul 11 09:03:35 UTC 2019 Modified Files: pkgsrc/audio/faad2: Makefile distinfo Added Files: pkgsrc/audio/faad2/patches: patch-CVE-2018-20194 patch-CVE-2018-20362 patch-libfaad_bits.c Log Message: faad2: Backport some security fixes from upstream. CVE-2018-20194: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch CVE-2018-20362: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch Misc buffer overflows: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch @ text @a0 63 $NetBSD: patch-CVE-2018-20362,v 1.1 2019/07/11 09:03:35 nia Exp $ Implicit channel mapping reconfiguration is explicitely forbidden by ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such files and reject them. FAAD2 does not perform any kind of checks regarding this. This leads to security vulnerabilities when processing crafted AAC files performing such reconfigurations. Add checks to decode_sce_lfe and decode_cpe to make sure such inconsistencies are detected as early as possible. 
These checks first read hDecoder->frame: if this is not the first frame then we make sure that the syntax element at the same position in the previous frame also had element_id id_syn_ele. If not, return 21 as this is a fatal file structure issue. This patch addresses CVE-2018-20362 and possibly other related issues. Upstream commit: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14.patch Buffer overflow fix, no CVE, upstream commit: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174.patch --- libfaad/syntax.c.orig 2017-10-30 17:44:16.000000000 +0000 +++ libfaad/syntax.c @@@@ -344,6 +344,12 @@@@ static void decode_sce_lfe(NeAACDecStruc can become 2 when some form of Parametric Stereo coding is used */ + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { + /* element inconsistency */ + hInfo->error = 21; + return; + } + /* save the syntax element id */ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; @@@@ -395,6 +401,12 @@@@ static void decode_cpe(NeAACDecStruct *h return; } + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { + /* element inconsistency */ + hInfo->error = 21; + return; + } + /* save the syntax element id */ hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; @@@@ -2292,6 +2304,8 @@@@ static uint8_t excluded_channels(bitfile while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1) { + if (i >= MAX_CHANNELS - num_excl_chan - 7) + return n; for (i = num_excl_chan; i < num_excl_chan+7; i++) { drc->exclude_mask[i] = faad_get1bit(ld @