head	1.1;
access;
symbols
	pkgsrc-2026Q1:1.1.0.20
	pkgsrc-2026Q1-base:1.1
	pkgsrc-2025Q4:1.1.0.18
	pkgsrc-2025Q4-base:1.1
	pkgsrc-2025Q3:1.1.0.16
	pkgsrc-2025Q3-base:1.1
	pkgsrc-2025Q2:1.1.0.14
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.12
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.10
	pkgsrc-2024Q4-base:1.1
	pkgsrc-2024Q3:1.1.0.8
	pkgsrc-2024Q3-base:1.1
	pkgsrc-2024Q2:1.1.0.6
	pkgsrc-2024Q2-base:1.1
	pkgsrc-2024Q1:1.1.0.4
	pkgsrc-2024Q1-base:1.1
	pkgsrc-2023Q4:1.1.0.2
	pkgsrc-2023Q4-base:1.1;
locks; strict;
comment	@# @;


1.1
date	2023.11.13.15.22.45;	author wiz;	state Exp;
branches;
next	;
commitid	Jse6pLZJaXc2IsME;


desc
@@


1.1
log
@faad2: update to 2.11.0.

2.11.0:

[ Eugène Filin ]
* Fix incorrect variable initialization

[ Eugene Kliuchnikov ]
* CI/CD, build, etc
    - setup GitHub workflows; test build under MSVC, OSX, MSYS2, Linux
    - add CMake build system
    - additionally add Bazel build
    - remove automake and MSVC project files
    - add fuzzers that cover almost all decoder code
    - setup fuzzing for various builds: (no-)FIXED_POINT / (no-)DRM
    - remove dead code
    - address different compilers warnings
    - move version to distinguished place that different build systems can read

* "Safe" bugs
  "Safe" means that it is unlikely to be exploited; those affect the decoded
  result for (most likely) extreme inputs. Some fixes are useful only for
  "FIXED_POINT" build, since it has more restrictions on intermediate values.
    - "negative range" in estimate_current_envelope
    - integer overflow in channel downmixing
    - integer overflow in estimate_envelope
    - integer overflows caused by "practical infinite" gain
    - integer overflows in HF adjustment code
    - several "left shift of negative value"
    - priming RNG to avoid using values that do not look random at all
    - do not drop the first frame of output; other decoders don't do this
    - touching uninitialized values in lt_update_state
    - touching uninitialized values in bit-reader buffers

* "Almost Safe" bugs
  "Almost safe" means that those are unlikely to be exploited; if those
  surface depends on build options / environment.
    - division by zero in HF (noise?) generator and scale factor adjustment
    - division by zero gen_rand_vector

* "Unsafe" bugs
  "Unsafe" means that those can cause crash, or could somehow else be
  exploited.
    - CLI: accessing unallocated memory in mp4info (corrupted / zero-samples input) (CVE-2023-38857)
    - CLI: out-of-bounds when parsing mp4 header
    - CLI: crash because of wrong mp4 frame offset calculation (CVE-2023-38857)
    - error handling rvlc_decode_scale_factors (CPU bomb?)
    - null pointer dereference (in DRM + PS build)
    - index-out-of-bounds / stack-buffer-overflow in decode_sce_lfe (for streams with PCE)
    - stack-buffer-overflow in pns_decode
    - null pointer dereference (when channels change their type in the middle of the stream)
    - infinite loop on corrupted stream
    - add practical limits for scale factors; otherwise calculated NaN/Inf values could confuse further logic, resulting in access-out-of-bounds
    - check sf_index in window_grouping_info to avoid access-out-of-bounds
    - clamp bs_pointer values to avoid access-out-of-bounds
    - infinite loop in fill_element
    - sanitize input values in ps_mix_phase to avoid access-out-of-bounds
    - fix internal decoder buffer size calculation to avoid heap-out-of-bounds
    - calculate channel length multiplier even if main channel is already allocated to avoid heap-out-of-bounds
    - reserve enough slots for channels in decode_sce_lfe to avoid heap-out-of-bounds

[ David Korczynski ]
* Fuzzing integration with oss-fuzz

[ Steveice10 ]
* Add define option to disable SBR/PS support
* Fix coefficient table selection in tns_decode_coef
@
text
@$NetBSD$

Allow shared libraries.

--- CMakeLists.txt.orig 2023-11-07 08:38:42.000000000 +0000 +++ CMakeLists.txt @@@@ -30,6 +30,8 @@@@ if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin" set(CMAKE_INSTALL_NAME_DIR "${CMAKE_INSTALL_PREFIX}/lib") endif() +option(BUILD_SHARED_LIBS "Build using shared libraries" ON) + # Extract version information set(CAPTURE_PACKAGE_VERSION "[ \\t]*\"PACKAGE_VERSION\"[ \\t]*:[ \\t]\"(.*)\"") @
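Review bot: the added `option(BUILD_SHARED_LIBS "Build using shared libraries" ON)` after the Darwin `endif()` does more than the patch comment "Allow shared libraries." says: it makes shared the default for every build of this tree unless the caller passes -DBUILD_SHARED_LIBS=OFF. BUILD_SHARED_LIBS is a standard CMake variable that add_library() already honours when a target gives no explicit STATIC/SHARED type, so if the library targets (not visible in this hunk) are declared that way, passing -DBUILD_SHARED_LIBS=ON from the package Makefile would achieve the same result without carrying a local patch. If the patch stays, reword the comment to state that it changes the default to shared, and note whether it has been reported upstream.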