diff --git a/debian/patches/0004-Fix-a-couple-buffer-overflows.patch b/debian/patches/0004-Fix-a-couple-buffer-overflows.patch deleted file mode 100644 index 9038e65..0000000 --- a/debian/patches/0004-Fix-a-couple-buffer-overflows.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: =?utf-8?q?Hugo_Beauz=C3=A9e-Luyssen?= -Date: Fri, 7 Jun 2019 20:02:57 +0200 -Subject: Fix a couple buffer overflows - -https://hackerone.com/reports/502816 -https://hackerone.com/reports/507858 ---- - libfaad/bits.c | 5 ++++- - libfaad/syntax.c | 2 ++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/libfaad/bits.c b/libfaad/bits.c -index dc14d7a..4c0de24 100644 ---- a/libfaad/bits.c -+++ b/libfaad/bits.c -@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits) - int words = bits >> 5; - int remainder = bits & 0x1F; - -- ld->bytes_left = ld->buffer_size - words*4; -+ if (ld->buffer_size < words * 4) -+ ld->bytes_left = 0; -+ else -+ ld->bytes_left = ld->buffer_size - words*4; - - if (ld->bytes_left >= 4) - { -diff --git a/libfaad/syntax.c b/libfaad/syntax.c -index e7fb113..c992543 100644 ---- a/libfaad/syntax.c -+++ b/libfaad/syntax.c -@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc) - while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld - DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1) - { -+ if (i >= MAX_CHANNELS - num_excl_chan - 7) -+ return n; - for (i = num_excl_chan; i < num_excl_chan+7; i++) - { - drc->exclude_mask[i] = faad_get1bit(ld diff --git a/debian/patches/0009-syntax.c-check-for-syntax-element-inconsistencies.patch b/debian/patches/0009-syntax.c-check-for-syntax-element-inconsistencies.patch deleted file mode 100644 index c91f6ce..0000000 --- a/debian/patches/0009-syntax.c-check-for-syntax-element-inconsistencies.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 466b01d504d7e45f1e9169ac90b3e34ab94aed14 Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre -Date: Mon, 25 Feb 2019 10:49:03 +0100 -Subject: [PATCH 09/10] syntax.c: check for syntax element inconsistencies - -Implicit channel mapping reconfiguration is explicitely forbidden by -ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such -files and reject them. FAAD2 does not perform any kind of checks -regarding this. - -This leads to security vulnerabilities when processing crafted AAC -files performing such reconfigurations. - -Add checks to decode_sce_lfe and decode_cpe to make sure such -inconsistencies are detected as early as possible. - -These checks first read hDecoder->frame: if this is not the first -frame then we make sure that the syntax element at the same position -in the previous frame also had element_id id_syn_ele. If not, return -21 as this is a fatal file structure issue. - -This patch addresses CVE-2018-20362 (fixes #26) and possibly other -related issues. ---- - libfaad/syntax.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/libfaad/syntax.c b/libfaad/syntax.c -index f8e808c..e7fb113 100644 ---- a/libfaad/syntax.c -+++ b/libfaad/syntax.c -@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruct *hDecoder, - can become 2 when some form of Parametric Stereo coding is used - */ - -+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { -+ /* element inconsistency */ -+ hInfo->error = 21; -+ return; -+ } -+ - /* save the syntax element id */ - hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; - -@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, bitfi - return; - } - -+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { -+ /* element inconsistency */ -+ hInfo->error = 21; -+ return; -+ } -+ - /* save the syntax element id */ - hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; - --- -2.20.1 - diff --git a/debian/patches/0010-sbr_hfadj-sanitize-frequency-band-borders.patch b/debian/patches/0010-sbr_hfadj-sanitize-frequency-band-borders.patch deleted file mode 100644 index 157403e..0000000 --- a/debian/patches/0010-sbr_hfadj-sanitize-frequency-band-borders.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre -Date: Thu, 11 Apr 2019 09:34:07 +0200 -Subject: [PATCH 10/10] sbr_hfadj: sanitize frequency band borders - -user passed f_table_lim contains frequency band borders. Frequency -bands are groups of consecutive QMF channels. This means that their -bounds, as provided by f_table_lim, should never exceed MAX_M (maximum -number of QMF channels). c.f. ISO/IEC 14496-3:2001 - -FAAD2 does not verify this, leading to security issues when -processing files defining f_table_lim with values > MAX_M. - -This patch sanitizes the values of f_table_lim so that they can be safely -used as index for Q_M_lim and G_lim arrays. - -Fixes #21 (CVE-2018-20194). ---- - libfaad/sbr_hfadj.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c -index 3f310b8..dda1ce8 100644 ---- a/libfaad/sbr_hfadj.c -+++ b/libfaad/sbr_hfadj.c -@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) - ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; - ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; - -+ if (ml1 > MAX_M) -+ ml1 = MAX_M; -+ -+ if (ml2 > MAX_M) -+ ml2 = MAX_M; -+ - - /* calculate the accumulated E_orig and E_curr over the limiter band */ - for (m = ml1; m < ml2; m++) -@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) - ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; - ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; - -+ if (ml1 > MAX_M) -+ ml1 = MAX_M; -+ -+ if (ml2 > MAX_M) -+ ml2 = MAX_M; -+ - - /* calculate the accumulated E_orig and E_curr over the limiter band */ - for (m = ml1; m < ml2; m++) -@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) - ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; - ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; - -+ if (ml1 > MAX_M) -+ ml1 = MAX_M; -+ -+ if (ml2 > MAX_M) -+ ml2 = MAX_M; -+ - - /* calculate the accumulated E_orig and E_curr over the limiter band */ - for (m = ml1; m < ml2; m++) --- -2.20.1 - diff --git a/debian/patches/reproducible-build.patch b/debian/patches/reproducible-build.patch deleted file mode 100644 index ed0e4d1..0000000 --- a/debian/patches/reproducible-build.patch +++ /dev/null @@ -1,16 +0,0 @@ -Description: Remove timestamps from CPP macros - The C pre-processor macros '__DATE__' and '__TIME__' capture the current time - and thus will obviously make a build unreproducible. Usage of these macros - must simply be removed in order to make builds reproducible. -Author: Fabian Greffrath - ---- a/frontend/main.c -+++ b/frontend/main.c -@@ -1194,7 +1194,6 @@ int main(int argc, char *argv[]) - NeAACDecGetVersion(&faad_id_string, &faad_copyright_string); - - faad_fprintf(stderr, " *********** Ahead Software MPEG-4 AAC Decoder V%s ******************\n\n", faad_id_string); -- faad_fprintf(stderr, " Build: %s\n", __DATE__); - faad_fprintf(stderr, "%s", faad_copyright_string); - if (cap & FIXED_POINT_CAP) - faad_fprintf(stderr, " Fixed point version\n"); diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index 6d4062f..0000000 --- a/debian/patches/series +++ /dev/null @@ -1,4 +0,0 @@ -reproducible-build.patch -0009-syntax.c-check-for-syntax-element-inconsistencies.patch -0010-sbr_hfadj-sanitize-frequency-band-borders.patch -0004-Fix-a-couple-buffer-overflows.patch