Codebase list faad2 / c99198e
Remove all patches, applied upstream. Fabian Greffrath 4 years ago
5 changed file(s) with 0 addition(s) and 187 deletion(s).
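--- a/debian/patches/0004-Fix-a-couple-buffer-overflows.patch
+++ b/debian/patches/0004-Fix-a-couple-buffer-overflows.patch
@@ -1,40 +0,0 @@
-From: =?utf-8?q?Hugo_Beauz=C3=A9e-Luyssen?= <hugo@beauzee.fr>
-Date: Fri, 7 Jun 2019 20:02:57 +0200
-Subject: Fix a couple buffer overflows
-
-https://hackerone.com/reports/502816
-https://hackerone.com/reports/507858
----
-libfaad/bits.c | 5 ++++-
-libfaad/syntax.c | 2 ++
-2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/libfaad/bits.c b/libfaad/bits.c
-index dc14d7a..4c0de24 100644
---- a/libfaad/bits.c
-+++ b/libfaad/bits.c
-@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
-int words = bits >> 5;
-int remainder = bits & 0x1F;
-
-- ld->bytes_left = ld->buffer_size - words*4;
-+ if (ld->buffer_size < words * 4)
-+ ld->bytes_left = 0;
-+ else
-+ ld->bytes_left = ld->buffer_size - words*4;
-
-if (ld->bytes_left >= 4)
-{
-diff --git a/libfaad/syntax.c b/libfaad/syntax.c
-index e7fb113..c992543 100644
---- a/libfaad/syntax.c
-+++ b/libfaad/syntax.c
-@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
-while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
-DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
-{
-+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
-+ return n;
-for (i = num_excl_chan; i < num_excl_chan+7; i++)
-{
-drc->exclude_mask[i] = faad_get1bit(ld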
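--- a/debian/patches/0009-syntax.c-check-for-syntax-element-inconsistencies.patch
+++ b/debian/patches/0009-syntax.c-check-for-syntax-element-inconsistencies.patch
@@ -1,60 +0,0 @@
-From 466b01d504d7e45f1e9169ac90b3e34ab94aed14 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Mon, 25 Feb 2019 10:49:03 +0100
-Subject: [PATCH 09/10] syntax.c: check for syntax element inconsistencies
-
-Implicit channel mapping reconfiguration is explicitely forbidden by
-ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
-files and reject them. FAAD2 does not perform any kind of checks
-regarding this.
-
-This leads to security vulnerabilities when processing crafted AAC
-files performing such reconfigurations.
-
-Add checks to decode_sce_lfe and decode_cpe to make sure such
-inconsistencies are detected as early as possible.
-
-These checks first read hDecoder->frame: if this is not the first
-frame then we make sure that the syntax element at the same position
-in the previous frame also had element_id id_syn_ele. If not, return
-21 as this is a fatal file structure issue.
-
-This patch addresses CVE-2018-20362 (fixes #26) and possibly other
-related issues.
----
-libfaad/syntax.c | 12 ++++++++++++
-1 file changed, 12 insertions(+)
-
-diff --git a/libfaad/syntax.c b/libfaad/syntax.c
-index f8e808c..e7fb113 100644
---- a/libfaad/syntax.c
-+++ b/libfaad/syntax.c
-@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruct *hDecoder,
-can become 2 when some form of Parametric Stereo coding is used
-*/
-
-+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
-+ /* element inconsistency */
-+ hInfo->error = 21;
-+ return;
-+ }
-+
-/* save the syntax element id */
-hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
-
-@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, bitfi
-return;
-}
-
-+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
-+ /* element inconsistency */
-+ hInfo->error = 21;
-+ return;
-+ }
-+
-/* save the syntax element id */
-hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
-
---
-2.20.1
-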
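--- a/debian/patches/0010-sbr_hfadj-sanitize-frequency-band-borders.patch
+++ b/debian/patches/0010-sbr_hfadj-sanitize-frequency-band-borders.patch
@@ -1,67 +0,0 @@
-From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Thu, 11 Apr 2019 09:34:07 +0200
-Subject: [PATCH 10/10] sbr_hfadj: sanitize frequency band borders
-
-user passed f_table_lim contains frequency band borders. Frequency
-bands are groups of consecutive QMF channels. This means that their
-bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
-number of QMF channels). c.f. ISO/IEC 14496-3:2001
-
-FAAD2 does not verify this, leading to security issues when
-processing files defining f_table_lim with values > MAX_M.
-
-This patch sanitizes the values of f_table_lim so that they can be safely
-used as index for Q_M_lim and G_lim arrays.
-
-Fixes #21 (CVE-2018-20194).
----
-libfaad/sbr_hfadj.c | 18 ++++++++++++++++++
-1 file changed, 18 insertions(+)
-
-diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c
-index 3f310b8..dda1ce8 100644
---- a/libfaad/sbr_hfadj.c
-+++ b/libfaad/sbr_hfadj.c
-@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
-ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
-
-+ if (ml1 > MAX_M)
-+ ml1 = MAX_M;
-+
-+ if (ml2 > MAX_M)
-+ ml2 = MAX_M;
-+
-
-/* calculate the accumulated E_orig and E_curr over the limiter band */
-for (m = ml1; m < ml2; m++)
-@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
-ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
-
-+ if (ml1 > MAX_M)
-+ ml1 = MAX_M;
-+
-+ if (ml2 > MAX_M)
-+ ml2 = MAX_M;
-+
-
-/* calculate the accumulated E_orig and E_curr over the limiter band */
-for (m = ml1; m < ml2; m++)
-@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
-ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
-ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
-
-+ if (ml1 > MAX_M)
-+ ml1 = MAX_M;
-+
-+ if (ml2 > MAX_M)
-+ ml2 = MAX_M;
-+
-
-/* calculate the accumulated E_orig and E_curr over the limiter band */
-for (m = ml1; m < ml2; m++)
---
-2.20.1
-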
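--- a/debian/patches/reproducible-build.patch
+++ b/debian/patches/reproducible-build.patch
@@ -1,16 +0,0 @@
-Description: Remove timestamps from CPP macros
-The C pre-processor macros '__DATE__' and '__TIME__' capture the current time
-and thus will obviously make a build unreproducible. Usage of these macros
-must simply be removed in order to make builds reproducible.
-Author: Fabian Greffrath <fabian+debian@greffrath.com>
-
---- a/frontend/main.c
-+++ b/frontend/main.c
-@@ -1194,7 +1194,6 @@ int main(int argc, char *argv[])
-NeAACDecGetVersion(&faad_id_string, &faad_copyright_string);
-
-faad_fprintf(stderr, " *********** Ahead Software MPEG-4 AAC Decoder V%s ******************\n\n", faad_id_string);
-- faad_fprintf(stderr, " Build: %s\n", __DATE__);
-faad_fprintf(stderr, "%s", faad_copyright_string);
-if (cap & FIXED_POINT_CAP)
-faad_fprintf(stderr, " Fixed point version\n");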
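--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +0,0 @@
-reproducible-build.patch
-0009-syntax.c-check-for-syntax-element-inconsistencies.patch
-0010-sbr_hfadj-sanitize-frequency-band-borders.patch
-0004-Fix-a-couple-buffer-overflows.patch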