Remove all patches, applied upstream.
Fabian Greffrath
4 years ago
| 0 | From: =?utf-8?q?Hugo_Beauz=C3=A9e-Luyssen?= <hugo@beauzee.fr> | |
| 1 | Date: Fri, 7 Jun 2019 20:02:57 +0200 | |
| 2 | Subject: Fix a couple buffer overflows | |
| 3 | ||
| 4 | https://hackerone.com/reports/502816 | |
| 5 | https://hackerone.com/reports/507858 | |
| 6 | --- | |
| 7 | libfaad/bits.c | 5 ++++- | |
| 8 | libfaad/syntax.c | 2 ++ | |
| 9 | 2 files changed, 6 insertions(+), 1 deletion(-) | |
| 10 | ||
| 11 | diff --git a/libfaad/bits.c b/libfaad/bits.c | |
| 12 | index dc14d7a..4c0de24 100644 | |
| 13 | --- a/libfaad/bits.c | |
| 14 | +++ b/libfaad/bits.c | |
| 15 | @@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits) | |
| 16 | int words = bits >> 5; | |
| 17 | int remainder = bits & 0x1F; | |
| 18 | ||
| 19 | - ld->bytes_left = ld->buffer_size - words*4; | |
| 20 | + if (ld->buffer_size < words * 4) | |
| 21 | + ld->bytes_left = 0; | |
| 22 | + else | |
| 23 | + ld->bytes_left = ld->buffer_size - words*4; | |
| 24 | ||
| 25 | if (ld->bytes_left >= 4) | |
| 26 | { | |
| 27 | diff --git a/libfaad/syntax.c b/libfaad/syntax.c | |
| 28 | index e7fb113..c992543 100644 | |
| 29 | --- a/libfaad/syntax.c | |
| 30 | +++ b/libfaad/syntax.c | |
| 31 | @@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc) | |
| 32 | while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld | |
| 33 | DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1) | |
| 34 | { | |
| 35 | + if (i >= MAX_CHANNELS - num_excl_chan - 7) | |
| 36 | + return n; | |
| 37 | for (i = num_excl_chan; i < num_excl_chan+7; i++) | |
| 38 | { | |
| 39 | drc->exclude_mask[i] = faad_get1bit(ld |
| 0 | From 466b01d504d7e45f1e9169ac90b3e34ab94aed14 Mon Sep 17 00:00:00 2001 | |
| 1 | From: Hugo Lefeuvre <hle@debian.org> | |
| 2 | Date: Mon, 25 Feb 2019 10:49:03 +0100 | |
| 3 | Subject: [PATCH 09/10] syntax.c: check for syntax element inconsistencies | |
| 4 | ||
| 5 | Implicit channel mapping reconfiguration is explicitely forbidden by | |
| 6 | ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such | |
| 7 | files and reject them. FAAD2 does not perform any kind of checks | |
| 8 | regarding this. | |
| 9 | ||
| 10 | This leads to security vulnerabilities when processing crafted AAC | |
| 11 | files performing such reconfigurations. | |
| 12 | ||
| 13 | Add checks to decode_sce_lfe and decode_cpe to make sure such | |
| 14 | inconsistencies are detected as early as possible. | |
| 15 | ||
| 16 | These checks first read hDecoder->frame: if this is not the first | |
| 17 | frame then we make sure that the syntax element at the same position | |
| 18 | in the previous frame also had element_id id_syn_ele. If not, return | |
| 19 | 21 as this is a fatal file structure issue. | |
| 20 | ||
| 21 | This patch addresses CVE-2018-20362 (fixes #26) and possibly other | |
| 22 | related issues. | |
| 23 | --- | |
| 24 | libfaad/syntax.c | 12 ++++++++++++ | |
| 25 | 1 file changed, 12 insertions(+) | |
| 26 | ||
| 27 | diff --git a/libfaad/syntax.c b/libfaad/syntax.c | |
| 28 | index f8e808c..e7fb113 100644 | |
| 29 | --- a/libfaad/syntax.c | |
| 30 | +++ b/libfaad/syntax.c | |
| 31 | @@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruct *hDecoder, | |
| 32 | can become 2 when some form of Parametric Stereo coding is used | |
| 33 | */ | |
| 34 | ||
| 35 | + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { | |
| 36 | + /* element inconsistency */ | |
| 37 | + hInfo->error = 21; | |
| 38 | + return; | |
| 39 | + } | |
| 40 | + | |
| 41 | /* save the syntax element id */ | |
| 42 | hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; | |
| 43 | ||
| 44 | @@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, bitfi | |
| 45 | return; | |
| 46 | } | |
| 47 | ||
| 48 | + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { | |
| 49 | + /* element inconsistency */ | |
| 50 | + hInfo->error = 21; | |
| 51 | + return; | |
| 52 | + } | |
| 53 | + | |
| 54 | /* save the syntax element id */ | |
| 55 | hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; | |
| 56 | ||
| 57 | -- | |
| 58 | 2.20.1 | |
| 59 |
| 0 | From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001 | |
| 1 | From: Hugo Lefeuvre <hle@debian.org> | |
| 2 | Date: Thu, 11 Apr 2019 09:34:07 +0200 | |
| 3 | Subject: [PATCH 10/10] sbr_hfadj: sanitize frequency band borders | |
| 4 | ||
| 5 | user passed f_table_lim contains frequency band borders. Frequency | |
| 6 | bands are groups of consecutive QMF channels. This means that their | |
| 7 | bounds, as provided by f_table_lim, should never exceed MAX_M (maximum | |
| 8 | number of QMF channels). c.f. ISO/IEC 14496-3:2001 | |
| 9 | ||
| 10 | FAAD2 does not verify this, leading to security issues when | |
| 11 | processing files defining f_table_lim with values > MAX_M. | |
| 12 | ||
| 13 | This patch sanitizes the values of f_table_lim so that they can be safely | |
| 14 | used as index for Q_M_lim and G_lim arrays. | |
| 15 | ||
| 16 | Fixes #21 (CVE-2018-20194). | |
| 17 | --- | |
| 18 | libfaad/sbr_hfadj.c | 18 ++++++++++++++++++ | |
| 19 | 1 file changed, 18 insertions(+) | |
| 20 | ||
| 21 | diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c | |
| 22 | index 3f310b8..dda1ce8 100644 | |
| 23 | --- a/libfaad/sbr_hfadj.c | |
| 24 | +++ b/libfaad/sbr_hfadj.c | |
| 25 | @@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) | |
| 26 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; | |
| 27 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; | |
| 28 | ||
| 29 | + if (ml1 > MAX_M) | |
| 30 | + ml1 = MAX_M; | |
| 31 | + | |
| 32 | + if (ml2 > MAX_M) | |
| 33 | + ml2 = MAX_M; | |
| 34 | + | |
| 35 | ||
| 36 | /* calculate the accumulated E_orig and E_curr over the limiter band */ | |
| 37 | for (m = ml1; m < ml2; m++) | |
| 38 | @@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) | |
| 39 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; | |
| 40 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; | |
| 41 | ||
| 42 | + if (ml1 > MAX_M) | |
| 43 | + ml1 = MAX_M; | |
| 44 | + | |
| 45 | + if (ml2 > MAX_M) | |
| 46 | + ml2 = MAX_M; | |
| 47 | + | |
| 48 | ||
| 49 | /* calculate the accumulated E_orig and E_curr over the limiter band */ | |
| 50 | for (m = ml1; m < ml2; m++) | |
| 51 | @@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) | |
| 52 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; | |
| 53 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; | |
| 54 | ||
| 55 | + if (ml1 > MAX_M) | |
| 56 | + ml1 = MAX_M; | |
| 57 | + | |
| 58 | + if (ml2 > MAX_M) | |
| 59 | + ml2 = MAX_M; | |
| 60 | + | |
| 61 | ||
| 62 | /* calculate the accumulated E_orig and E_curr over the limiter band */ | |
| 63 | for (m = ml1; m < ml2; m++) | |
| 64 | -- | |
| 65 | 2.20.1 | |
| 66 |
| 0 | Description: Remove timestamps from CPP macros | |
| 1 | The C pre-processor macros '__DATE__' and '__TIME__' capture the current time | |
| 2 | and thus will obviously make a build unreproducible. Usage of these macros | |
| 3 | must simply be removed in order to make builds reproducible. | |
| 4 | Author: Fabian Greffrath <fabian+debian@greffrath.com> | |
| 5 | ||
| 6 | --- a/frontend/main.c | |
| 7 | +++ b/frontend/main.c | |
| 8 | @@ -1194,7 +1194,6 @@ int main(int argc, char *argv[]) | |
| 9 | NeAACDecGetVersion(&faad_id_string, &faad_copyright_string); | |
| 10 | ||
| 11 | faad_fprintf(stderr, " *********** Ahead Software MPEG-4 AAC Decoder V%s ******************\n\n", faad_id_string); | |
| 12 | - faad_fprintf(stderr, " Build: %s\n", __DATE__); | |
| 13 | faad_fprintf(stderr, "%s", faad_copyright_string); | |
| 14 | if (cap & FIXED_POINT_CAP) | |
| 15 | faad_fprintf(stderr, " Fixed point version\n"); |