
Contents of /updates/5/mad/current/SOURCES/frame_length.patch



Revision 1186840 - (show annotations) (download)
Thu Dec 28 22:09:21 2017 UTC (6 years, 3 months ago) by luigiwalser
File size: 5237 byte(s)
rediff patch from debian to fix CVE-2017-837[2-4]
1 ; You can calculate where the next frame will start depending on things
2 ; like the bitrate. See mad_header_decode(). It seems that when decoding
3 ; the frame you can go past that boundary. This attempts to catch those cases,
4 ; but might not catch all of them.
5 ; For more info see http://bugs.debian.org/508133
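--- a/layer12.c
+++ b/layer12.c
@@ -134,6 +134,12 @@
 for (sb = 0; sb < bound; ++sb) {
 for (ch = 0; ch < nch; ++ch) {
 nb = mad_bit_w_len_read(stream->l_ptr, 4);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 if (nb == 15) {
 stream->error = MAD_ERROR_BADBITALLOC;
@@ -146,6 +152,12 @@
 
 for (sb = bound; sb < 32; ++sb) {
 nb = mad_bit_w_len_read(stream->l_ptr, 4);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 if (nb == 15) {
 stream->error = MAD_ERROR_BADBITALLOC;
@@ -162,6 +174,12 @@
 for (ch = 0; ch < nch; ++ch) {
 if (allocation[ch][sb]) {
 scalefactor[ch][sb] = mad_bit_w_len_read(stream->l_ptr, 6);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 # if defined(OPT_STRICT)
 /*
@@ -187,6 +205,12 @@
 frame->sbsample[ch][s][sb] = nb ?
 mad_f_mul(I_sample(stream->l_ptr, nb),
 sf_table[scalefactor[ch][sb]]) : 0;
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 }
 }
 
@@ -195,6 +219,12 @@
 mad_fixed_t sample;
 
 sample = I_sample(stream->l_ptr, nb);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 for (ch = 0; ch < nch; ++ch) {
 frame->sbsample[ch][s][sb] =
@@ -403,7 +433,15 @@
 nbal = bitalloc_table[offsets[sb]].nbal;
 
 for (ch = 0; ch < nch; ++ch)
+ {
 allocation[ch][sb] = mad_bit_w_len_read(stream->l_ptr, nbal);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
+ }
 }
 
 for (sb = bound; sb < sblimit; ++sb) {
@@ -411,6 +449,13 @@
 
 allocation[0][sb] =
 allocation[1][sb] = mad_bit_w_len_read(stream->l_ptr, nbal);
+
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 }
 
 /* decode scalefactor selection info */
@@ -419,6 +464,12 @@
 for (ch = 0; ch < nch; ++ch) {
 if (allocation[ch][sb])
 scfsi[ch][sb] = mad_bit_w_len_read(stream->l_ptr, 2);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 }
 }
 
@@ -442,6 +493,12 @@
 for (ch = 0; ch < nch; ++ch) {
 if (allocation[ch][sb]) {
 scalefactor[ch][sb][0] = mad_bit_w_len_read(stream->l_ptr, 6);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 switch (scfsi[ch][sb]) {
 case 2:
@@ -452,11 +509,23 @@
 
 case 0:
 scalefactor[ch][sb][1] = mad_bit_w_len_read(stream->l_ptr, 6);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 /* fall through */
 
 case 1:
 case 3:
 scalefactor[ch][sb][2] = mad_bit_w_len_read(stream->l_ptr, 6);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 }
 
 if (scfsi[ch][sb] & 1)
@@ -488,6 +557,12 @@
 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
 II_samples(stream->l_ptr, &qc_table[index], samples);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 for (s = 0; s < 3; ++s) {
 frame->sbsample[ch][3 * gr + s][sb] =
@@ -506,6 +581,12 @@
 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
 II_samples(stream->l_ptr, &qc_table[index], samples);
+ if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 for (ch = 0; ch < nch; ++ch) {
 for (s = 0; s < 3; ++s) {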
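Review bot: Each added `mad_bit_nextbyte(stream->l_ptr) > stream->next_frame` test runs after the read it guards, so it reports that decoding has already crossed the frame boundary rather than preventing the read; in the two `II_samples()` hunks (@@ -488 and @@ -506) a whole sample group is consumed before the test. Whether those bytes are always readable depends on guard space past `next_frame` that is not visible on this page, so that assumption should be written down in a comment next to the check, or the remaining bits tested before the read. The identical six-line block appears thirteen times in this file; a single static helper, sketched below, keeps the error handling in one place and gives that comment a home. The enclosing functions start and end outside every hunk.

```c
/*
 * Detects, after a read, that the bit pointer has moved past the start of
 * the next frame, and flags lost sync. This does not prevent the read:
 * it assumes the bytes just past next_frame are readable (confirm against
 * the buffer guard the stream setup requires).
 */
static int frame_overrun(struct mad_stream *stream)
{
  if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame) {
    stream->error = MAD_ERROR_LOSTSYNC;
    stream->sync = 0;
    return 1;
  }
  return 0;
}

/* ... unchanged: loop headers around the bit-allocation read ... */
nb = mad_bit_w_len_read(stream->l_ptr, 4);
if (frame_overrun(stream))
  return -1;
```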
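--- a/layer3.c
+++ b/layer3.c
@@ -2608,6 +2608,12 @@
 next_md_begin = 0;
 
 md_len = si.main_data_begin + frame_space - next_md_begin;
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
 
 frame_used = 0;
 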
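Review bot: The bound `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN` adds to a value computed from stream data, and the declaration of `md_len` is outside the hunk; if it is an unsigned type and ever large, the sum could wrap and pass the test. Writing the comparison as `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD)` avoids the addition, assuming the guard is smaller than the buffer length as the names suggest. The check also has no comment saying what it protects; something like `/* reject main data that would not fit in MAD_BUFFER_MDLEN bytes with the guard to spare */` would help, since the buffer itself is not visible here. The function body starts and ends outside the hunk.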
