Hello community, here is the log from the commit of package libmad for openSUSE:Factory checked in at 2018-02-22 14:58:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libmad (Old) and /work/SRC/openSUSE:Factory/.libmad.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libmad" Thu Feb 22 14:58:46 2018 rev:3 rq:578712 version:0.15.1b Changes: -------- --- /work/SRC/openSUSE:Factory/libmad/libmad.changes 2017-09-12 19:37:56.530297750 +0200 +++ /work/SRC/openSUSE:Factory/.libmad.new/libmad.changes 2018-02-22 14:58:47.629887473 +0100 @@ -1,0 +2,6 @@ +Wed Feb 21 13:57:11 UTC 2018 - idonmez@suse.com + +- Add frame_length.diff from Debian to fix CVE-2017-8374 + bsc#1036967 + +------------------------------------------------------------------- New: ---- frame_length.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmad.spec ++++++ --- /var/tmp/diff_new_pack.0yFU5M/_old 2018-02-22 14:58:48.545854518 +0100 +++ /var/tmp/diff_new_pack.0yFU5M/_new 2018-02-22 14:58:48.549854374 +0100 @@ -1,7 +1,7 @@ # # spec file for package libmad # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + %define sover 0 %define libname %{name}%{sover} Name: libmad @@ -32,6 +33,7 @@ Patch3: Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff Patch4: libmad.thumb.diff Patch5: libmad-0.15.1b-ppc.patch +Patch6: frame_length.diff BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool 
@@ -82,6 +84,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # new autoconf does not support deprecated declare (10 years in deprecation) sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac ++++++ frame_length.diff ++++++ ; You can calculate where the next frame will start depending on things ; like the bitrate. See mad_header_decode(). It seems that when decoding ; the frame you can go past that boundary. This attempts to catch those cases, ; but might not catch all of them. ; For more info see http://bugs.debian.org/508133 Index: libmad-0.15.1b/layer12.c =================================================================== --- libmad-0.15.1b.orig/layer12.c 2008-12-23 21:38:07.000000000 +0100 +++ libmad-0.15.1b/layer12.c 2008-12-23 21:38:12.000000000 +0100 @@ -134,6 +134,12 @@ for (sb = 0; sb < bound; ++sb) { for (ch = 0; ch < nch; ++ch) { nb = mad_bit_read(&stream->ptr, 4); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } if (nb == 15) { stream->error = MAD_ERROR_BADBITALLOC; @@ -146,6 +152,12 @@ for (sb = bound; sb < 32; ++sb) { nb = mad_bit_read(&stream->ptr, 4); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } if (nb == 15) { stream->error = MAD_ERROR_BADBITALLOC; @@ -162,6 +174,12 @@ for (ch = 0; ch < nch; ++ch) { if (allocation[ch][sb]) { scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } # if defined(OPT_STRICT) /* @@ -187,6 +205,12 @@ frame->sbsample[ch][s][sb] = nb ? mad_f_mul(I_sample(&stream->ptr, nb), sf_table[scalefactor[ch][sb]]) : 0; + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } } } 
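Review bot: The six-line guard added after `nb = mad_bit_read(&stream->ptr, 4);` in the -134 hunk is pasted verbatim into every other layer12.c hunk of this patch (-146, -162, -187, -195, -403, -411, -419, -442, -452, -488, -506), and in each copy the `{` sits on a line of its own while the surrounding libmad code puts the brace on the `if` line. One static helper would keep the error path in a single place, match the file's brace style, and make the repeated sites read as `if (frame_overrun(stream)) return -1;`. The check also runs after the read rather than before it, so each `mad_bit_read`, `I_sample` or `II_samples` call can still advance up to its own width past `stream->next_frame` before being caught; whether that stays inside the caller's buffer depends on the guard-byte contract, which these hunks do not show, so it is worth confirming rather than assuming. The functions these hunks sit in begin and end outside the hunks.
```c
/* Report whether the bit reader has moved past the computed start of the
   next frame (stream->next_frame).  On overrun the stream is flagged as
   having lost sync so the caller resynchronises.  Returns non-zero on overrun. */
static int frame_overrun(struct mad_stream *stream)
{
  if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) {
    stream->error = MAD_ERROR_LOSTSYNC;
    stream->sync  = 0;
    return 1;
  }
  return 0;
}

/* … unchanged: start of the bit-allocation loop in the -134 hunk … */
      nb = mad_bit_read(&stream->ptr, 4);
      if (frame_overrun(stream))
        return -1;
/* … unchanged: the nb == 15 check that follows … */
```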
@@ -195,6 +219,12 @@ mad_fixed_t sample; sample = I_sample(&stream->ptr, nb); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } for (ch = 0; ch < nch; ++ch) { frame->sbsample[ch][s][sb] = @@ -403,7 +433,15 @@ nbal = bitalloc_table[offsets[sb]].nbal; for (ch = 0; ch < nch; ++ch) + { allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } + } } for (sb = bound; sb < sblimit; ++sb) { @@ -411,6 +449,13 @@ allocation[0][sb] = allocation[1][sb] = mad_bit_read(&stream->ptr, nbal); + + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } } /* decode scalefactor selection info */ @@ -419,6 +464,12 @@ for (ch = 0; ch < nch; ++ch) { if (allocation[ch][sb]) scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } } } @@ -442,6 +493,12 @@ for (ch = 0; ch < nch; ++ch) { if (allocation[ch][sb]) { scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } switch (scfsi[ch][sb]) { case 2: @@ -452,11 +509,23 @@ case 0: scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } /* fall through */ case 1: case 3: scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } } if (scfsi[ch][sb] & 1) 
@@ -488,6 +557,12 @@ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; II_samples(&stream->ptr, &qc_table[index], samples); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } for (s = 0; s < 3; ++s) { frame->sbsample[ch][3 * gr + s][sb] = @@ -506,6 +581,12 @@ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; II_samples(&stream->ptr, &qc_table[index], samples); + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } for (ch = 0; ch < nch; ++ch) { for (s = 0; s < 3; ++s) { Index: libmad-0.15.1b/layer3.c =================================================================== --- libmad-0.15.1b.orig/layer3.c 2008-12-23 21:38:07.000000000 +0100 +++ libmad-0.15.1b/layer3.c 2008-12-23 21:38:12.000000000 +0100 @@ -2608,6 +2608,12 @@ next_md_begin = 0; md_len = si.main_data_begin + frame_space - next_md_begin; + if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) + { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } frame_used = 0;
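Review bot: The guard `if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)` added after `md_len = si.main_data_begin + frame_space - next_md_begin;` in the layer3.c hunk carries no comment, and nothing in the hunk says why the guard bytes are counted against the main-data buffer or why exceeding it is reported as lost sync rather than a bad data pointer. A one-line comment above the check, `/* main_data holds MAD_BUFFER_MDLEN bytes; refuse a frame whose reservoir plus guard would not fit */`, would record the intent for the next reader. The check's behaviour on a subtraction that goes below zero also depends on `md_len` being unsigned, which the hunk does not show — presumably the `next_md_begin = 0;` clamp just above prevents that case, but the declaration is worth confirming. The enclosing function starts and ends outside the hunk.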