Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32276
Pick the patches from the PR[1] that resolved the issue[2] referenced by the NVD advisory. [1]: https://github.com/knik0/faad2/pull/66 [2]: https://github.com/knik0/faad2/issues/58 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../faad2/faad2/CVE-2021-32276-1.patch | 83 +++++++++++++++++++ .../faad2/faad2/CVE-2021-32276-2.patch | 36 ++++++++ .../recipes-multimedia/faad2/faad2_2.8.8.bb | 2 + 3 files changed, 121 insertions(+) create mode 100644 meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch create mode 100644 meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch
new file mode 100644
index 0000000000..9e208477fc
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch
@@ -0,0 +1,83 @@
+From 586ac8cf550b63a1d87ec105ea4bf20b6f406591 Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <[email protected]>
+Date: Fri, 9 Oct 2020 08:19:48 -0500
+Subject: [PATCH] Check for error after each channel decode.
+
+hInfo->error is reset within the decode_* functions. This caused the decoder
+to ignore errors for some channels in the error resilience (ER) code path.
+
+Fixes #58.
+
+CVE: CVE-2021-32276
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/b58840121d1827b4b6c7617e2431589af1776ddc]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ libfaad/syntax.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/libfaad/syntax.c b/libfaad/syntax.c
+index 4e57efd..af48cd1 100644
+--- a/libfaad/syntax.c
++++ b/libfaad/syntax.c
+@@ -523,37 +523,61 @@ void raw_data_block(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo,
+ break;
+ case 3:
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
+ if (hInfo->error > 0)
+ return;
+ break;
+ case 4:
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
+ if (hInfo->error > 0)
+ return;
+ break;
+ case 5:
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
+ if (hInfo->error > 0)
+ return;
+ break;
+ case 6:
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
+ if (hInfo->error > 0)
+ return;
+ break;
+ case 7: /* 8 channels */
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++ if (hInfo->error > 0)
++ return;
+ decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
+ if (hInfo->error > 0)
+ return;
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch
new file mode 100644
index 0000000000..c21391ca6b
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch
@@ -0,0 +1,36 @@
+From bac3c71781465bb92286e89ef326161bd2500cb4 Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <[email protected]>
+Date: Fri, 9 Oct 2020 08:55:52 -0500
+Subject: [PATCH] Check for inconsistent number of channels.
+
+The frontend does not support audio output when the number of channels
+changes between frames. Check if the number of decoded channels matches the
+number of audio output channels.
+
+It is possible that this condition should be detected in the decoder instead
+of the frontend.
+
+Fixes crash from afl-fuzz.
+
+CVE: CVE-2021-32276
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/4ed30d3d232b6a7a150cc06aed14eb47e4eda14e]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ frontend/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/frontend/main.c b/frontend/main.c
+index 3b0850d..39d5276 100644
+--- a/frontend/main.c
++++ b/frontend/main.c
+@@ -693,6 +693,10 @@ static int decodeAACfile(char *aacfile, char *sndfile, char *adts_fn, int to_std
+ /* update buffer indices */
+ advance_buffer(&b, frameInfo.bytesconsumed);
+
++ /* check if the inconsistent number of channels */
++ if (aufile != NULL && frameInfo.channels != aufile->channels)
++ frameInfo.error = 12;
++
+ if (frameInfo.error > 0)
+ {
+ faad_fprintf(stderr, "Error: %s\n",
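Review bot: The invariant this fix depends on is not written down next to the code in `raw_data_block`: per the patch description, `hInfo->error` is reset inside the decode_* functions, so every call in cases 3 to 7 needs its own check or an earlier channel's failure is lost. A one-line comment ahead of these cases, e.g. `/* hInfo->error is reset by each decode_* call; test it after every call, not once per case */`, would keep a later channel configuration from reintroducing the gap. The `From` hash (586ac8cf) differs from the commit named in `Upstream-Status` (b5884012), which may only reflect a local cherry-pick, but the backport is worth diffing against that upstream commit before merge. The function body starts and ends outside this hunk.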
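Review bot: The added assignment `frameInfo.error = 12;` in `decodeAACfile` is not conditioned on the current error state, so when the decoder has already reported an error and the channel counts also differ, the original diagnostic is replaced before the `Error: %s` message is printed; `if (frameInfo.error == 0 && aufile != NULL && frameInfo.channels != aufile->channels)` would keep the first error. The bare `12` should carry a comment naming the error it selects, since its meaning is not visible in this hunk, and `/* check if the inconsistent number of channels */` would read better as `/* reject frames whose channel count differs from the output file */`. As the patch description itself notes, the check lives in the frontend only, so other callers of the decoder presumably still have to handle a channel count that changes between frames. The function body continues outside the hunk.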
diff --git a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
index f354c99d33..311a384fc4 100644
--- a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
+++ b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
@@ -12,6 +12,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
 file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \
 file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \
 file://0001-Check-return-value-of-ltp_data.patch \
+ file://CVE-2021-32276-1.patch \
+ file://CVE-2021-32276-2.patch \
 "
 SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
 SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"
