Hello community, here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2017-07-23 12:13:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpg123 (Old) and /work/SRC/openSUSE:Factory/.mpg123.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpg123" Sun Jul 23 12:13:16 2017 rev:5 rq:511320 version:1.25.3 Changes: -------- --- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes 2017-07-17 09:01:51.034586604 +0200 +++ /work/SRC/openSUSE:Factory/.mpg123.new/mpg123.changes 2017-07-23 12:13:35.818549601 +0200 @@ -1,0 +2,9 @@ +Tue Jul 18 15:55:51 UTC 2017 - [email protected] + +- Update to version 1.25.3 + libmpg123: + * Better checks for xrpnt overflow in III_dequantize_sample() + before each use, avoiding false positives and catching cases + that were rendered harmless by alignment-enlarged buffers. + +------------------------------------------------------------------- Old: ---- mpg123-1.25.2.tar.bz2 mpg123-1.25.2.tar.bz2.sig New: ---- mpg123-1.25.3.tar.bz2 mpg123-1.25.3.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mpg123.spec ++++++ --- /var/tmp/diff_new_pack.vq5I0o/_old 2017-07-23 12:13:36.398467682 +0200 +++ /var/tmp/diff_new_pack.vq5I0o/_new 2017-07-23 12:13:36.402467118 +0200 @@ -17,7 +17,7 @@ Name: mpg123 -Version: 1.25.2 +Version: 1.25.3 Release: 0 Summary: Console MPEG audio player and decoder library License: LGPL-2.1 ++++++ mpg123-1.25.2.tar.bz2 -> mpg123-1.25.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.2/NEWS new/mpg123-1.25.3/NEWS --- old/mpg123-1.25.2/NEWS 2017-07-11 11:36:46.000000000 +0200 +++ new/mpg123-1.25.3/NEWS 2017-07-18 09:19:40.000000000 +0200 @@ -1,6 +1,12 @@ -1.25.2 +1.25.3 ------ +- libmpg123: +-- Better checks for xrpnt overflow in III_dequantize_sample() before each + use, avoiding false positives and catching cases that were rendered + harmless by alignment-enlarged buffers. +1.25.2 +------ - libmpg123: -- Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.2/configure new/mpg123-1.25.3/configure --- old/mpg123-1.25.2/configure 2017-07-11 11:37:28.000000000 +0200 +++ new/mpg123-1.25.3/configure 2017-07-18 09:21:56.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mpg123 1.25.2. +# Generated by GNU Autoconf 2.69 for mpg123 1.25.3. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='mpg123' PACKAGE_TARNAME='mpg123' -PACKAGE_VERSION='1.25.2' -PACKAGE_STRING='mpg123 1.25.2' +PACKAGE_VERSION='1.25.3' +PACKAGE_STRING='mpg123 1.25.3' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1567,7 +1567,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mpg123 1.25.2 to adapt to many kinds of systems. +\`configure' configures mpg123 1.25.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1637,7 +1637,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mpg123 1.25.2:";; + short | recursive ) echo "Configuration of mpg123 1.25.3:";; esac cat <<\_ACEOF @@ -1863,7 +1863,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mpg123 configure 1.25.2 +mpg123 configure 1.25.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2469,7 +2469,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mpg123 $as_me 1.25.2, which was +It was created by mpg123 $as_me 1.25.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2822,7 +2822,7 @@ API_VERSION=44 -LIB_PATCHLEVEL=2 +LIB_PATCHLEVEL=3 OUTAPI_VERSION=2 OUTLIB_PATCHLEVEL=1 @@ -3425,7 +3425,7 @@ # Define the identity of the package. PACKAGE='mpg123' - VERSION='1.25.2' + VERSION='1.25.3' cat >>confdefs.h <<_ACEOF @@ -20241,7 +20241,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mpg123 $as_me 1.25.2, which was +This file was extended by mpg123 $as_me 1.25.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20307,7 +20307,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mpg123 config.status 1.25.2 +mpg123 config.status 1.25.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.2/configure.ac new/mpg123-1.25.3/configure.ac --- old/mpg123-1.25.2/configure.ac 2017-07-11 11:28:42.000000000 +0200 +++ new/mpg123-1.25.3/configure.ac 2017-07-18 09:21:17.000000000 +0200 @@ -8,12 +8,12 @@ AC_PREREQ(2.57) dnl ############# Initialisation -AC_INIT([mpg123], [1.25.2], [[email protected]]) +AC_INIT([mpg123], [1.25.3], [[email protected]]) dnl Increment API_VERSION when the API gets changes (new functions). dnl libmpg123 API_VERSION=44 -LIB_PATCHLEVEL=2 +LIB_PATCHLEVEL=3 dnl libout123 OUTAPI_VERSION=2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.2/mpg123.spec new/mpg123-1.25.3/mpg123.spec --- old/mpg123-1.25.2/mpg123.spec 2017-07-11 11:39:09.000000000 +0200 +++ new/mpg123-1.25.3/mpg123.spec 2017-07-18 09:22:09.000000000 +0200 @@ -3,7 +3,7 @@ # - devel packages for alsa, sdl, etc... to build the respective output modules. Summary: The fast console mpeg audio decoder/player. Name: mpg123 -Version: 1.25.2 +Version: 1.25.3 Release: 1 URL: http://www.mpg123.org/ License: GPL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.2/src/libmpg123/layer3.c new/mpg123-1.25.3/src/libmpg123/layer3.c --- old/mpg123-1.25.2/src/libmpg123/layer3.c 2017-07-11 11:27:37.000000000 +0200 +++ new/mpg123-1.25.3/src/libmpg123/layer3.c 2017-07-18 09:32:26.000000000 +0200 @@ -771,7 +771,14 @@ } } } - + +#define CHECK_XRPNT if(xrpnt >= &xr[SBLIMIT][0]) \ +{ \ + if(NOQUIET) \ + error2("attempted xrpnt overflow (%p !< %p)", (void*) xrpnt, (void*) &xr[SBLIMIT][0]); \ + return 1; \ +} + if(gr_info->block_type == 2) { /* decoding with short or mixed mode BandIndex table */ @@ -852,6 +859,7 @@ y &= 0xf; #endif } + CHECK_XRPNT; if(x == 15 && h->linbits) { max[lwin] = cb; @@ -876,6 +884,7 @@ else *xrpnt = DOUBLE_TO_REAL(0.0); xrpnt += step; + CHECK_XRPNT; if(y == 15 && h->linbits) { max[lwin] = cb; @@ -908,22 +917,7 @@ const struct newhuff* h; const short* val; register short a; - /* - This is only a humble hack to prevent a special segfault. - More insight into the real workings is still needed. - Especially why there are (valid?) files that make xrpnt exceed the array with 4 bytes without segfaulting, more seems to be really bad, though. - */ - #ifdef DEBUG - if(!(xrpnt < &xr[SBLIMIT][0])) - { - if(VERBOSE) debug2("attempted soft xrpnt overflow (%p !< %p) ?", (void*) xrpnt, (void*) &xr[SBLIMIT][0]); - } - #endif - if(!(xrpnt < &xr[SBLIMIT][0]+5)) - { - if(NOQUIET) error2("attempted xrpnt overflow (%p !< %p)", (void*) xrpnt, (void*) &xr[SBLIMIT][0]); - return 2; - } + h = htc+gr_info->count1table_select; val = h->table; @@ -970,6 +964,7 @@ } mc--; } + CHECK_XRPNT; if( (a & (0x8>>i)) ) { max[lwin] = cb; @@ -994,6 +989,7 @@ { for(;mc > 0;mc--) { + CHECK_XRPNT; *xrpnt = DOUBLE_TO_REAL(0.0); xrpnt += 3; /* short band -> step=3 */ *xrpnt = DOUBLE_TO_REAL(0.0); xrpnt += 3; } @@ -1083,6 +1079,7 @@ #endif } + CHECK_XRPNT; if(x == 15 && h->linbits) { max = cb; @@ -1106,6 +1103,7 @@ } else *xrpnt++ = DOUBLE_TO_REAL(0.0); + CHECK_XRPNT; if(y == 15 && h->linbits) { max = cb; @@ -1174,6 +1172,7 @@ } mc--; } + CHECK_XRPNT; if( (a & (0x8>>i)) ) { max = cb;
