Hello community, here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2017-08-12 20:19:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpg123 (Old) and /work/SRC/openSUSE:Factory/.mpg123.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpg123" Sat Aug 12 20:19:40 2017 rev:7 rq:516085 version:1.25.6 Changes: -------- --- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes 2017-07-28 09:43:32.486924071 +0200 +++ /work/SRC/openSUSE:Factory/.mpg123.new/mpg123.changes 2017-08-12 20:19:43.938835385 +0200 @@ -1,0 +2,16 @@ +Fri Aug 11 08:11:26 UTC 2017 - [email protected] + +- Update to version 1.25.6 + * Hotfix for bug 255: Overflow reading frame data bits in layer + II decoding. Now, all-zero data is returned if the frame data + is exhausted. This might have a slight impact on performance, + but not easily measurable so far. + +------------------------------------------------------------------- +Tue Aug 8 20:22:15 UTC 2017 - [email protected] + +- Update to version 1.25.5 + * Avoid another buffer read overflow in the ID3 parser on 32 bit + platforms (bug 254). + +------------------------------------------------------------------- Old: ---- mpg123-1.25.4.tar.bz2 mpg123-1.25.4.tar.bz2.sig New: ---- mpg123-1.25.6.tar.bz2 mpg123-1.25.6.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mpg123.spec ++++++ --- /var/tmp/diff_new_pack.FGuKqZ/_old 2017-08-12 20:19:45.274648216 +0200 +++ /var/tmp/diff_new_pack.FGuKqZ/_new 2017-08-12 20:19:45.278647655 +0200 @@ -17,7 +17,7 @@ Name: mpg123 -Version: 1.25.4 +Version: 1.25.6 Release: 0 Summary: Console MPEG audio player and decoder library License: LGPL-2.1 ++++++ mpg123-1.25.4.tar.bz2 -> mpg123-1.25.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/NEWS new/mpg123-1.25.6/NEWS --- old/mpg123-1.25.4/NEWS 2017-07-24 11:52:26.000000000 +0200 +++ new/mpg123-1.25.6/NEWS 2017-08-11 09:29:15.000000000 +0200 
@@ -1,3 +1,14 @@ +1.25.6 +------ +- Hotfix for bug 255: Overflow reading frame data bits in layer II decoding. + Now, all-zero data is returned if the frame data is exhausted. This might + have a slight impact on performance, but not easily measurable so far. + +1.25.5 +------ +- Avoid another buffer read overflow in the ID3 parser on 32 bit platforms + (bug 254). + 1.25.4 ------ - Better configure checks for i?86-apple-darwin (bug 253). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/configure new/mpg123-1.25.6/configure --- old/mpg123-1.25.4/configure 2017-07-24 11:53:18.000000000 +0200 +++ new/mpg123-1.25.6/configure 2017-08-11 09:30:00.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mpg123 1.25.4. +# Generated by GNU Autoconf 2.69 for mpg123 1.25.6. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='mpg123' PACKAGE_TARNAME='mpg123' -PACKAGE_VERSION='1.25.4' -PACKAGE_STRING='mpg123 1.25.4' +PACKAGE_VERSION='1.25.6' +PACKAGE_STRING='mpg123 1.25.6' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1567,7 +1567,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mpg123 1.25.4 to adapt to many kinds of systems. +\`configure' configures mpg123 1.25.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1637,7 +1637,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mpg123 1.25.4:";; + short | recursive ) echo "Configuration of mpg123 1.25.6:";; esac cat <<\_ACEOF 
@@ -1863,7 +1863,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mpg123 configure 1.25.4 +mpg123 configure 1.25.6 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2469,7 +2469,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mpg123 $as_me 1.25.4, which was +It was created by mpg123 $as_me 1.25.6, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2822,7 +2822,7 @@ API_VERSION=44 -LIB_PATCHLEVEL=3 +LIB_PATCHLEVEL=5 OUTAPI_VERSION=2 OUTLIB_PATCHLEVEL=1 @@ -3425,7 +3425,7 @@ # Define the identity of the package. PACKAGE='mpg123' - VERSION='1.25.4' + VERSION='1.25.6' cat >>confdefs.h <<_ACEOF @@ -20241,7 +20241,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mpg123 $as_me 1.25.4, which was +This file was extended by mpg123 $as_me 1.25.6, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20307,7 +20307,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mpg123 config.status 1.25.4 +mpg123 config.status 1.25.6 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/configure.ac new/mpg123-1.25.6/configure.ac --- old/mpg123-1.25.4/configure.ac 2017-07-24 11:52:33.000000000 +0200 +++ new/mpg123-1.25.6/configure.ac 2017-08-11 09:29:23.000000000 +0200 
@@ -8,12 +8,12 @@ AC_PREREQ(2.57) dnl ############# Initialisation -AC_INIT([mpg123], [1.25.4], [[email protected]]) +AC_INIT([mpg123], [1.25.6], [[email protected]]) dnl Increment API_VERSION when the API gets changes (new functions). dnl libmpg123 API_VERSION=44 -LIB_PATCHLEVEL=3 +LIB_PATCHLEVEL=5 dnl libout123 OUTAPI_VERSION=2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/mpg123.spec new/mpg123-1.25.6/mpg123.spec --- old/mpg123-1.25.4/mpg123.spec 2017-07-24 11:53:32.000000000 +0200 +++ new/mpg123-1.25.6/mpg123.spec 2017-08-11 09:30:13.000000000 +0200 @@ -3,7 +3,7 @@ # - devel packages for alsa, sdl, etc... to build the respective output modules. Summary: The fast console mpeg audio decoder/player. Name: mpg123 -Version: 1.25.4 +Version: 1.25.6 Release: 1 URL: http://www.mpg123.org/ License: GPL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/src/libmpg123/getbits.h new/mpg123-1.25.6/src/libmpg123/getbits.h --- old/mpg123-1.25.4/src/libmpg123/getbits.h 2017-07-24 11:46:05.000000000 +0200 +++ new/mpg123-1.25.6/src/libmpg123/getbits.h 2017-08-11 09:29:15.000000000 +0200 @@ -44,7 +44,10 @@ #ifdef DEBUG_GETBITS fprintf(stderr,"g%d",number_of_bits); #endif - + /* Safety catch until we got the nasty code fully figured out. */ + if( (long)(fr->wordpointer-fr->bsbuf)*8 + + fr->bitindex+number_of_bits > (long)fr->framesize*8 ) + return 0; /* This is actually slow: if(!number_of_bits) return 0; */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.4/src/libmpg123/id3.c new/mpg123-1.25.6/src/libmpg123/id3.c --- old/mpg123-1.25.4/src/libmpg123/id3.c 2017-07-24 11:52:08.000000000 +0200 +++ new/mpg123-1.25.6/src/libmpg123/id3.c 2017-08-11 09:28:59.000000000 +0200 
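Review bot: The new safety catch in getbits.h sits after the DEBUG_GETBITS fprintf, so a debug trace records a read of number_of_bits that is then refused, and nothing distinguishes exhausted frame data from a genuine zero result. A marker under the same conditional, `#ifdef DEBUG_GETBITS fprintf(stderr,"!"); #endif` placed before the `return 0;`, keeps the trace honest, and the comment should state what the guard guarantees rather than only that it is temporary, e.g. `/* Refuse reads past framesize: return 0 without consuming bits, so every later call on this frame also yields 0. */` — the not-consuming part presumes the position advance happens further down the function, which lies outside the hunk. The guard bounds only the bits requested; if the body below reads whole bytes beyond the current one, a request ending exactly at framesize*8 could still touch bytes past the frame, which is worth confirming against the read code or the allocation of bsbuf. The enclosing getbits function starts before and continues after the hunk.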
@@ -704,6 +704,7 @@ ,1) \ ) /* id3v2.3 does not store synchsafe frame sizes, but synchsafe tag size - doh! */ + /* Remember: bytes_to_long() can yield ULONG_MAX on 32 bit platforms! */ #define bytes_to_long(buf,res) \ ( \ major == 3 ? \ @@ -772,16 +773,25 @@ if((ret2 = fr->rd->read_frame_body(fr,tagdata,length)) > 0) { unsigned long tagpos = 0; + /* bytes of frame title and of framesize value */ + unsigned int head_part = fr->id3v2.version > 2 ? 4 : 3; + unsigned int flag_part = fr->id3v2.version > 2 ? 2 : 0; + /* The amount of bytes that are unconditionally read for each frame: */ + /* ID, size, flags. */ + unsigned int framebegin = head_part+head_part+flag_part; debug1("ID3v2: have read at all %lu bytes for the tag now", (unsigned long)length+6); /* going to apply strlen for strings inside frames, make sure that it doesn't overflow! */ tagdata[length] = 0; if(flags & EXTHEAD_FLAG) { debug("ID3v2: skipping extended header"); - if(!bytes_to_long(tagdata, tagpos)) + if(!bytes_to_long(tagdata, tagpos) || tagpos >= length) { ret = 0; - if(NOQUIET) error4("Bad (non-synchsafe) tag offset: 0x%02x%02x%02x%02x", tagdata[0], tagdata[1], tagdata[2], tagdata[3]); + if(NOQUIET) + error4( "Bad (non-synchsafe/too large) tag offset:" + "0x%02x%02x%02x%02x" + , tagdata[0], tagdata[1], tagdata[2], tagdata[3] ); } } if(ret > 0) 
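Review bot: The split error4 message in the extended-header branch of id3.c loses the space the old message had after the colon: `"Bad (non-synchsafe/too large) tag offset:" "0x%02x%02x%02x%02x"` concatenates to `offset:0x…`, so the first literal should be `"Bad (non-synchsafe/too large) tag offset: "`. The added `tagpos >= length` test rejects an extended-header size that reaches the end of the tag, but whether the size bytes themselves are accounted for depends on how tagpos is used after this branch, which is outside the hunk. The `framebegin` declaration would read better with its purpose on one line, `/* Bytes consumed per frame before its payload: id, size, flags. */`, in place of the two half-sentence comments above it.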
@@ -789,13 +799,12 @@ char id[5]; unsigned long framesize; unsigned long fflags; /* need 16 bits, actually */ - /* bytes of frame title and of framesize value */ - int head_part = fr->id3v2.version > 2 ? 4 : 3; - int flag_part = fr->id3v2.version > 2 ? 2 : 0; id[4] = 0; - /* pos now advanced after ext head, now a frame has to follow */ + /* Pos now advanced after ext head, now a frame has to follow. */ + /* Note: tagpos <= length, which is 28 bit integer, so both */ + /* far away from overflow for adding known small values. */ /* I want to read at least one full header now. */ - while(tagpos <= length-head_part-head_part-flag_part) + while(length >= tagpos+framebegin) { int i = 0; unsigned long pos = tagpos; @@ -828,12 +837,7 @@ break; } if(VERBOSE3) fprintf(stderr, "Note: ID3v2 %s frame of size %lu\n", id, framesize); - tagpos += head_part + framesize; /* the important advancement in whole tag */ - if(tagpos > length-flag_part) - { - if(NOQUIET) error("Whoa! ID3v2 frame claims to be larger than the whole rest of the tag."); - break; - } + tagpos += head_part; pos += head_part; if(fr->id3v2.version > 2) { @@ -842,6 +846,13 @@ tagpos += 2; } else fflags = 0; + + if(length - tagpos < framesize) + { + if(NOQUIET) error("Whoa! ID3v2 frame claims to be larger than the whole rest of the tag."); + break; + } + tagpos += framesize; /* the important advancement in whole tag */ /* for sanity, after full parsing tagpos should be == pos */ /* debug4("ID3v2: found %s frame, size %lu (as bytes: 0x%08lx), flags 0x%016lx", id, framesize, framesize, fflags); */ /* %0abc0000 %0h00kmnp */
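Review bot: The unsigned subtraction `length - tagpos` in the new size check of the @@ -842 hunk relies on an invariant that is only implicit: tagpos cannot exceed length here because the loop guard `while(length >= tagpos+framebegin)` in the @@ -789 hunk reserved exactly the id, size and flag bytes consumed before this point (the id advance presumably sits in the part of the loop body not shown), and the @@ -828 hunk removed the earlier check that ran before the flags were read. A one-line comment at the check, `/* tagpos <= length here: the loop guard reserved framebegin bytes for id, size and flags, all consumed above. */`, records why the subtraction cannot wrap and why the check must stay after the flags advance. Comparing the remaining length against framesize instead of adding framesize to tagpos is the right shape given that bytes_to_long may yield ULONG_MAX on 32-bit builds, as the @@ -704 comment notes, and the comment could say so. The while loop body begins in the @@ -789 hunk and continues past the end of the @@ -842 hunk.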
