Hello community,

here is the log from the commit of package libmad for openSUSE:Factory checked 
in at 2018-02-22 14:58:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libmad (Old)
 and      /work/SRC/openSUSE:Factory/.libmad.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libmad"

Thu Feb 22 14:58:46 2018 rev:3 rq:578712 version:0.15.1b

Changes:
--------
--- /work/SRC/openSUSE:Factory/libmad/libmad.changes    2017-09-12 
19:37:56.530297750 +0200
+++ /work/SRC/openSUSE:Factory/.libmad.new/libmad.changes       2018-02-22 
14:58:47.629887473 +0100
@@ -1,0 +2,6 @@
+Wed Feb 21 13:57:11 UTC 2018 - idon...@suse.com
+
+- Add frame_length.diff from Debian to fix CVE-2017-8374
+  bsc#1036967
+
+-------------------------------------------------------------------

New:
----
  frame_length.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libmad.spec ++++++
--- /var/tmp/diff_new_pack.0yFU5M/_old  2018-02-22 14:58:48.545854518 +0100
+++ /var/tmp/diff_new_pack.0yFU5M/_new  2018-02-22 14:58:48.549854374 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libmad
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 %define sover   0
 %define libname %{name}%{sover}
 Name:           libmad
@@ -32,6 +33,7 @@
 Patch3:         Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
 Patch4:         libmad.thumb.diff
 Patch5:         libmad-0.15.1b-ppc.patch
+Patch6:         frame_length.diff
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -82,6 +84,7 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 # new autoconf does not support deprecated declare (10 years in deprecation)
 sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac

++++++ frame_length.diff ++++++
; You can calculate where the next frame will start depending on things
; like the bitrate. See mad_header_decode().  It seems that when decoding
; the frame you can go past that boundary.  This attempts to catch those cases,
; but might not catch all of them.
; For more info see http://bugs.debian.org/508133
Index: libmad-0.15.1b/layer12.c
===================================================================
--- libmad-0.15.1b.orig/layer12.c       2008-12-23 21:38:07.000000000 +0100
+++ libmad-0.15.1b/layer12.c    2008-12-23 21:38:12.000000000 +0100
@@ -134,6 +134,12 @@
   for (sb = 0; sb < bound; ++sb) {
     for (ch = 0; ch < nch; ++ch) {
       nb = mad_bit_read(&stream->ptr, 4);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
       if (nb == 15) {
        stream->error = MAD_ERROR_BADBITALLOC;
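Review bot: The added check after `nb = mad_bit_read(&stream->ptr, 4);` runs only once the bits have been consumed, so it detects a read past `stream->next_frame` rather than preventing it. Whether that read can touch memory beyond the input buffer depends on guard bytes supplied by the caller, which this hunk does not show. The same six-line block is pasted into every other layer12.c hunk of this patch, in tab indentation that differs from the surrounding two-space style. I would move it into one small static helper (name to be chosen, e.g. `frame_overrun`) that sets `stream->error`, clears `stream->sync` and returns nonzero, called as `if (frame_overrun(stream)) return -1;`, with a comment such as `/* bit pointer ran past the frame boundary computed from the header */`. The enclosing function starts and ends outside the hunk.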
@@ -146,6 +152,12 @@
 
   for (sb = bound; sb < 32; ++sb) {
     nb = mad_bit_read(&stream->ptr, 4);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
     if (nb == 15) {
       stream->error = MAD_ERROR_BADBITALLOC;
@@ -162,6 +174,12 @@
     for (ch = 0; ch < nch; ++ch) {
       if (allocation[ch][sb]) {
        scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
 # if defined(OPT_STRICT)
        /*
@@ -187,6 +205,12 @@
        frame->sbsample[ch][s][sb] = nb ?
          mad_f_mul(I_sample(&stream->ptr, nb),
                    sf_table[scalefactor[ch][sb]]) : 0;
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
       }
     }
 
@@ -195,6 +219,12 @@
        mad_fixed_t sample;
 
        sample = I_sample(&stream->ptr, nb);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
        for (ch = 0; ch < nch; ++ch) {
          frame->sbsample[ch][s][sb] =
@@ -403,7 +433,15 @@
     nbal = bitalloc_table[offsets[sb]].nbal;
 
     for (ch = 0; ch < nch; ++ch)
+    {
       allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
+    }
   }
 
   for (sb = bound; sb < sblimit; ++sb) {
@@ -411,6 +449,13 @@
 
     allocation[0][sb] =
     allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
   }
 
   /* decode scalefactor selection info */
@@ -419,6 +464,12 @@
     for (ch = 0; ch < nch; ++ch) {
       if (allocation[ch][sb])
        scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
     }
   }
 
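Review bot: The new check sits under `if (allocation[ch][sb])` with no braces, so only the `scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);` assignment is conditional and the check runs on every iteration, even when nothing was read. That is harmless for correctness, but the indentation suggests the check belongs to the `if`. Bracing the body, `if (allocation[ch][sb]) {` before the read and `}` after the check, makes the intent explicit, as the hunk at -403 does for its loop body. The enclosing function starts outside the hunk.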
@@ -442,6 +493,12 @@
     for (ch = 0; ch < nch; ++ch) {
       if (allocation[ch][sb]) {
        scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
        switch (scfsi[ch][sb]) {
        case 2:
@@ -452,11 +509,23 @@
 
        case 0:
          scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+               if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+               {
+                       stream->error = MAD_ERROR_LOSTSYNC;
+                       stream->sync = 0;
+                       return -1;
+               }
          /* fall through */
 
        case 1:
        case 3:
          scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+               if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+               {
+                       stream->error = MAD_ERROR_LOSTSYNC;
+                       stream->sync = 0;
+                       return -1;
+               }
        }
 
        if (scfsi[ch][sb] & 1)
@@ -488,6 +557,12 @@
          index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
          II_samples(&stream->ptr, &qc_table[index], samples);
+               if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+               {
+                       stream->error = MAD_ERROR_LOSTSYNC;
+                       stream->sync = 0;
+                       return -1;
+               }
 
          for (s = 0; s < 3; ++s) {
            frame->sbsample[ch][3 * gr + s][sb] =
@@ -506,6 +581,12 @@
        index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
        II_samples(&stream->ptr, &qc_table[index], samples);
+       if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+       {
+               stream->error = MAD_ERROR_LOSTSYNC;
+               stream->sync = 0;
+               return -1;
+       }
 
        for (ch = 0; ch < nch; ++ch) {
          for (s = 0; s < 3; ++s) {
Index: libmad-0.15.1b/layer3.c
===================================================================
--- libmad-0.15.1b.orig/layer3.c        2008-12-23 21:38:07.000000000 +0100
+++ libmad-0.15.1b/layer3.c     2008-12-23 21:38:12.000000000 +0100
@@ -2608,6 +2608,12 @@
     next_md_begin = 0;
 
   md_len = si.main_data_begin + frame_space - next_md_begin;
+  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
+  {
+       stream->error = MAD_ERROR_LOSTSYNC;
+       stream->sync = 0;
+       return -1;
+  }
 
   frame_used = 0;
 
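Review bot: The guard `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN` adds to a length derived from stream data before comparing, so if `md_len` is an unsigned type the sum could in principle wrap for very large values. Writing it as `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD)` avoids that, assuming MAD_BUFFER_MDLEN exceeds MAD_BUFFER_GUARD (neither definition is visible here). The check also needs a comment naming what it bounds, for example `/* main data must fit the main-data buffer with guard bytes to spare */`, because the copy it presumably protects is outside the hunk. The enclosing function starts and ends outside the hunk.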
