SecBSD's official ports repository
This commit is contained in:
commit
2c0afcbbf3
GPG key ID:
F42C07F07E2E35B7
64331 changed files with 5339189 additions and 0 deletions
67
audio/libmad/patches/patch-frame_c
Normal file
67
audio/libmad/patches/patch-frame_c
Normal file
|
|
@ -0,0 +1,67 @@
|
|||
Fixes for CVE-2017-8372, CVE-2017-8373, CVE-2017-8374.
|
||||
From Debian 0.15.1b-10, debian/patches/length-check.patch
|
||||
|
||||
Index: frame.c
|
||||
--- frame.c.orig
|
||||
+++ frame.c
|
||||
@@ -120,11 +120,18 @@ static
|
||||
int decode_header(struct mad_header *header, struct mad_stream *stream)
|
||||
{
|
||||
unsigned int index;
|
||||
+ struct mad_bitptr bufend_ptr;
|
||||
|
||||
header->flags = 0;
|
||||
header->private_bits = 0;
|
||||
|
||||
+ mad_bit_init(&bufend_ptr, stream->bufend);
|
||||
+
|
||||
/* header() */
|
||||
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
|
||||
+ stream->error = MAD_ERROR_BUFLEN;
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
/* syncword */
|
||||
mad_bit_skip(&stream->ptr, 11);
|
||||
@@ -225,8 +232,13 @@ int decode_header(struct mad_header *header, struct ma
|
||||
/* error_check() */
|
||||
|
||||
/* crc_check */
|
||||
- if (header->flags & MAD_FLAG_PROTECTION)
|
||||
+ if (header->flags & MAD_FLAG_PROTECTION) {
|
||||
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
|
||||
+ stream->error = MAD_ERROR_BUFLEN;
|
||||
+ return -1;
|
||||
+ }
|
||||
header->crc_target = mad_bit_read(&stream->ptr, 16);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header *header, struc
|
||||
stream->error = MAD_ERROR_BUFLEN;
|
||||
goto fail;
|
||||
}
|
||||
- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
|
||||
+ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
|
||||
/* mark point where frame sync word was expected */
|
||||
stream->this_frame = ptr;
|
||||
stream->next_frame = ptr + 1;
|
||||
@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header *header, struc
|
||||
ptr = mad_bit_nextbyte(&stream->ptr);
|
||||
}
|
||||
|
||||
+ stream->error = MAD_ERROR_NONE;
|
||||
+
|
||||
/* begin processing */
|
||||
stream->this_frame = ptr;
|
||||
stream->next_frame = ptr + 1; /* possibly bogus sync word */
|
||||
@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header *header, struc
|
||||
/* check that a valid frame header follows this frame */
|
||||
|
||||
ptr = stream->next_frame;
|
||||
- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
|
||||
+ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
|
||||
ptr = stream->next_frame = stream->this_frame + 1;
|
||||
goto sync;
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue