libmad: patch CVE-2017-8372 and CVE-2017-8373

Pick patch [1] from Debian based on [2] and [3]. [1] https://salsa.debian.org/multimedia-team/libmad/-/blob/debian/0.15.1b-11/debian/patches/md_size.diff?ref_type=tags [2] https://security-tracker.debian.org/tracker/CVE-2017-8372 [3] https://security-tracker.debian.org/tracker/CVE-2017-8373 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-21 00:14:04 +0100
committer: Khem Raj <raj.khem@gmail.com> 2025-03-20 19:36:50 -0700
commit: 437635f608f2d9b69fefcde9ebfcff2bab64d35e (patch)
tree: ddb25d884e92eb60e172c88d524481d67876fb26
parent: fee86a312fbcaef7aaad66fe2f6756bd7e57d585 (diff)
download: meta-openembedded-437635f608f2d9b69fefcde9ebfcff2bab64d35e.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch b/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch
new file mode 100644
index 0000000000..a57df492d0
--- /dev/null
+++ b/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch
@@ -0,0 +1,69 @@
+From 7e8f6e5118e31455924940141a761a1589e8d85d Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 15:44:08 +0100
+Subject: [PATCH] Check the size of the main data
+The main data to decode a frame can come from the current frame and part of the
+previous frame, the so called bit reservoir. si.main_data_begin is the part of
+the previous frame we need for this frame. frame_space is the amount of main
+data that can be in this frame, and next_md_begin is the part of this frame that
+is going to be used for the next frame.
+The maximum amount of data from a previous frame that the format allows is 511
+bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
+at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
+So those defines are not large enough:
+ # define MAD_BUFFER_GUARD      8
+ # define MAD_BUFFER_MDLEN      (511 + 2048 + MAD_BUFFER_GUARD)
+There is also support for a "free" bitrate which allows you to create any frame
+size, which can be larger than the buffer.
+Changing the defines is not an option since it's part of the ABI, so we check
+that the main data fits in the bufer.
+The previous frame data is stored in *stream->main_data and contains
+stream->md_len bytes. If stream->md_len is larger than the data we
+need from the previous frame (si.main_data_begin) it still wouldn't fit
+in the buffer, so just keep the data that we need.
+Source: https://salsa.debian.org/multimedia-team/libmad/-/blob/debian/0.15.1b-11/debian/patches/md_size.diff?ref_type=tags
+CVE: CVE-2017-8372
+CVE: CVE-2017-8373
+Upstream-Status: Inactive-Upstream [lastrelease: 2018]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ layer3.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/layer3.c b/layer3.c
+index 4e5d3fa..7dc4ca6 100644
+--- a/layer3.c
+++ b/layer3.c
+@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *stream, struct mad_frame *frame)
+     next_md_begin = 0;
+ 
+   md_len = si.main_data_begin + frame_space - next_md_begin;
+  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
+    stream->error = MAD_ERROR_LOSTSYNC;
+    stream->sync = 0;
+    return -1;
+  }
+ 
+   frame_used = 0;
+ 
+@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *stream, struct mad_frame *frame)
+       }
+     }
+     else {
+-      mad_bit_init(&ptr,
+-                  *stream->main_data + stream->md_len - si.main_data_begin);
+      memmove(stream->main_data,
+       *stream->main_data + stream->md_len - si.main_data_begin,
+       si.main_data_begin);
+      stream->md_len = si.main_data_begin;
+      mad_bit_init(&ptr, *stream->main_data);
+ 
+       if (md_len > si.main_data_begin) {
+        assert(stream->md_len + md_len -
diff --git a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
index 2d63f9a804..b6668980da 100644
--- a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
+++ b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://downloads.sourceforge.net/mad/libmad-${PV}.tar.gz \
    file://obsolete_automake_macros.patch \
    file://automake-foreign.patch \
    file://0001-configure-Respect-the-cflags-from-environment.patch \
+    file://CVE-2017-8372_CVE-2017-8373.patch \
 "
 SRC_URI:append:toolchain-clang = " file://0004-Remove-clang-unsupported-compiler-flags.patch "
author	Peter Marko <peter.marko@siemens.com>	2025-03-21 00:14:04 +0100
committer	Khem Raj <raj.khem@gmail.com>	2025-03-20 19:36:50 -0700
commit	437635f608f2d9b69fefcde9ebfcff2bab64d35e (patch)
tree	ddb25d884e92eb60e172c88d524481d67876fb26
parent	fee86a312fbcaef7aaad66fe2f6756bd7e57d585 (diff)
download	meta-openembedded-437635f608f2d9b69fefcde9ebfcff2bab64d35e.tar.gz

diff --git a/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch b/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch new file mode 100644 index 0000000000..a57df492d0 --- /dev/null +++ b/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8372_CVE-2017-8373.patch
@@ -0,0 +1,69 @@
		1	From 7e8f6e5118e31455924940141a761a1589e8d85d Mon Sep 17 00:00:00 2001
		2	From: Kurt Roeckx <kurt@roeckx.be>
		3	Date: Sun, 28 Jan 2018 15:44:08 +0100
		4	Subject: [PATCH] Check the size of the main data
		5
		6	The main data to decode a frame can come from the current frame and part of the
		7	previous frame, the so called bit reservoir. si.main_data_begin is the part of
		8	the previous frame we need for this frame. frame_space is the amount of main
		9	data that can be in this frame, and next_md_begin is the part of this frame that
		10	is going to be used for the next frame.
		11
		12	The maximum amount of data from a previous frame that the format allows is 511
		13	bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
		14	at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
		15	So those defines are not large enough:
		16	# define MAD_BUFFER_GUARD 8
		17	# define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)
		18
		19	There is also support for a "free" bitrate which allows you to create any frame
		20	size, which can be larger than the buffer.
		21
		22	Changing the defines is not an option since it's part of the ABI, so we check
		23	that the main data fits in the bufer.
		24
		25	The previous frame data is stored in *stream->main_data and contains
		26	stream->md_len bytes. If stream->md_len is larger than the data we
		27	need from the previous frame (si.main_data_begin) it still wouldn't fit
		28	in the buffer, so just keep the data that we need.
		29
		30	Source: https://salsa.debian.org/multimedia-team/libmad/-/blob/debian/0.15.1b-11/debian/patches/md_size.diff?ref_type=tags
		31
		32	CVE: CVE-2017-8372
		33	CVE: CVE-2017-8373
		34	Upstream-Status: Inactive-Upstream [lastrelease: 2018]
		35	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		36	---
		37	layer3.c \| 12 ++++++++++--
		38	1 file changed, 10 insertions(+), 2 deletions(-)
		39
		40	diff --git a/layer3.c b/layer3.c
		41	index 4e5d3fa..7dc4ca6 100644
		42	--- a/layer3.c
		43	+++ b/layer3.c
		44	@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream stream, struct mad_frame frame)
		45	next_md_begin = 0;
		46
		47	md_len = si.main_data_begin + frame_space - next_md_begin;
		48	+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
		49	+ stream->error = MAD_ERROR_LOSTSYNC;
		50	+ stream->sync = 0;
		51	+ return -1;
		52	+ }
		53
		54	frame_used = 0;
		55
		56	@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream stream, struct mad_frame frame)
		57	}
		58	}
		59	else {
		60	- mad_bit_init(&ptr,
		61	- *stream->main_data + stream->md_len - si.main_data_begin);
		62	+ memmove(stream->main_data,
		63	+ *stream->main_data + stream->md_len - si.main_data_begin,
		64	+ si.main_data_begin);
		65	+ stream->md_len = si.main_data_begin;
		66	+ mad_bit_init(&ptr, *stream->main_data);
		67
		68	if (md_len > si.main_data_begin) {
		69	assert(stream->md_len + md_len -


diff --git a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb index 2d63f9a804..b6668980da 100644 --- a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb +++ b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://downloads.sourceforge.net/mad/libmad-${PV}.tar.gz \
16	file://obsolete_automake_macros.patch \	16	file://obsolete_automake_macros.patch \
17	file://automake-foreign.patch \	17	file://automake-foreign.patch \
18	file://0001-configure-Respect-the-cflags-from-environment.patch \	18	file://0001-configure-Respect-the-cflags-from-environment.patch \
		19	file://CVE-2017-8372_CVE-2017-8373.patch \
19	"	20	"
20	SRC_URI:append:toolchain-clang = " file://0004-Remove-clang-unsupported-compiler-flags.patch "	21	SRC_URI:append:toolchain-clang = " file://0004-Remove-clang-unsupported-compiler-flags.patch "
21		22