-rw-r--r--meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8374.patch830
-rw-r--r--meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb1
2 files changed, 831 insertions, 0 deletions
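--- /dev/null
+++ b/meta-oe/recipes-multimedia/libmad/libmad/CVE-2017-8374.patch
@@ -0,0 +1,830 @@
+From 05de6e0ddc2c911b725955d2af331ffd76aa8186 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 19:26:36 +0100
+Subject: [PATCH] Check the size before reading with mad_bit_read
+
+There are various cases where it attemps to read past the end of the buffer
+using mad_bit_read(). Most functions didn't even know the size of the buffer
+they were reading from.
+
+Source: https://salsa.debian.org/multimedia-team/libmad/-/raw/debian/0.15.1b-11/debian/patches/length-check.patch?ref_type=tags
+
+CVE: CVE-2017-8374
+Upstream-Status: Inactive-Upstream [lastrelease: 2018]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bit.c | 3 +
+ frame.c | 20 +++++-
+ layer12.c | 112 +++++++++++++++++++++++++++---
+ layer3.c | 198 ++++++++++++++++++++++++++++++++++++++----------------
+ 4 files changed, 262 insertions(+), 71 deletions(-)
+
+diff --git a/bit.c b/bit.c
+index c2bfb24..39ef50b 100644
+--- a/bit.c
++++ b/bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bitptr *bitptr, unsigned int len)
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
+diff --git a/frame.c b/frame.c
+index 0cb3d0f..4b3aea8 100644
+--- a/frame.c
++++ b/frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header *header, struct mad_stream *stream)
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header *header, struct mad_stream *stream)
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header *header, struct mad_stream *stream)
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
+diff --git a/layer12.c b/layer12.c
+index 6981f9c..b6f4a2f 100644
+--- a/layer12.c
++++ b/layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ /* check CRC word */
+
+ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ?
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *stream, struct mad_frame *frame)
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+- if (allocation[ch][sb])
++ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ }
+ }
+ }
+
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+
+ switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ break;
+
+ case 0:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ /* fall through */
+
+ case 1:
+ case 3:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ }
+
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ if ((index = allocation[ch][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (s = 0; s < 3; ++s) {
+ frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stream, struct mad_frame *frame)
+ if ((index = allocation[0][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ for (s = 0; s < 3; ++s) {
+diff --git a/layer3.c b/layer3.c
+index 7dc4ca6..59a81ed 100644
+--- a/layer3.c
++++ b/layer3.c
+@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_bitptr *ptr, unsigned int nch,
+ static
+ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ struct channel *channel,
+- struct channel *gr1ch, int mode_extension)
++ struct channel *gr1ch, int mode_extension,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int scalefac_compress, index, slen[4], part, n, i;
+@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+
+ n = 0;
+ for (part = 0; part < 4; ++part) {
+- for (i = 0; i < nsfb[part]; ++i)
++ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
++ }
+ }
+
+ while (n < 39)
+@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ max = (1 << slen[part]) - 1;
+
+ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ is_pos = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
+
+ channel->scalefac[n] = is_pos;
+ gr1ch->scalefac[n++] = (is_pos == max);
+@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ }
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ */
+ static
+ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+- struct channel const *gr0ch, unsigned int scfsi)
++ struct channel const *gr0ch, unsigned int scfsi,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int slen1, slen2, sfbi;
+@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+ sfbi = 0;
+
+ nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+
+ nsfb = 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+
+ nsfb = 1 * 3;
+ while (nsfb--)
+@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 0; sfbi < 6; ++sfbi)
++ for (sfbi = 0; sfbi < 6; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x4) {
+@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 6; sfbi < 11; ++sfbi)
++ for (sfbi = 6; sfbi < 11; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x2) {
+@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 11; sfbi < 16; ++sfbi)
++ for (sfbi = 11; sfbi < 16; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ if (scfsi & 0x1) {
+@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 16; sfbi < 21; ++sfbi)
++ for (sfbi = 16; sfbi < 21; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ channel->scalefac[21] = 0;
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -933,19 +968,17 @@ static
+ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ struct channel *channel,
+ unsigned char const *sfbwidth,
+- unsigned int part2_length)
++ signed int part3_length)
+ {
+ signed int exponents[39], exp;
+ signed int const *expptr;
+ struct mad_bitptr peek;
+- signed int bits_left, cachesz;
++ signed int bits_left, cachesz, fakebits;
+ register mad_fixed_t *xrptr;
+ mad_fixed_t const *sfbound;
+ register unsigned long bitcache;
+
+- bits_left = (signed) channel->part2_3_length - (signed) part2_length;
+- if (bits_left < 0)
+- return MAD_ERROR_BADPART3LEN;
++ bits_left = part3_length;
+
+ III_exponents(channel, sfbwidth, exponents);
+
+@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ cachesz = mad_bit_bitsleft(&peek);
+ cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+
++ if (bits_left < cachesz) {
++ cachesz = bits_left;
++ }
+ bitcache = mad_bit_read(&peek, cachesz);
+ bits_left -= cachesz;
++ fakebits = 0;
+
+ xrptr = &xr[0];
+
+@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+
+ big_values = channel->big_values;
+
+- while (big_values-- && cachesz + bits_left > 0) {
++ while (big_values-- && cachesz + bits_left - fakebits > 0) {
+ union huffpair const *pair;
+ unsigned int clumpsz, value;
+ register mad_fixed_t requantized;
+@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ unsigned int bits;
+
+ bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
++ if (bits_left < bits) {
++ bits = bits_left;
++ }
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
+ }
++ if (cachesz < 21) {
++ unsigned int bits = 21 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
++ }
+
+ /* hcod (0..19) */
+
+@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ }
+
+ cachesz -= pair->value.hlen;
++ if (cachesz < fakebits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ if (linbits) {
+ /* x (0..14) */
+@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+
+ case 15:
+ if (cachesz < linbits + 2) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ }
+
+ x_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+
+ case 15:
+ if (cachesz < linbits + 1) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ }
+
+ y_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ }
+ }
+
+- if (cachesz + bits_left < 0)
+- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
+-
+ /* count1 */
+ {
+ union huffquad const *table;
+@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+
+ requantized = III_requantize(1, exp);
+
+- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
++ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
+ union huffquad const *quad;
+
+ /* hcod (1..6) */
+
+ if (cachesz < 10) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
++ }
++ if (cachesz < 10) {
++ unsigned int bits = 10 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
+ }
+
+ quad = &table[MASK(bitcache, cachesz, 4)];
+@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ MASK(bitcache, cachesz, quad->ptr.bits)];
+ }
+
++ if (cachesz - fakebits < quad->value.hlen + quad->value.v
++ + quad->value.w + quad->value.x + quad->value.y)
++ /* We don't have enough bits to read one more entry, consider them
++ * stuffing bits. */
++ break;
+ cachesz -= quad->value.hlen;
+
+ if (xrptr == sfbound) {
+@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+
+ xrptr += 2;
+ }
+-
+- if (cachesz + bits_left < 0) {
+-# if 0 && defined(DEBUG)
+- fprintf(stderr, "huffman count1 overrun (%d bits)\n",
+- -(cachesz + bits_left));
+-# endif
+-
+- /* technically the bitstream is misformatted, but apparently
+- some encoders are just a bit sloppy with stuffing bits */
+-
+- xrptr -= 4;
+- }
+ }
+
+- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
+-
+ # if 0 && defined(DEBUG)
+ if (bits_left < 0)
+ fprintf(stderr, "read %d bits too many\n", -bits_left);
+@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18][32], unsigned int sb)
+ */
+ static
+ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+- struct sideinfo *si, unsigned int nch)
++ struct sideinfo *si, unsigned int nch, unsigned int md_len)
+ {
+ struct mad_header *header = &frame->header;
+ unsigned int sfreqi, ngr, gr;
++ int bits_left = md_len * CHAR_BIT;
+
+ {
+ unsigned int sfreq;
+@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+ for (ch = 0; ch < nch; ++ch) {
+ struct channel *channel = &granule->ch[ch];
+ unsigned int part2_length;
++ unsigned int part3_length;
+
+ sfbwidth[ch] = sfbwidth_table[sfreqi].l;
+ if (channel->block_type == 2) {
+@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+ }
+
+ if (header->flags & MAD_FLAG_LSF_EXT) {
+- part2_length = III_scalefactors_lsf(ptr, channel,
++ error = III_scalefactors_lsf(ptr, channel,
+ ch == 0 ? 0 : &si->gr[1].ch[1],
+- header->mode_extension);
++ header->mode_extension, bits_left, &part2_length);
+ }
+ else {
+- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+- gr == 0 ? 0 : si->scfsi[ch]);
++ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
++ gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
+ }
++ if (error)
++ return error;
+
+- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
++ bits_left -= part2_length;
++
++ if (part2_length > channel->part2_3_length)
++ return MAD_ERROR_BADPART3LEN;
++
++ part3_length = channel->part2_3_length - part2_length;
++ if (part3_length > bits_left)
++ return MAD_ERROR_BADPART3LEN;
++
++ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
+ if (error)
+ return error;
++ bits_left -= part3_length;
+ }
+
+ /* joint stereo processing */
+@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *stream, struct mad_frame *frame)
+ unsigned int nch, priv_bitlen, next_md_begin = 0;
+ unsigned int si_len, data_bitlen, md_len;
+ unsigned int frame_space, frame_used, frame_free;
+- struct mad_bitptr ptr;
++ struct mad_bitptr ptr, bufend_ptr;
+ struct sideinfo si;
+ enum mad_error error;
+ int result = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* allocate Layer III dynamic structures */
+
+ if (stream->main_data == 0) {
+@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *stream, struct mad_frame *frame)
+ unsigned long header;
+
+ mad_bit_init(&peek, stream->next_frame);
++ if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
++ header = mad_bit_read(&peek, 32);
++ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
++ if (!(header & 0x00010000L)) /* protection_bit */
++ mad_bit_skip(&peek, 16); /* crc_check */
+
+- header = mad_bit_read(&peek, 32);
+- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+- if (!(header & 0x00010000L)) /* protection_bit */
+- mad_bit_skip(&peek, 16); /* crc_check */
+-
+- next_md_begin =
+- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ next_md_begin =
++ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ }
+ }
+
+ mad_bit_finish(&peek);
+@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *stream, struct mad_frame *frame)
+ /* decode main_data */
+
+ if (result == 0) {
+- error = III_decode(&ptr, frame, &si, nch);
++ error = III_decode(&ptr, frame, &si, nch, md_len);
+ if (error) {
+ stream->error = error;
+ result = -1;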
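Review bot: In the III_decode hunk (layer3.c, `@@ -2348,10 +2411,11 @@`) `int bits_left = md_len * CHAR_BIT;` is declared signed but is only ever used as unsigned — the new `if (part3_length > bits_left)` promotes it to unsigned and both III_scalefactors_lsf and III_scalefactors take `unsigned int bits_left` — so `unsigned int bits_left = md_len * CHAR_BIT;` matches its actual use and removes the signed/unsigned comparison; it cannot go negative because each subtraction (`bits_left -= part2_length`, `bits_left -= part3_length`) is of a value just checked against it. The same mix recurs in III_huffdecode, where the new clamps `if (bits_left < bits) bits = bits_left;` compare signed `bits_left` with an `unsigned int bits`: that is only safe while bits_left stays non-negative, which appears to hold because every read is clamped first, but a comment at `bits_left = part3_length;` such as `/* bits_left never goes negative: every read below is clamped to it */` would make the invariant explicit for the next reader. Separately, III_scalefactors_lsf and III_scalefactors now return MAD_ERROR_* codes yet are still declared `unsigned int`; declaring them `enum mad_error` (and documenting that `*part2_length` is written only on MAD_ERROR_NONE) would bring them in line with III_huffdecode. The body of mad_layer_III continues past the last hunk.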
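--- a/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
+++ b/meta-oe/recipes-multimedia/libmad/libmad_0.15.1b.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://downloads.sourceforge.net/mad/libmad-${PV}.tar.gz \
  file://automake-foreign.patch \
  file://0001-configure-Respect-the-cflags-from-environment.patch \
  file://CVE-2017-8372_CVE-2017-8373.patch \
+ file://CVE-2017-8374.patch \
 "
 SRC_URI:append:toolchain-clang = " file://0004-Remove-clang-unsupported-compiler-flags.patch "
 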