summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch83
-rw-r--r--meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch36
-rw-r--r--meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb2
3 files changed, 121 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch
new file mode 100644
index 0000000000..9e208477fc
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch
@@ -0,0 +1,83 @@
1From 586ac8cf550b63a1d87ec105ea4bf20b6f406591 Mon Sep 17 00:00:00 2001
2From: Andrew Wesie <awesie@gmail.com>
3Date: Fri, 9 Oct 2020 08:19:48 -0500
4Subject: [PATCH] Check for error after each channel decode.
5
6hInfo->error is reset within the decode_* functions. This caused the decoder
7to ignore errors for some channels in the error resilience (ER) code path.
8
9Fixes #58.
10
11CVE: CVE-2021-32276
12Upstream-Status: Backport [https://github.com/knik0/faad2/commit/b58840121d1827b4b6c7617e2431589af1776ddc]
13Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
14---
15 libfaad/syntax.c | 24 ++++++++++++++++++++++++
16 1 file changed, 24 insertions(+)
17
18diff --git a/libfaad/syntax.c b/libfaad/syntax.c
19index 4e57efd..af48cd1 100644
20--- a/libfaad/syntax.c
21+++ b/libfaad/syntax.c
22@@ -523,37 +523,61 @@ void raw_data_block(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo,
23 break;
24 case 3:
25 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
26+ if (hInfo->error > 0)
27+ return;
28 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
29 if (hInfo->error > 0)
30 return;
31 break;
32 case 4:
33 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
34+ if (hInfo->error > 0)
35+ return;
36 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
37+ if (hInfo->error > 0)
38+ return;
39 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
40 if (hInfo->error > 0)
41 return;
42 break;
43 case 5:
44 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
45+ if (hInfo->error > 0)
46+ return;
47 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
48+ if (hInfo->error > 0)
49+ return;
50 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
51 if (hInfo->error > 0)
52 return;
53 break;
54 case 6:
55 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
56+ if (hInfo->error > 0)
57+ return;
58 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
59+ if (hInfo->error > 0)
60+ return;
61 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
62+ if (hInfo->error > 0)
63+ return;
64 decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
65 if (hInfo->error > 0)
66 return;
67 break;
68 case 7: /* 8 channels */
69 decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
70+ if (hInfo->error > 0)
71+ return;
72 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
73+ if (hInfo->error > 0)
74+ return;
75 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
76+ if (hInfo->error > 0)
77+ return;
78 decode_cpe(hDecoder, hInfo, ld, ID_CPE);
79+ if (hInfo->error > 0)
80+ return;
81 decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
82 if (hInfo->error > 0)
83 return;
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch
new file mode 100644
index 0000000000..c21391ca6b
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch
@@ -0,0 +1,36 @@
1From bac3c71781465bb92286e89ef326161bd2500cb4 Mon Sep 17 00:00:00 2001
2From: Andrew Wesie <awesie@gmail.com>
3Date: Fri, 9 Oct 2020 08:55:52 -0500
4Subject: [PATCH] Check for inconsistent number of channels.
5
6The frontend does not support audio output when the number of channels
7changes between frames. Check if the number of decoded channels matches the
8number of audio output channels.
9
10It is possible that this condition should be detected in the decoder instead
11of the frontend.
12
13Fixes crash from afl-fuzz.
14
15CVE: CVE-2021-32276
16Upstream-Status: Backport [https://github.com/knik0/faad2/commit/4ed30d3d232b6a7a150cc06aed14eb47e4eda14e]
17Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
18---
19 frontend/main.c | 4 ++++
20 1 file changed, 4 insertions(+)
21
22diff --git a/frontend/main.c b/frontend/main.c
23index 3b0850d..39d5276 100644
24--- a/frontend/main.c
25+++ b/frontend/main.c
26@@ -693,6 +693,10 @@ static int decodeAACfile(char *aacfile, char *sndfile, char *adts_fn, int to_std
27 /* update buffer indices */
28 advance_buffer(&b, frameInfo.bytesconsumed);
29
30+ /* check if the inconsistent number of channels */
31+ if (aufile != NULL && frameInfo.channels != aufile->channels)
32+ frameInfo.error = 12;
33+
34 if (frameInfo.error > 0)
35 {
36 faad_fprintf(stderr, "Error: %s\n",
diff --git a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
index f354c99d33..311a384fc4 100644
--- a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
+++ b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
@@ -12,6 +12,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
12 file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \ 12 file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \
13 file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \ 13 file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \
14 file://0001-Check-return-value-of-ltp_data.patch \ 14 file://0001-Check-return-value-of-ltp_data.patch \
15 file://CVE-2021-32276-1.patch \
16 file://CVE-2021-32276-2.patch \
15 " 17 "
16SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f" 18SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
17SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d" 19SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"