diff options
3 files changed, 121 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch new file mode 100644 index 0000000000..9e208477fc --- /dev/null +++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch | |||
| @@ -0,0 +1,83 @@ | |||
| 1 | From 586ac8cf550b63a1d87ec105ea4bf20b6f406591 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andrew Wesie <awesie@gmail.com> | ||
| 3 | Date: Fri, 9 Oct 2020 08:19:48 -0500 | ||
| 4 | Subject: [PATCH] Check for error after each channel decode. | ||
| 5 | |||
| 6 | hInfo->error is reset within the decode_* functions. This caused the decoder | ||
| 7 | to ignore errors for some channels in the error resilience (ER) code path. | ||
| 8 | |||
| 9 | Fixes #58. | ||
| 10 | |||
| 11 | CVE: CVE-2021-32276 | ||
| 12 | Upstream-Status: Backport [https://github.com/knik0/faad2/commit/b58840121d1827b4b6c7617e2431589af1776ddc] | ||
| 13 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 14 | --- | ||
| 15 | libfaad/syntax.c | 24 ++++++++++++++++++++++++ | ||
| 16 | 1 file changed, 24 insertions(+) | ||
| 17 | |||
| 18 | diff --git a/libfaad/syntax.c b/libfaad/syntax.c | ||
| 19 | index 4e57efd..af48cd1 100644 | ||
| 20 | --- a/libfaad/syntax.c | ||
| 21 | +++ b/libfaad/syntax.c | ||
| 22 | @@ -523,37 +523,61 @@ void raw_data_block(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, | ||
| 23 | break; | ||
| 24 | case 3: | ||
| 25 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 26 | + if (hInfo->error > 0) | ||
| 27 | + return; | ||
| 28 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 29 | if (hInfo->error > 0) | ||
| 30 | return; | ||
| 31 | break; | ||
| 32 | case 4: | ||
| 33 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 34 | + if (hInfo->error > 0) | ||
| 35 | + return; | ||
| 36 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 37 | + if (hInfo->error > 0) | ||
| 38 | + return; | ||
| 39 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 40 | if (hInfo->error > 0) | ||
| 41 | return; | ||
| 42 | break; | ||
| 43 | case 5: | ||
| 44 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 45 | + if (hInfo->error > 0) | ||
| 46 | + return; | ||
| 47 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 48 | + if (hInfo->error > 0) | ||
| 49 | + return; | ||
| 50 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 51 | if (hInfo->error > 0) | ||
| 52 | return; | ||
| 53 | break; | ||
| 54 | case 6: | ||
| 55 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 56 | + if (hInfo->error > 0) | ||
| 57 | + return; | ||
| 58 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 59 | + if (hInfo->error > 0) | ||
| 60 | + return; | ||
| 61 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 62 | + if (hInfo->error > 0) | ||
| 63 | + return; | ||
| 64 | decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE); | ||
| 65 | if (hInfo->error > 0) | ||
| 66 | return; | ||
| 67 | break; | ||
| 68 | case 7: /* 8 channels */ | ||
| 69 | decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE); | ||
| 70 | + if (hInfo->error > 0) | ||
| 71 | + return; | ||
| 72 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 73 | + if (hInfo->error > 0) | ||
| 74 | + return; | ||
| 75 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 76 | + if (hInfo->error > 0) | ||
| 77 | + return; | ||
| 78 | decode_cpe(hDecoder, hInfo, ld, ID_CPE); | ||
| 79 | + if (hInfo->error > 0) | ||
| 80 | + return; | ||
| 81 | decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE); | ||
| 82 | if (hInfo->error > 0) | ||
| 83 | return; | ||
diff --git a/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch new file mode 100644 index 0000000000..c21391ca6b --- /dev/null +++ b/meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch | |||
| @@ -0,0 +1,36 @@ | |||
| 1 | From bac3c71781465bb92286e89ef326161bd2500cb4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andrew Wesie <awesie@gmail.com> | ||
| 3 | Date: Fri, 9 Oct 2020 08:55:52 -0500 | ||
| 4 | Subject: [PATCH] Check for inconsistent number of channels. | ||
| 5 | |||
| 6 | The frontend does not support audio output when the number of channels | ||
| 7 | changes between frames. Check if the number of decoded channels matches the | ||
| 8 | number of audio output channels. | ||
| 9 | |||
| 10 | It is possible that this condition should be detected in the decoder instead | ||
| 11 | of the frontend. | ||
| 12 | |||
| 13 | Fixes crash from afl-fuzz. | ||
| 14 | |||
| 15 | CVE: CVE-2021-32276 | ||
| 16 | Upstream-Status: Backport [https://github.com/knik0/faad2/commit/4ed30d3d232b6a7a150cc06aed14eb47e4eda14e] | ||
| 17 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 18 | --- | ||
| 19 | frontend/main.c | 4 ++++ | ||
| 20 | 1 file changed, 4 insertions(+) | ||
| 21 | |||
| 22 | diff --git a/frontend/main.c b/frontend/main.c | ||
| 23 | index 3b0850d..39d5276 100644 | ||
| 24 | --- a/frontend/main.c | ||
| 25 | +++ b/frontend/main.c | ||
| 26 | @@ -693,6 +693,10 @@ static int decodeAACfile(char *aacfile, char *sndfile, char *adts_fn, int to_std | ||
| 27 | /* update buffer indices */ | ||
| 28 | advance_buffer(&b, frameInfo.bytesconsumed); | ||
| 29 | |||
| 30 | + /* check if the inconsistent number of channels */ | ||
| 31 | + if (aufile != NULL && frameInfo.channels != aufile->channels) | ||
| 32 | + frameInfo.error = 12; | ||
| 33 | + | ||
| 34 | if (frameInfo.error > 0) | ||
| 35 | { | ||
| 36 | faad_fprintf(stderr, "Error: %s\n", | ||
diff --git a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb index f354c99d33..311a384fc4 100644 --- a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb +++ b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb | |||
| @@ -12,6 +12,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \ | |||
| 12 | file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \ | 12 | file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \ |
| 13 | file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \ | 13 | file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \ |
| 14 | file://0001-Check-return-value-of-ltp_data.patch \ | 14 | file://0001-Check-return-value-of-ltp_data.patch \ |
| 15 | file://CVE-2021-32276-1.patch \ | ||
| 16 | file://CVE-2021-32276-2.patch \ | ||
| 15 | " | 17 | " |
| 16 | SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f" | 18 | SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f" |
| 17 | SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d" | 19 | SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d" |
