package/libmad: switch to debian to fix CVEs

Upstream libmad is dead since 2004 so switch to debian package to get
two patches that fix the following CVEs:
 - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
   cause a denial of service (assertion failure and application exit)
   via a crafted audio file.
 - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer overflow and application crash) or possibly have
   unspecified other impact via a crafted audio file.
 - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer over-read and application crash) via a crafted
   audio file.

Moreover:
 - Remove third patch (replaced by optimize.diff debian patch)
 - Remove fourth patch (same patch than
   Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 - Remove fifth patch (same patch than libmad.thumb.diff)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2020-04-12 12:18:45 +02:00 committed by Yann E. MORIN
parent 210ccaef57
commit 858df3643f
6 changed files with 23 additions and 99 deletions

View File

@ -1,33 +0,0 @@
libmad: remove deprecated cflags (-fforce-mem)
fforce-mem has long been deprecated, and is completely removed from
gcc 4.3.x on.
---
configure | 1 -
configure.ac | 1 -
2 files changed, 2 deletions(-)
Index: libmad-0.15.1b/configure.ac
===================================================================
--- libmad-0.15.1b.orig/configure.ac
+++ libmad-0.15.1b/configure.ac
@@ -140,7 +140,6 @@
case "$optimize" in
-O|"-O "*)
optimize="-O"
- optimize="$optimize -fforce-mem"
optimize="$optimize -fforce-addr"
: #x optimize="$optimize -finline-functions"
: #- optimize="$optimize -fstrength-reduce"
Index: libmad-0.15.1b/configure
===================================================================
--- libmad-0.15.1b.orig/configure
+++ libmad-0.15.1b/configure
@@ -19099,7 +19099,6 @@
case "$optimize" in
-O|"-O "*)
optimize="-O"
- optimize="$optimize -fforce-mem"
optimize="$optimize -fforce-addr"
: #x optimize="$optimize -finline-functions"
: #- optimize="$optimize -fstrength-reduce"

View File

@ -1,40 +0,0 @@
Fixes Thumb2-related build failure
Patch below comes from the Debian libmad package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
From: Dave Martin
Subject: "rsc" doesnt exist anymore in thumb2
diff --git a/fixed.h b/fixed.h
index 4b58abf..ba4bc26 100644
--- a/fixed.h
+++ b/fixed.h
@@ -275,12 +275,25 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t x, mad_fixed_t y)
: "+r" (lo), "+r" (hi) \
: "%r" (x), "r" (y))
+#ifdef __thumb__
+/* In Thumb-2, the RSB-immediate instruction is only allowed with a zero
+ operand. If needed this code can also support Thumb-1
+ (simply append "s" to the end of the second two instructions). */
+# define MAD_F_MLN(hi, lo) \
+ asm ("rsbs %0, %0, #0\n\t" \
+ "sbc %1, %1, %1\n\t" \
+ "sub %1, %1, %2" \
+ : "+&r" (lo), "=&r" (hi) \
+ : "r" (hi) \
+ : "cc")
+#else /* ! __thumb__ */
# define MAD_F_MLN(hi, lo) \
asm ("rsbs %0, %2, #0\n\t" \
"rsc %1, %3, #0" \
- : "=r" (lo), "=r" (hi) \
+ : "=&r" (lo), "=r" (hi) \
: "0" (lo), "1" (hi) \
: "cc")
+#endif /* __thumb__ */
# define mad_f_scale64(hi, lo) \
({ mad_fixed_t __result; \

View File

@ -1,20 +0,0 @@
Fixes Thumb2 related build failure
Patch below comes from the Debian libmad package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
From: Konstantinos Margaritis <markos@debian.org>
Subject: use "adr" instead of "add" to make code ready for thumb2
--- ./imdct_l_arm.S.orig 2010-02-25 13:25:23.000000000 +0100
+++ ./imdct_l_arm.S 2010-02-25 13:27:26.000000000 +0100
@@ -468,7 +468,7 @@
@----
- add r2, pc, #(imdct36_long_karray-.-8) @ r2 = base address of Knn array (PIC safe ?)
+ adr r2, imdct36_long_karray
loop:

View File

@ -1,4 +1,6 @@
# Locally computed:
sha256 bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690 libmad-0.15.1b.tar.gz
sha256 0e21f2c6b19337d0b237dacc04f7b90a56be7f359f4c9a2ee0b202d9af0cfa69 frame_length.diff
# From http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libm/libmad/libmad_0.15.1b-10.dsc
sha256 bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690 libmad_0.15.1b.orig.tar.gz
sha256 dfeabd5d2398bf902660edc31f87ad40600f0aa732b946f864d8ee6bbf56a99c libmad_0.15.1b-10.diff.gz
# Hash for license file:
sha256 32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670 COPYING

View File

@ -5,12 +5,27 @@
################################################################################
LIBMAD_VERSION = 0.15.1b
LIBMAD_SITE = http://downloads.sourceforge.net/project/mad/libmad/$(LIBMAD_VERSION)
LIBMAD_PATCH = libmad_$(LIBMAD_VERSION)-10.diff.gz
LIBMAD_SOURCE = libmad_$(LIBMAD_VERSION).orig.tar.gz
LIBMAD_SITE = \
http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libm/libmad
LIBMAD_INSTALL_STAGING = YES
LIBMAD_LICENSE = GPL-2.0+
LIBMAD_LICENSE_FILES = COPYING
LIBMAD_PATCH = \
https://sources.debian.net/data/main/libm/libmad/0.15.1b-8/debian/patches/frame_length.diff
define LIBMAD_APPLY_DEBIAN_PATCHES
if [ -d $(@D)/debian/patches ]; then \
$(APPLY_PATCHES) $(@D) $(@D)/debian/patches *.patch; \
fi
endef
LIBMAD_POST_PATCH_HOOKS += LIBMAD_APPLY_DEBIAN_PATCHES
# debian/patches/md_size.diff
LIBMAD_IGNORE_CVES += CVE-2017-8372 CVE-2017-8373
# debian/patches/length-check.patch
LIBMAD_IGNORE_CVES += CVE-2017-8374
# Force autoreconf to be able to use a more recent libtool script, that
# is able to properly behave in the face of a missing C++ compiler.