Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi there,

please grant permission to upload an updated package for lame in wheezy. The package will contain three patches that have been created to cope with a couple of crashes that were detected by feeding fuzzed wav file samples into the library. At least two of them appear to be security-relevant, to say the least, and the third one fixes a nasty crash in the frontend.

All three patches have been forwarded upstream by private mail to one of the upstream developers.

Please find a debdiff between the original and the updated package attached.

Cheers,

Fabian

PS: I have set the distribution to wheezy-p-u. Is this correct or should I rather set it to stable, or wheezy?

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog --- lame-3.99.5+repack1/debian/changelog 2012-03-17 18:41:48.000000000 +0100 +++ lame-3.99.5+repack1/debian/changelog 2015-02-24 09:50:06.000000000 +0100 @@ -1,3 +1,18 @@ +lame (3.99.5+repack1-3wheezy1) stable-proposed-updates; urgency=medium + + * Add check for invalid input sample rate, thanks Maks Naumov + (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and + Brian Carpenter for the bug reports and test cases. + * Extend Maks Naumov's patch to also include a sanity check for + a valid amount of input channels (Closes: #778703). + * Avoid malformed wav causing floating point exception in the + frontend (Closes: #777159). + * Fix decision if sample rate ratio is an integer value or not + (Closes: #778529). Thanks to Henri Salo for the bug reports + and the fuzzed samples! + + -- Fabian Greffrath <fabian+deb...@greffrath.com> Tue, 24 Feb 2015 09:46:48 +0100 + lame (3.99.5+repack1-3) unstable; urgency=low * Handle case on setting CFLAGS for systems where dpkg-dev (<< 1.15.7) diff -Nru lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch --- lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch 1970-01-01 01:00:00.000000000 +0100 +++ lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch 2015-02-24 09:38:55.000000000 +0100 
@@ -0,0 +1,25 @@ +From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001 +From: Maks Naumov <maksq...@ukr.net> +Date: Thu, 22 Jan 2015 16:20:40 +0200 +Subject: [PATCH] Add check for invalid input sample rate + +Signed-off-by: Maks Naumov <maksq...@ukr.net> +--- + libmp3lame/lame.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/libmp3lame/lame.c ++++ b/libmp3lame/lame.c +@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp + } + #endif + ++ if (gfp->samplerate_in < 0 || gfp->num_channels < 0) { ++ freegfc(gfc); ++ gfp->internal_flags = NULL; ++ return -1; ++ } ++ + cfg->disable_reservoir = gfp->disable_reservoir; + cfg->lowpassfreq = gfp->lowpassfreq; + cfg->highpassfreq = gfp->highpassfreq; diff -Nru lame-3.99.5+repack1/debian/patches/bits_per_sample.patch lame-3.99.5+repack1/debian/patches/bits_per_sample.patch --- lame-3.99.5+repack1/debian/patches/bits_per_sample.patch 1970-01-01 01:00:00.000000000 +0100 +++ lame-3.99.5+repack1/debian/patches/bits_per_sample.patch 2015-02-24 09:39:00.000000000 +0100 
@@ -0,0 +1,17 @@ +Description: Avoid malformed wav causing floating point exception (integer divide by zero) +Author: Fabian Greffrath <fabian+deb...@greffrath.com> +Bug-Debian: https://bugs.debian.org/777159 + +--- a/frontend/get_audio.c ++++ b/frontend/get_audio.c +@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf + else { + (void) lame_set_in_samplerate(gfp, global_reader.input_samplerate); + } ++ /* avoid division by zero */ ++ if (bits_per_sample < 1) ++ return -1; ++ + global. pcmbitwidth = bits_per_sample; + global. pcm_is_unsigned_8bit = 1; + global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 : 0); diff -Nru lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch --- lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch 1970-01-01 01:00:00.000000000 +0100 +++ lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch 2015-02-24 09:39:05.000000000 +0100 
@@ -0,0 +1,29 @@ +Subject: Fix decision if sample rate ratio is an integer value or not + If the sample rate of the input file is sufficiently close to an + integer multiple of the output sample rate, the value of the intratio + variable is calculated incorrectly. This leads to further values + being miscalculated up to the joff variable which is used as an index + to dereference the esv->blackfilt array. This leads top an overflow + and causes a segmentation fault. +Author: Fabian Greffrath <fabian+deb...@greffrath.com> +Bug-Debian: https://bugs.debian.org/778529 + +--- a/libmp3lame/util.c ++++ b/libmp3lame/util.c +@@ -26,6 +26,7 @@ + # include <config.h> + #endif + ++#include <float.h> + #include "lame.h" + #include "machine.h" + #include "encoder.h" +@@ -544,7 +545,7 @@ fill_buffer_resample(lame_internal_flags + if (bpc > BPC) + bpc = BPC; + +- intratio = (fabs(resample_ratio - floor(.5 + resample_ratio)) < .0001); ++ intratio = (fabs(resample_ratio - floor(.5 + resample_ratio)) < FLT_EPSILON); + fcn = 1.00 / resample_ratio; + if (fcn > 1.00) + fcn = 1.00; diff -Nru lame-3.99.5+repack1/debian/patches/series lame-3.99.5+repack1/debian/patches/series --- lame-3.99.5+repack1/debian/patches/series 2012-03-15 22:47:42.000000000 +0100 +++ lame-3.99.5+repack1/debian/patches/series 2015-02-24 09:41:54.000000000 +0100 @@ -1,3 +1,6 @@ 07-field-width-fix.patch parallel-builds-fix.patch unbreak-ftbfs-gcc4.4.patch +0001-Add-check-for-invalid-input-sample-rate.patch +bits_per_sample.patch +int_resample_ratio.patch
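
Review bot: In the lame_init_params hunk of 0001-Add-check-for-invalid-input-sample-rate.patch, the condition `gfp->samplerate_in < 0 || gfp->num_channels < 0` rejects only negative values, so a sample rate or channel count of 0 still passes this check. If 0 is not a usable value at this point, `<= 0` would close that; if it is meant to be accepted, a short comment saying why would help. The patch header also names only Maks Naumov and the sample rate, while the changelog says the num_channels test was added on top of his patch for #778703; a line in the header recording that extension would keep the provenance clear.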
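
Review bot: In the parse_wave_header hunk of bits_per_sample.patch, the comment `/* avoid division by zero */` does not say which division it protects, and the divisor is not visible in this hunk, so a reader cannot confirm that `bits_per_sample < 1` is the right bound. Naming the expression in the comment would make that checkable. The test also sits after the branch that calls `lame_set_in_samplerate`, so the header may be rejected only after the input sample rate has already been applied to gfp; placing the test ahead of that if/else would reject the file before any state changes.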
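
Review bot: In the fill_buffer_resample hunk of int_resample_ratio.patch, swapping `.0001` for `FLT_EPSILON` narrows the tolerance of the intratio test but adds no bound on joff, which the patch description names as the index that overruns esv->blackfilt. A ratio within FLT_EPSILON of an integer still takes the integer path, so either the description should say why that case is safe or the indexing site should get an explicit range check on joff. FLT_EPSILON is also used here as an absolute threshold inside a fabs()/floor() comparison whose rounding error grows with the magnitude of resample_ratio; a sentence on why the float epsilon is the right cutoff would help the next reader.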