Commit graph

61 commits

Author SHA1 Message Date
Bernd Kuhls 47710f1785 package/mpg123: bump version to 1.25.13
Release notes: http://www.mpg123.org/cgi-bin/news.cgi#2019-10-26

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-11-04 22:06:22 +01:00
Peter Korsgaard b907d344d8 package/mpg123: security bump to version 1.25.12
From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
  (oss-fuzz-bug 15975). The earlier fix around the same location needed
  one thought more. Actually, another thought was needed, oss-fuzz-bug 16009
  documents the incomplete fix.

- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
  de-unsyncing (oss-fuzz-bug 16050).

- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
  before deciding that separate -ldl is not needed).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-27 22:18:05 +02:00
Pierre-Jean Texier 900de6e41b package/mpg123: fix hash
When bumping to version 1.25.11, an incorrect hash was set.

Fixes:
 - http://autobuild.buildroot.net/results/454/454bc42053deb84a73ed75dda99ae9015d23da84/

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-11 21:02:38 +02:00
Jörg Krause 7291360fd8 package/mpg123: security bump to version 1.25.11
From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:
 * Fix out-of-bounds reads in ID3 parser for unsynced frames.
   (oss-fuzz-bug 15852)
 * Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
   (oss-fuzz-bug 15852)
 * Fix implementation-defined parsing of RVA2 values.
   (oss-fuzz-bug 15862)
 * Fix undefined parsing of APE header for skipping. Also prevent endless loop
   on premature end of supposed APE header. (oss-fuzz-bug 15864)
 * Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in
supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
or, more likely, a security mechanism like the sanitizer instrumentation that
enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
Just update, will you?

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-11 14:17:28 +02:00
Bernd Kuhls cb67c1d55b package/mpg123: security bump to version 1.25.10
Version 1.25.4 fixes CVE-2017-9545, for details see release notes:
http://www.mpg123.org/cgi-bin/news.cgi

Added upstream hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-06-10 14:14:34 +02:00
Thomas Petazzoni 2277fdeca8 package/*/Config.in: fix help text check-package warnings
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.

The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-12-18 09:22:54 +01:00
Peter Korsgaard 474daa20f8 mpg123: security bump to version 1.25.2
From the release notes:

 - Extend pow tables for layer III to properly handle files with i-stereo and
   5-bit scalefactors. Never observed them for real, just as fuzzed input to
   trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
   calling remote denial of service. While the accesses are out of bounds for
   the pow tables, they still are safely within libmpg123's memory (other
   static tables). Just wrong values are used for computation, no actual crash
   unless you use something like GCC's AddressSanitizer, nor any information
   disclosure.
 - Avoid left-shifts of negative integers in layer I decoding.

While we're at it, add a hash for the license file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-11 21:31:07 +02:00
Peter Korsgaard b3a0afd47f mpg123: security bump to version 1.25.1
From the release notes:

- Avoid memset(NULL, 0, 0) to calm down the paranoid.

- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
  offset from the frame flag bytes (unnoticed in practice for a long time).
  Fuzzers are in the house again.  This one got CVE-2017-10683.

  https://sourceforge.net/p/mpg123/bugs/252/

- Avoid a mostly harmless conditional jump depending on uninitialised
  fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.

- Fix undefined shifts on signed long mask in layer3.c (worked in practice,
  never right in theory).  Code might be a bit faster now, even.  Thanks to
  Agostino Sarubbo for reporting.

dlopen() is now directly used to load output modules (and the
--with-modules-suffix option has been removed), so adjust the modules logic
to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-03 21:59:51 +02:00
Rahul Bedarkar 30a3e8d108 boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:18:10 +02:00
Gustavo Zacarias ac5fa840df mpg123: security bump to version 1.23.8
Fixes an out-of-bounds memory read in the ID3v2 parser for tags that
claim an unrealistically small length. This crashes mpg123 or any
application using libmpg123 with activated ID3v2 parsing.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-27 16:59:40 +02:00
Gustavo Zacarias 4e5618998f mpg123: bump to version 1.23.7
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-09-25 23:13:30 +02:00
Gustavo Zacarias dcd8f6759b mpg123: bump to version 1.23.6
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-01 00:01:34 +02:00
Gustavo Zacarias 0774798591 mpg123: bump to version 1.23.5
Drop upstreamed patch and related autoreconf.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-06-26 22:25:02 +02:00
Peter Korsgaard 577021e81b Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-06-01 17:55:16 +02:00
Peter Korsgaard f9419d752d mpg123: unbreak static linking with alsa/portaudio
Fixes:
http://autobuild.buildroot.org/results/b2b/b2bc143fbd0b34e75a44af41ab6899dd9fa3c21a/
http://autobuild.buildroot.org/results/60d/60d56b0a75d209f2cfeff0727c2f900abc89d263/
http://autobuild.buildroot.org/results/6a8/6a8729ce69055821fdf0b91adcea2ea201d40189/

And many more.

A recent upstream build system change caused LIBS to be ignored at build
time (but still used at configure time), causing our static linking
workarounds to no longer work.

Fix it by adding a patch to cause it to no longer ignore LIBS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-25 07:44:46 +02:00
Gustavo Zacarias 8af0f65ab8 mpg123: bump to version 1.23.4
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-15 21:39:22 +02:00
Gustavo Zacarias 61c433b321 mpg123: bump to version 1.23.3
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-25 23:00:09 +01:00
Bernd Kuhls 8dc1095108 package/mpg123: fix static linking issue with alsa
As opposed to the other audio backends, the configure script does NOT
use pkg-config to figure out how to link with alsa, breaking static
linking as alsa uses pthreads.

This patch uses the same fix from Peter used for portaudio:
http://git.buildroot.net/buildroot/commit/package/mpg123/mpg123.mk?id=dea306c78b5d4c571555c50512e212a725b594b9

Fixes
http://autobuild.buildroot.net/results/796/79613fda3f51e969ecd46ae1151bd4c3316639c3/
http://autobuild.buildroot.net/results/b0a/b0a99ff1516602ed42c0cc14d9d2922a01cdf88f/
http://autobuild.buildroot.net/results/5bd/5bdfd2aa9de568d0f7be27ffb18d4541b0e1be0c/
and many others

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-11-08 14:31:21 +01:00
Gustavo Zacarias 97da7c5521 mpg123: bump to version 1.22.4
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-02 21:51:05 +02:00
Arnout Vandecappelle 3d1530f467 mpg123: replace $(shell ...) call with $(subst ...)
There's no reason to use a shell here.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-15 00:42:01 +02:00
Arnout Vandecappelle 7d69a79624 packages: use backtick instead of $(shell ...) make function
It is often difficult to know exactly when make will expand the
variable, and usually it can only be expanded after the dependencies
have been built (e.g. pkg-config or the .pc file). Using a backtick
instead makes it very clear that it will be expanded only while
executing the command.

This change is useful for two cases:

1. The per-package staging (and host) directory will be created as part
   of the configure step, so any $(shell ...) variable that is used in
   the configure step will fail because the directory doesn't exist
   yet.

2. 'make printvars' evaluates the variables it prints. It will therefore
   trigger a lot of errors from missing .pc files and others. The
   backticks, on the other hand, are not expanded, so with this change
   the output of 'make printvars' becomes clean again.

This commit contains only the easy changes: replace $(shell ...) with
`...`, and also replace ' with " where needed. Follow-up commits will
tackle the more complicated cases that need additional explanation.

After this change, the following instances of $(shell ...) will remain:

- All assignments that use :=
- All variables that are used in make conditionals (which don't expand
  the backticks).
- All variables that only refer to system executables and make
  variables that don't change.
- The calls to check-host-* in dependencies.mk, because it is eval'ed.

[Original patch by Fabio Porcedda, but extended quite a bit by Arnout.]

Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-15 00:42:01 +02:00
Gustavo Zacarias 74d585b49c mpg123: bump to version 1.22.2
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-06-02 22:45:02 +02:00
Peter Korsgaard dea306c78b portaudio: fix static linking issue with portaudio
Fixes:
http://autobuild.buildroot.net/results/25f/25f8088ecb276ff4559a56fcc4f1b92d11f7deac/

As opposed to the other audio backends, the configure script does NOT use
pkg-config to figure out how to link with portaudio, breaking static linking
as portaudio uses pthreads.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-05-22 00:00:05 +02:00
Gustavo Zacarias 757e9c4c2a package: kill pointless text justification
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 09:47:08 +02:00
Gustavo Zacarias b776b78bcf mpg123: bump to version 1.22.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-04-02 21:51:06 +02:00
Gustavo Zacarias bcd353d690 mpg123: bump to version 1.22.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-02-25 17:15:34 +01:00
Peter Korsgaard 43f8623696 mpg123: needs host-pkgconf
SDL detection is done using pkg-config.

Fixes http://autobuild.buildroot.net/results/437/437f408122d7f21420a7cdc9758caf0ab1ba877d/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-28 10:43:43 +01:00
Gustavo Zacarias d634737592 mpg132: bump to version 1.21.0
Also add hash file.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-10-12 09:14:21 +02:00
Thomas De Schampheleire aaffd209fa packages: rename FOO_CONF_OPT into FOO_CONF_OPTS
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.

Sed command used:
   find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-04 18:54:16 +02:00
Gustavo Zacarias c7b13d6b2d mpg123: bump to version 1.20.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-06-18 13:56:31 +02:00
Peter Korsgaard 0d1f4cc5c3 mpg123: correct powerpc cpu variant selection
Fixes http://autobuild.buildroot.net/results/d8a/d8af8f991b4429cf06081ddf2f08043861842a50/

ppc_nofpu should (as the name indicates) only be used for powerpc.

It is not clear to me if this code works for powerpc64(le) as well, so this
is only selected for classic ppc32.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-06-02 13:29:11 +02:00
Thomas Petazzoni 1cf2c6ea93 mpg123: bump to 1.20.0, providing better optimizations for ARM and AArch64
As suggested by Gustavo, this patch bumps mpg123 to 1.20.0, and
therefore supersedes the patch initially provided by Sven Neumann. In
1.20.0, there is a new CPU type arm_fpu, which will compile code for
both VFP and NEON, and choose at runtime which one to use.

Similarly for AArch64, the option --with-cpu=aarch64 will compile both
the NEON and generic decoders, and select at runtime which one to use.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-06-01 21:51:17 +02:00
Cody P Schafer 40e58dab0c powerpc: add BR2_POWERPC_CPU_HAS_ALTIVEC to replace adhoc deps/checks
Signed-off-by: Cody P Schafer <cody@linux.vnet.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-05-26 21:14:08 +02:00
Ryan Barnett f0862592b3 mpg123: needs MMU
mpg123 needs MMU because the application that is built with this
package uses fork. Currently it is difficult to only build the
libraries for mpg123 so disabling the package altogether when there
is no MMU support.

Note: mpg123 is an optional dependency of mpd but mpd already requires
BR2_USE_MMU so there is no need to add this as a dependency.

Fixes:
  http://autobuild.buildroot.net/results/5b0/5b053af566dd122ae7e58893e77d5d5f3070fb9e

Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-02-22 21:56:57 +01:00
Gustavo Zacarias f628dc41ab mpg132: bump to version 1.18.0
Fixes a couple of buffer overflows so it should be considered as a
security bump (no CVEs though).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-02-04 15:27:04 +01:00
Gustavo Zacarias 2194440bfd mpg123: bump to version 1.17.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-13 23:22:12 +01:00
Sven Neumann 73343f2135 mpg123: do not disable optimizations
It seems pointless to disable even the default optimizations.
If at all this should be made dependant on the values of the
BR2_OPTIMIZE variables.

Signed-off-by: Sven Neumann <neumann@teufel.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-22 23:34:14 +01:00
Axel Lin 334e4737df mpg123: bump to version 1.16.0
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-10-07 11:54:17 +02:00
Jérôme Pouiller adf6511013 Remove multimedia subdirectory
Unless it was a group of sub-packages, packages were never regrouped by
category. multimedia/ was an exception to this rule.

This patch moves packages/multimedia/ sub-directories to packages/. It
keeps two subdirectories for gstreamer 0.10 and gstreamer 1.X.

Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-08 21:41:39 +02:00
Daniel Laird 76235a15b3 audio: Move all audio packages into audio subdir
Moved all audio packages into a subdir called audio.
I then created a Config.in and made sure that an audio.mk
existed.

Daniel Laird
2008-09-05 12:06:50 +00:00
Peter Korsgaard 4683420c4c Kconfig: remove 'default n'
'default n' is the default, so there's no need to say it explicitly.
2008-07-17 20:01:44 +00:00
Bernhard Reutner-Fischer 14a71561a3 - just use the strip binary to avoid confusing libtool (quotes)
- use $(STRIPCMD) in packages to avoid clashes with $(STRIP)
2007-10-01 16:15:31 +00:00
Ulf Samuelsson ca9f31b697 Use correct location of mpg123 binary 2007-09-23 14:24:13 +00:00
Ulf Samuelsson e4b442f8d8 Remove renamed mpg123 patch 2007-08-28 19:36:40 +00:00
Ulf Samuelsson 456c9090b8 Remove mpg123 patch from current build, full removal pending 2007-08-28 18:18:10 +00:00
Bernhard Reutner-Fischer 6c6cb06709 - sed -i -e "/;$/s/;$//g" $(egrep ";$" package/* package/*/*.mk toolchain/* toolchain/*/*.mk */Makefile.in -l) 2007-08-21 19:20:18 +00:00
Ulf Samuelsson e4ead9c13c Remove switches if sstrip is run 2007-08-21 01:53:57 +00:00
Ulf Samuelsson cf55419b3f SED away some whitespace 2007-08-20 17:21:16 +00:00
Ulf Samuelsson 419cdf292e Revert bad patch of mpg123 2007-08-01 08:54:56 +00:00
Ulf Samuelsson fc3fd8afd2 Use TARGET_CONFIGURE_ARGS in some packages lacking 2007-07-30 18:17:13 +00:00