Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

To: 914641@bugs.debian.org
Cc: Fabian Greffrath <fabian@debian.org>, Reinhard Tartler <siretart@tauware.de>, "Matthew W. S. Bell" <matthew@bells23.org.uk>
Subject: Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956
From: Hugo Lefeuvre <hle@debian.org>
Date: Tue, 27 Aug 2019 13:49:04 -0400
Message-id: <[🔎] 20190827174904.4ho5432jesom3nxi@behemoth.owl.eu.com.local>
Reply-to: Hugo Lefeuvre <hle@debian.org>, 914641@bugs.debian.org
References: <154317884277.4840.169913633902801934.reportbug@eldamar.local>

Hi,

Following a discussion with Fabian on GitHub[0], here is a NMU for faad2 in
unstable. This NMU addresses the last few open security issues via targeted
patches, until they are integrated in the next upstream release.

Please let me know if you want me to change anything, otherwise I am waiting
for your ack to upload.

regards,
Hugo

[0] https://github.com/knik0/faad2/pull/38

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru faad2-2.8.8/debian/changelog faad2-2.8.8/debian/changelog
--- faad2-2.8.8/debian/changelog	2019-06-07 14:07:34.000000000 -0400
+++ faad2-2.8.8/debian/changelog	2019-08-27 13:29:39.000000000 -0400
@@ -1,3 +1,15 @@
+faad2 (2.8.8-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission.
+  * CVE-2019-6956: Buffer over read in the function ps_mix_phase()
+    (libfaad/ps_dec.c) (Closes: #914641).
+  * CVE-2018-20196: Stack buffer overflow in the function calculate_gain
+    (libfaad/sbr_hfadj.c).
+  * CVE-2018-20199, CVE-2018-20360: NULL pointer dereference in the function
+    ifilter_bank (libfaad/filtbank.c).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Tue, 27 Aug 2019 13:29:39 -0400
+
 faad2 (2.8.8-3) unstable; urgency=high
 
   * Team upload.
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20196.patch faad2-2.8.8/debian/patches/CVE-2018-20196.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20196.patch	1969-12-31 19:00:00.000000000 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20196.patch	2019-08-27 13:29:39.000000000 -0400
@@ -0,0 +1,48 @@
+Description: fix stack based buffer overflow in calculate_gain (libfaad/sbr_hfadj.c)
+ sbr_fbt: sbr->M should not exceed MAX_M
+ .
+ sbr->M is set by derived_frequency_table() from user-passed input
+ without checking for > MAX_M.
+ .
+ This leads to out-of-bounds accesses later, crashes and potential
+ security relevant issues. It should be considered a fatal error for
+ the SBR block.
+ .
+ return error code if sbr->M > MAX_M.
+ .
+ also, in some cases sbr_extension_data() ignores the return value of
+ calc_sbr_tables, probably assuming that sbr is always valid. It should
+ almost certainly not do that.
+Author: Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22
+--- a/libfaad/sbr_fbt.c	2009-05-31 03:02:54.000000000 -0400
++++ b/libfaad/sbr_fbt.c	2019-08-26 09:14:35.368320494 -0400
+@@ -526,6 +526,8 @@
+     }
+ 
+     sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
++    if (sbr->M > MAX_M)
++        return 1;
+     sbr->kx = sbr->f_table_res[HI_RES][0];
+     if (sbr->kx > 32)
+         return 1;
+--- a/libfaad/sbr_syntax.c	2009-05-31 03:02:54.000000000 -0400
++++ b/libfaad/sbr_syntax.c	2019-08-26 09:15:14.108163215 -0400
+@@ -196,7 +196,7 @@
+             /* if an error occured with the new header values revert to the old ones */
+             if (rt > 0)
+             {
+-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                     saved_samplerate_mode, saved_freq_scale,
+                     saved_alter_scale, saved_xover_band);
+             }
+@@ -215,7 +215,7 @@
+             if ((result > 0) &&
+                 (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
+             {
+-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                     saved_samplerate_mode, saved_freq_scale,
+                     saved_alter_scale, saved_xover_band);          
+             }
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	1969-12-31 19:00:00.000000000 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	2019-08-27 13:29:39.000000000 -0400
@@ -0,0 +1,49 @@
+Description: fix NULL pointer dereference in ifilter_bank (libfaad/filtbank.c)
+ specrec: better handle unexpected PS
+ .
+ Parametric Stereo (PS) can arrive at any moment in input files. PS
+ changes the number of output channels and therefore requires more
+ allocated memory in various structures from hDecoder.
+ .
+ The current faad2 code attempts to perform allocation surgery in
+ hDecoder to recover from this. This works well when there is only one
+ frame channel, else it creates large number of memory corruption
+ issues.
+ .
+ If there is more than one input channel, return cleanly with error
+ code. It would be nice to handle this, but this is likely to be a lot
+ of work and is beyond the scope of a security fix.
+ .
+ This patch addresses CVE-2018-20360 and CVE-2018-20199.
+Author: Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3c
+--- a/libfaad/specrec.c	2009-05-31 03:02:54.000000000 -0400
++++ b/libfaad/specrec.c	2019-08-26 09:19:49.688596494 -0400
+@@ -915,18 +915,18 @@
+         /* element_output_channels not set yet */
+         hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
+     } else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) {
+-        /* element inconsistency */
+-
+-        /* this only happens if PS is actually found but not in the first frame
++        /* element inconsistency
++         * this only happens if PS is actually found but not in the first frame
+          * this means that there is only 1 bitstream element!
+          */
+ 
+-        /* reset the allocation */
+-        hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
+-
+-        hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
+-
+-        //return 21;
++        if (hDecoder->fr_channels == 1) {
++            /* reset the allocation */
++            hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
++            hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
++        } else {
++            return 21;
++        }
+     }
+ 
+     if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
diff -Nru faad2-2.8.8/debian/patches/CVE-2019-6956.patch faad2-2.8.8/debian/patches/CVE-2019-6956.patch
--- faad2-2.8.8/debian/patches/CVE-2019-6956.patch	1969-12-31 19:00:00.000000000 -0500
+++ faad2-2.8.8/debian/patches/CVE-2019-6956.patch	2019-08-27 13:29:39.000000000 -0400
@@ -0,0 +1,35 @@
+Description: fix buffer over read in ps_mix_phase (libfaad/ps_dec.c)
+ ps_dec: sanitize iid_index before mixing
+ .
+ index range is supposed to be withing -7 and 7 or -15 and 15 depending on
+ iid_mode (see Table 8.24, ISO/IEC 14496-3:2005).
+ .
+ Indexes outside these boundaries are likely to be errors and should be
+ sanitized to avoid memory corruption. Replace any index under
+ -no_iid_steps (-7 or -15 depending on iid_mode) by -no_iid_steps. Replace
+ any index above no_iid_steps by no_iid_steps. Try to process further.
+Author: Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://github.com/knik0/faad2/commit/6823e6610c9af1b0080cb22
+--- a/libfaad/ps_dec.c	2009-05-31 03:02:54.000000000 -0400
++++ b/libfaad/ps_dec.c	2019-08-26 09:26:01.393490550 -0400
+@@ -1508,6 +1508,20 @@
+ 
+                 //printf("%d\n", ps->iid_index[env][bk]);
+ 
++                /* index range is supposed to be -7...7 or -15...15 depending on iid_mode
++                   (Table 8.24, ISO/IEC 14496-3:2005).
++                   if it is outside these boundaries, this is most likely an error. sanitize
++                   it and try to process further. */
++                if (ps->iid_index[env][bk] < -no_iid_steps) {
++                    fprintf(stderr, "Warning: invalid iid_index: %d < %d\n", ps->iid_index[env][bk],
++                        -no_iid_steps);
++                    ps->iid_index[env][bk] = -no_iid_steps;
++                } else if (ps->iid_index[env][bk] > no_iid_steps) {
++                    fprintf(stderr, "Warning: invalid iid_index: %d > %d\n", ps->iid_index[env][bk],
++                        no_iid_steps);
++                    ps->iid_index[env][bk] = no_iid_steps;
++                }
++
+                 /* calculate the scalefactors c_1 and c_2 from the intensity differences */
+                 c_1 = sf_iid[no_iid_steps + ps->iid_index[env][bk]];
+                 c_2 = sf_iid[no_iid_steps - ps->iid_index[env][bk]];
diff -Nru faad2-2.8.8/debian/patches/series faad2-2.8.8/debian/patches/series
--- faad2-2.8.8/debian/patches/series	2019-06-07 14:03:24.000000000 -0400
+++ faad2-2.8.8/debian/patches/series	2019-08-27 13:29:39.000000000 -0400
@@ -2,3 +2,7 @@
 0009-syntax.c-check-for-syntax-element-inconsistencies.patch
 0010-sbr_hfadj-sanitize-frequency-band-borders.patch
 0004-Fix-a-couple-buffer-overflows.patch
+
+CVE-2018-20196.patch
+CVE-2018-20360-20199.patch
+CVE-2019-6956.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: blender_2.80+dfsg-3_source.changes ACCEPTED into unstable
Next by Date: Processing of mpg123_1.25.12-1_source.changes
Previous by thread: blender_2.80+dfsg-3_source.changes ACCEPTED into unstable
Next by thread: Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956
Index(es):
- Date
- Thread