Bug#779083: wheezy-pu: package lame/3.99.5+repack1-3



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

please grant permission to upload an updated package for lame in
wheezy. The package will contain three patches that have been created
to cope with a couple of crashes that were detected by feeding fuzzed
wav file samples into the library. At least two of them appear to be
security-relevant, to say the least, and the third one fixes a nasty
crash in the frontend.

All three patches have been forwarded upstream by private mail to one
of the upstream developers. Please find a debdiff between the original
and the updated package attached.

Cheers,

Fabian

PS: I have set the distribution to wheezy-p-u. Is this correct or
should I rather set it to stable, or wheezy?


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog
--- lame-3.99.5+repack1/debian/changelog	2012-03-17 18:41:48.000000000 +0100
+++ lame-3.99.5+repack1/debian/changelog	2015-02-24 09:50:06.000000000 +0100
@@ -1,3 +1,18 @@
+lame (3.99.5+repack1-3wheezy1) stable-proposed-updates; urgency=medium
+
+  * Add check for invalid input sample rate, thanks Maks Naumov
+    (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
+    Brian Carpenter for the bug reports and test cases.
+  * Extend Maks Naumov's patch to also include a sanity check for
+    a valid amount of input channels (Closes: #778703).
+  * Avoid malformed wav causing floating point exception in the
+    frontend (Closes: #777159).
+  * Fix decision if sample rate ratio is an integer value or not
+    (Closes: #778529). Thanks to Henri Salo for the bug reports
+    and the fuzzed samples!
+
+ -- Fabian Greffrath <fabian+debian@greffrath.com>  Tue, 24 Feb 2015 09:46:48 +0100
+
 lame (3.99.5+repack1-3) unstable; urgency=low
 
   * Handle case on setting CFLAGS for systems where dpkg-dev (<< 1.15.7)
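Review bot: the distribution field of the new entry reads stable-proposed-updates, while the cover message says it was set to wheezy-p-u; the two should agree before upload, and using the codename in the changelog line removes any doubt about the target suite. The #778703 item could also say that the channel check is folded into 0001-Add-check-for-invalid-input-sample-rate.patch rather than shipped as its own patch, so the entry can be matched to a file in debian/patches.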
diff -Nru lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch
--- lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/0001-Add-check-for-invalid-input-sample-rate.patch	2015-02-24 09:38:55.000000000 +0100
@@ -0,0 +1,25 @@
+From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001
+From: Maks Naumov <maksqwe1@ukr.net>
+Date: Thu, 22 Jan 2015 16:20:40 +0200
+Subject: [PATCH] Add check for invalid input sample rate
+
+Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
+---
+ libmp3lame/lame.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/libmp3lame/lame.c
++++ b/libmp3lame/lame.c
+@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp
+     }
+ #endif
+ 
++    if (gfp->samplerate_in < 0 || gfp->num_channels < 0) {
++        freegfc(gfc);
++        gfp->internal_flags = NULL;
++        return -1;
++    }
++
+     cfg->disable_reservoir = gfp->disable_reservoir;
+     cfg->lowpassfreq = gfp->lowpassfreq;
+     cfg->highpassfreq = gfp->highpassfreq;
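Review bot: the new condition in lame_init_params rejects only negative values, so samplerate_in == 0 and num_channels == 0 still pass, although the changelog describes this as a check for a valid amount of input channels. If zero is not a legitimate value at this point, use `<= 0` (or `< 1`, matching the style of bits_per_sample.patch) for both fields; an upper bound on the channel count is not checked here either. The embedded header still carries only Maks Naumov's From and Signed-off-by lines, so a short note that the num_channels part was added in Debian would document who changed what.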
diff -Nru lame-3.99.5+repack1/debian/patches/bits_per_sample.patch lame-3.99.5+repack1/debian/patches/bits_per_sample.patch
--- lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/bits_per_sample.patch	2015-02-24 09:39:00.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Avoid malformed wav causing floating point exception (integer divide by zero) 
+Author: Fabian Greffrath <fabian+debian@greffrath.com>
+Bug-Debian: https://bugs.debian.org/777159
+
+--- a/frontend/get_audio.c
++++ b/frontend/get_audio.c
+@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf
+         else {
+             (void) lame_set_in_samplerate(gfp, global_reader.input_samplerate);
+         }
++        /* avoid division by zero */
++        if (bits_per_sample < 1)
++            return -1;
++
+         global. pcmbitwidth = bits_per_sample;
+         global. pcm_is_unsigned_8bit = 1;
+         global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 : 0);
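Review bot: the `bits_per_sample < 1` check in parse_wave_header sits after lame_set_in_samplerate() has already been called, so the -1 return leaves gfp partly configured from a header that is then rejected. Moving the check above the sample-rate setters keeps the rejection free of side effects. The comment says "avoid division by zero" without naming where the division happens; naming the divisor site would let a reader confirm that a lower bound of 1 is sufficient and whether an upper bound is needed as well.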
diff -Nru lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch
--- lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch	1970-01-01 01:00:00.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/int_resample_ratio.patch	2015-02-24 09:39:05.000000000 +0100
@@ -0,0 +1,29 @@
+Subject: Fix decision if sample rate ratio is an integer value or not
+ If the sample rate of the input file is sufficiently close to an
+ integer multiple of the output sample rate, the value of the intratio
+ variable is calculated incorrectly. This leads to further values
+ being miscalculated up to the joff variable which is used as an index
+ to dereference the esv->blackfilt array. This leads top an overflow
+ and causes a segmentation fault.
+Author: Fabian Greffrath <fabian+debian@greffrath.com>
+Bug-Debian: https://bugs.debian.org/778529
+
+--- a/libmp3lame/util.c
++++ b/libmp3lame/util.c
+@@ -26,6 +26,7 @@
+ # include <config.h>
+ #endif
+ 
++#include <float.h>
+ #include "lame.h"
+ #include "machine.h"
+ #include "encoder.h"
+@@ -544,7 +545,7 @@ fill_buffer_resample(lame_internal_flags
+     if (bpc > BPC)
+         bpc = BPC;
+ 
+-    intratio = (fabs(resample_ratio - floor(.5 + resample_ratio)) < .0001);
++    intratio = (fabs(resample_ratio - floor(.5 + resample_ratio)) < FLT_EPSILON);
+     fcn = 1.00 / resample_ratio;
+     if (fcn > 1.00)
+         fcn = 1.00;
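Review bot: the description names joff as the index that overruns esv->blackfilt, but the change in fill_buffer_resample only narrows the intratio tolerance from .0001 to FLT_EPSILON and adds no bound on joff itself. A ratio that lies within FLT_EPSILON of an integer without being one still takes the integer path, so a range check on joff where it indexes blackfilt would make the fix independent of the threshold chosen. A one-line comment on why FLT_EPSILON is the right tolerance for resample_ratio would help, and the description has a typo ("leads top an overflow").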
diff -Nru lame-3.99.5+repack1/debian/patches/series lame-3.99.5+repack1/debian/patches/series
--- lame-3.99.5+repack1/debian/patches/series	2012-03-15 22:47:42.000000000 +0100
+++ lame-3.99.5+repack1/debian/patches/series	2015-02-24 09:41:54.000000000 +0100
@@ -1,3 +1,6 @@
 07-field-width-fix.patch
 parallel-builds-fix.patch
 unbreak-ftbfs-gcc4.4.patch
+0001-Add-check-for-invalid-input-sample-rate.patch
+bits_per_sample.patch
+int_resample_ratio.patch
