--- libmad-0.15.1b.orig/debian/changelog
+++ libmad-0.15.1b/debian/changelog
@@ -0,0 +1,365 @@ +libmad (0.15.1b-9ubuntu16.04.1) xenial-security; urgency=medium + + * Merge from Debian testing, remaining changes: + - Disable architecture specific optimisations on ARM, as there is a bug in + this codepath which causes segfaults, and the assembler is very old + (likely bitrotted). (LP: #989846) + + -- Mike Salvatore Thu, 25 Oct 2018 10:47:07 -0400 + +libmad (0.15.1b-9) unstable; urgency=high + + * Properly check the size of the main data. The previous patch + only checked that it could fit in the buffer, but didn't ensure there + was actually enough room free in the buffer. This was assigned both + CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a + different way to detect it. (Closes: #287519) + * Rewrite patch to check the size of buffer. It now checks it before reading + it instead of afterwards checking that we did read too much. This now also + covers parsing the frame and layer3, not just layer 1 and 2. This was + original reported in #508133. CVE-2017-8374 mentions a case in layer 3. + + -- Kurt Roeckx Sun, 28 Jan 2018 16:28:46 +0100 + +libmad (0.15.1b-8.1) unstable; urgency=medium + + * Non-maintainer upload. + * Remove Clément Stenac from Uploaders (Closes: #868708) + + [ Helmut Grohne ] + * Move mad.pc to a multiarch location. (Closes: #850461) + + -- Manuel A. Fernandez Montecelo Tue, 31 Oct 2017 22:16:36 +0100 + +libmad (0.15.1b-8ubuntu1) trusty; urgency=low + + * Merge from Debian testing, remaining changes: + - Disable architecture specific optimisations on ARM, as there is a bug in + this codepath which causes segfaults, and the assembler is very old + (likely bitrotted). (LP: #989846) + + -- Matthew Fischer Mon, 21 Oct 2013 21:25:24 -0600 + +libmad (0.15.1b-8) unstable; urgency=low + + * Add multiarch support. 
(Closes: #653676) + Patch by Steve Langasek + * Use dh-autoreconf to update libtool so that it works on x32 + (Closes: #700437) + + -- Kurt Roeckx Mon, 20 May 2013 18:02:18 +0200 + +libmad (0.15.1b-7ubuntu2) raring; urgency=low + + * Disable architecture specific optimisations on ARM, as there is a bug in + this codepath which causes segfaults, and the assembler is very old + (likely bitrotted). (LP: #989846) + + -- Iain Lane Wed, 12 Dec 2012 12:10:33 +0000 + +libmad (0.15.1b-7ubuntu1) precise; urgency=low + + * Merge from Debian testing, remaining changes: + - Build for multiarch. + - Drop libmad.la, no longer needed. + - Drop redundant build target in debian/rules that ignores all the cdbs + autotools handling. + + -- Steve Langasek Mon, 06 Feb 2012 12:19:01 -0800 + +libmad (0.15.1b-7) unstable; urgency=low + + * Fix arm's MAD_F_MLN thumb case causing problems on arhmf. Patch + by Dave Martin (Closes: #656814) + * Add ${misc:Depends} to the Depends. + + -- Kurt Roeckx Sun, 22 Jan 2012 23:02:29 +0100 + +libmad (0.15.1b-6ubuntu1) precise; urgency=low + + * Build for multiarch. + * Drop libmad.la, no longer needed. + * Drop redundant build target in debian/rules that ignores all the cdbs + autotools handling. + + -- Steve Langasek Thu, 29 Dec 2011 22:46:46 -0800 + +libmad (0.15.1b-6) unstable; urgency=low + + [ Konstantinos Margaritis ] + * Add support for armhf (Closes: #596936) + - libmad.thumb.diff: use "adr" instead of "add" to make code ready for + thumb2 + - Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff: fix another + ftbfs with thumb2 as "rsc" doesnt exist anymore - thanks to Dave + Martin for this patch + + -- Kurt Roeckx Tue, 29 Mar 2011 22:26:22 +0200 + +libmad (0.15.1b-5) unstable; urgency=low + + * gcc-4.4 removed an assembler constraint on mips/mipsel. Use the new + way of doing it. 
(Closes: #568418) + + -- Kurt Roeckx Fri, 19 Feb 2010 20:51:00 +0100 + +libmad (0.15.1b-4) unstable; urgency=low + + * On an invalid mpeg file we can go past the end of the buffer. + (Closes: #508133) + + -- Kurt Roeckx Tue, 23 Dec 2008 21:38:34 +0100 + +libmad (0.15.1b-3) unstable; urgency=low + + * Acknowledge NMU + * Use DEB_DH_MAKESHLIBS_ARGS_libmad0 instead to set shlibs. + * Update Clément Stenac's email address to use zorglub@debian.org + * Add build dependency on autotools-dev, quilt + * Don't use -O plus some other -f options, just use -O2. (Closes: #415279) + * Use the 64bit fixed point math on amd64 to have a higher quality + output than the default. (Closes: #465438) + * Bump shlibs since it changes the size of mad_build on amd64. + * Add compat file, level 5. Change build dependency of debhelper to 5. + * Don't set -lm in the mad.pc file. libmad doesn't use any math function. + * Remove libmad0 Depends on pkg-config. + * Change to Standards-Version 3.7.3: + - Change ${Source-Version} into ${binary:Version} + + -- Kurt Roeckx Sat, 15 Mar 2008 13:51:31 +0000 + +libmad (0.15.1b-2.1) unstable; urgency=high + + * Non-maintainer upload, not targetted for Sarge. + * Urgency high because this is generating uploads with broken depends + that may be propagating to testing (see #311488). + * debian/rules: set DEB_DH_MAKESHLIBS_ARGS_ALL = -V 'libmad0 (>= 0.15.1b)' + to restore the updated shlibs lost in the switch to CDBS + (closes: #310311). + + -- Jordi Mallach Wed, 1 Jun 2005 17:12:24 +0200 + +libmad (0.15.1b-2) unstable; urgency=low + + * Sam Clegg : + * debian/control: update Maintainer: and Uploaders: (closes: #300097) + * debian/rules: convert to CDBS + * debian/control: build-depend on debhelper >= 4.1.0 + * debian/libmad0.postinst: removed since debhelper runs ldconfig for us. + * debian/libmad0*.files: removed; use dh_install instead. + * Clément Stenac : + * Better copyright file + * Kurt Roeckx + * Add watch file. 
+ + -- Sam Clegg Sun, 8 May 2005 18:59:49 +0100 + +libmad (0.15.1b-1.1) unstable; urgency=low + + * Orphaning this package, setting maintainer to QA. + + -- Kyle McMartin Thu, 17 Mar 2005 10:59:11 -0500 + +libmad (0.15.1b-1) unstable; urgency=low + + * New upstream version. (closes: #252902) + * Removed TODO from installed documentation. + * Added minimad.c to the libmad0-dev documentation. Thanks to + Mario Lang for the patch. (closes: #249067) + + -- Kyle McMartin Sat, 5 Jun 2004 18:52:00 -0400 + +libmad (0.15.0b-3) unstable; urgency=low + + * Updated section from devel to libdevel as per mail. + + -- Kyle McMartin Tue, 21 Oct 2003 22:40:08 -0400 + +libmad (0.15.0b-2) unstable; urgency=low + + * Updated pkgconfig Version entry for mad (closes: #203656) + + -- Kyle McMartin Tue, 21 Oct 2003 22:09:04 -0400 + +libmad (0.15.0b-1) unstable; urgency=low + + * New upstream version(s). + * Split package into each library, as upstream has done. + + -- Kyle McMartin Sat, 21 Jun 2003 14:21:42 -0400 + +mad (0.14.2b-7) unstable; urgency=low + + * Clean up some lintian warnings. + * Fixed id3tag.pc, accidently had -L instead of -I. + + -- Kyle McMartin Tue, 28 Jan 2003 09:45:02 -0500 + +mad (0.14.2b-6) unstable; urgency=medium + + * Updated config.* (closes: #168663) + + -- Kyle McMartin Thu, 14 Nov 2002 18:41:29 -0500 + +mad (0.14.2b-5) unstable; urgency=medium + + * Added build-dep on libesd0-dev, this should fix some + problems people have been having when using esd as the + output device... (closes: #150823) + + -- Kyle McMartin Wed, 06 Nov 2002 18:20:18 -0500 + +mad (0.14.2b-4) unstable; urgency=low + + * added pkgconfig entry, and dependancy on pkg-config. 
(closes: #144481) + + -- Kyle McMartin Mon, 05 Aug 2002 14:37:00 -0400 + +mad (0.14.2b-3) unstable; urgency=high + + * updated libid3tag0-dev depends to account for zlib1g-dev (closes: #142611) + + -- Kyle McMartin Thu, 18 Apr 2002 19:37:00 -0500 + +mad (0.14.2b-2) unstable; urgency=high + + * fix for the shlibs rc bug (closes: #136196) + + -- Kyle McMartin Thu, 28 Feb 2002 18:21:40 -0500 + +mad (0.14.2b-1) unstable; urgency=low + + * new upstream version + * new maintainer + * new version fixes enum (closes: #129178) + * closing old fixed bug [missing symlink to libmad.so.0] (closes: #119350) + + -- Kyle McMartin Wed, 16 Jan 2002 22:09:58 -0500 + +mad (0.14.1b-4) unstable; urgency=low + + * yet another stupid maintainer mistakes release + * fix the call to dh_makeshlibs, I neglected to add proper + arguments for the new libid3tag0 library (closes: #119146) + * now that the shlibs are sorted out, madplay will have the correct depends + (closes: #119792) + + -- Sean 'Shaleh' Perry Thu, 15 Nov 2001 22:11:24 -0800 + +mad (0.14.1b-3) unstable; urgency=medium + + * duh, id3tag's headers ended up in libmad-dev. Closes: #118625. + + -- Sean 'Shaleh' Perry Wed, 7 Nov 2001 13:45:53 -0800 + +mad (0.14.1b-2) unstable; urgency=medium + + * Added versioned depends info for piecemeal updaters. (Closes: #117646) + + -- Sean 'Shaleh' Perry Wed, 7 Nov 2001 08:10:42 -0800 + +mad (0.14.1b-1) unstable; urgency=low + + * reverted package name to libmad0(-dev). The upstream fixed it's SONAME + issues, yay. 
+ * added libid3tag(-dev), the upstream now supports the installation of this + as a separate entity (closes: #116321) + * -dev packages are now in Section: devel (closes: #116710) + * supports DEB_BUILD_OPTIONS for debug (closes: #104013) + + -- Sean 'Shaleh' Perry Tue, 23 Oct 2001 11:08:53 -0700 + +mad (0.14.0b-3) unstable; urgency=low + + * added a conflicts on libmad0 to the lib and -dev packages, closes: #116581 + * updated config.{sub,guess}, closes: #116577 + + -- Sean 'Shaleh' Perry Sun, 21 Oct 2001 16:26:39 -0700 + +mad (0.14.0b-2) unstable; urgency=low + + * D'oh, not binary compatible. The every changing SONAME problem. + * chnaged library package name to match SONAME. This is horrible because + now I have to change the package name for every release. However there + is no alternative. closes: 116305. + + -- Sean 'Shaleh' Perry Fri, 19 Oct 2001 14:30:29 -0700 + +mad (0.14.0b-1) unstable; urgency=low + + * New upstream release + * source now build-depends on zlib + + -- Sean 'Shaleh' Perry Thu, 18 Oct 2001 21:59:28 -0700 + +mad (0.13.0b-2.1) unstable; urgency=low + * Run libtoolize to get support for new architectures. 
Closes: #96616 + + -- LaMont Jones Mon, 9 Jul 2001 21:39:34 -0600 + +mad (0.13.0b-2) unstable; urgency=low + + * Now build-depend on gettext (closes: #94964) + + -- Sean 'Shaleh' Perry Mon, 23 Apr 2001 11:29:21 -0700 + +mad (0.13.0b-1) unstable; urgency=low + + * new upstream release + * manpage cleaned up, Closes: #87165 + + -- Sean 'Shaleh' Perry Wed, 11 Apr 2001 18:40:08 -0700 + +mad (0.12.5b-1) unstable; urgency=low + + * New upstream, closes: #92825 + * updated upstream changelog + + -- Sean 'Shaleh' Perry Tue, 3 Apr 2001 15:11:05 -0700 + +mad (0.12.4b-1) unstable; urgency=low + + * New upstream version + + -- Sean 'Shaleh' Perry Mon, 12 Feb 2001 14:16:21 -0800 + +mad (0.12.3b-2) unstable; urgency=low + + * Oops, wrong section + * left off the Closes: #84103 + + -- Sean 'Shaleh' Perry Thu, 8 Feb 2001 12:17:12 -0800 + +mad (0.12.3b-1) unstable; urgency=low + + * New upstream version + * added a madplay package + + -- Sean 'Shaleh' Perry Wed, 7 Feb 2001 12:04:28 -0800 + +mad (0.11.4b-1) unstable; urgency=low + + * New upstream release + * added libmad0 package containing the shared library + + -- Sean 'Shaleh' Perry Mon, 2 Oct 2000 17:38:01 -0700 + +mad (0.11.0b-0) unstable; urgency=low + + * New upstream release + + -- Sean 'Shaleh' Perry Mon, 5 Jun 2000 14:25:39 -0700 + +mad (0.10.3b-0) unstable; urgency=low + + * New upstream release + + -- Sean 'Shaleh' Perry Thu, 1 Jun 2000 15:05:02 -0700 + +mad (0.10.2b-0) unstable; urgency=low + + * Initial Release. + + -- Sean 'Shaleh' Perry Tue, 23 May 2000 12:25:00 -0700 + + --- libmad-0.15.1b.orig/debian/compat +++ libmad-0.15.1b/debian/compat @@ -0,0 +1 @@ +5 --- libmad-0.15.1b.orig/debian/control +++ libmad-0.15.1b/debian/control 
@@ -0,0 +1,35 @@
+Source: libmad
+Priority: optional
+Section: sound
+Build-Depends: debhelper (>= 8.1.3~), gettext, cdbs (>= 0.4.93~), autotools-dev, quilt, dh-autoreconf
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Mad Maintainers
+Uploaders: Kurt Roeckx , Sam Clegg
+Standards-Version: 3.7.3
+
+Package: libmad0
+Architecture: any
+Multi-Arch: same
+Section: libs
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: MPEG audio decoder library
+ MAD is an MPEG audio decoder. It currently only supports the MPEG 1
+ standard, but fully implements all three audio layers (Layer I, Layer II,
+ and Layer III, the latter often colloquially known as MP3.)
+ .
+ MAD has the following special features:
+ - 100% fixed-point (integer) computation
+ - completely new implementation based on the ISO/IEC 11172-3 standard
+ - distributed under the terms of the GNU General Public License (GPL)
+
+Package: libmad0-dev
+Architecture: any
+Section: libdevel
+Depends: libmad0 (=${binary:Version}), ${misc:Depends}
+Description: MPEG audio decoder development library
+ MAD is an MPEG audio decoder. It currently only supports the MPEG 1
+ standard, but fully implements all three audio layers (Layer I, Layer II,
+ and Layer III, the latter often colloquially known as MP3.)
+ .
+ This is the package you need to develop or compile applications that use MAD.
--- libmad-0.15.1b.orig/debian/copyright
+++ libmad-0.15.1b/debian/copyright
@@ -0,0 +1,26 @@
+This package was debianized by Sean 'Shaleh' Perry on
+Tue, 23 May 2000 12:25:00 -0700.
+
+It was downloaded from http://www.underbit.com/products/mad/
+
+Upstream Author: Robert Leslie
+
+Copyright (C) 2000-2004 Underbit Technologies, Inc.
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2, or (at your option) any
+later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
--- libmad-0.15.1b.orig/debian/libmad0-dev.dirs
+++ libmad-0.15.1b/debian/libmad0-dev.dirs
@@ -0,0 +1,2 @@
+usr/lib
+usr/include
--- libmad-0.15.1b.orig/debian/libmad0-dev.docs
+++ libmad-0.15.1b/debian/libmad0-dev.docs
@@ -0,0 +1,2 @@
+CREDITS
+README
--- libmad-0.15.1b.orig/debian/libmad0-dev.examples
+++ libmad-0.15.1b/debian/libmad0-dev.examples
@@ -0,0 +1 @@
+minimad.c
--- libmad-0.15.1b.orig/debian/libmad0-dev.files
+++ libmad-0.15.1b/debian/libmad0-dev.files
@@ -0,0 +1,4 @@
+usr/include/mad.h
+usr/lib/libmad.a
+usr/lib/libmad.la
+usr/lib/libmad.so
--- libmad-0.15.1b.orig/debian/libmad0-dev.install
+++ libmad-0.15.1b/debian/libmad0-dev.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/include/mad.h /usr/include
+debian/tmp/usr/lib/*/libmad.a
+debian/tmp/usr/lib/*/libmad.so
--- libmad-0.15.1b.orig/debian/libmad0.dirs
+++ libmad-0.15.1b/debian/libmad0.dirs
@@ -0,0 +1 @@
+usr/lib
--- libmad-0.15.1b.orig/debian/libmad0.docs
+++ libmad-0.15.1b/debian/libmad0.docs
@@ -0,0 +1,2 @@
+CREDITS
+README
--- libmad-0.15.1b.orig/debian/libmad0.files
+++ libmad-0.15.1b/debian/libmad0.files
@@ -0,0 +1 @@
+usr/lib/libmad.so.*
--- libmad-0.15.1b.orig/debian/libmad0.install
+++ libmad-0.15.1b/debian/libmad0.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/*/libmad.so.*
--- libmad-0.15.1b.orig/debian/mad.pc
+++ libmad-0.15.1b/debian/mad.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: mad
+Description: MPEG Audio Decoder
+Requires:
+Version: 0.15.0b
+Libs: -L${libdir} -lmad
+Cflags: -I${includedir}
--- libmad-0.15.1b.orig/debian/patches/Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
+++ libmad-0.15.1b/debian/patches/Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
@@ -0,0 +1,34 @@
+From: Dave Martin
+Subject: "rsc" doesnt exist anymore in thumb2
+
+diff --git a/fixed.h b/fixed.h
+index 4b58abf..ba4bc26 100644
+--- a/fixed.h
++++ b/fixed.h
+@@ -275,12 +275,25 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t x, mad_fixed_t y)
+ : "+r" (lo), "+r" (hi) \
+ : "%r" (x), "r" (y))
+
++#ifdef __thumb__
++/* In Thumb-2, the RSB-immediate instruction is only allowed with a zero
++ operand. If needed this code can also support Thumb-1
++ (simply append "s" to the end of the second two instructions). */
++# define MAD_F_MLN(hi, lo) \
++ asm ("rsbs %0, %0, #0\n\t" \
++ "sbc %1, %1, %1\n\t" \
++ "sub %1, %1, %2" \
++ : "+&r" (lo), "=&r" (hi) \
++ : "r" (hi) \
++ : "cc")
++#else /* ! __thumb__ */
+ # define MAD_F_MLN(hi, lo) \
+ asm ("rsbs %0, %2, #0\n\t" \
+ "rsc %1, %3, #0" \
+- : "=r" (lo), "=r" (hi) \
++ : "=&r" (lo), "=r" (hi) \
+ : "0" (lo), "1" (hi) \
+ : "cc")
++#endif /* __thumb__ */
+
+ # define mad_f_scale64(hi, lo) \
+ ({ mad_fixed_t __result; \
--- libmad-0.15.1b.orig/debian/patches/amd64-64bit.diff
+++ libmad-0.15.1b/debian/patches/amd64-64bit.diff
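Review bot: `Version: 0.15.0b` in debian/mad.pc is older than the 0.15.1b source this packaging builds, so a consumer's `pkg-config --atleast-version=0.15.1b mad` check would fail even with this library installed; the line should read `Version: 0.15.1b`. `libdir=${exec_prefix}/lib` also disagrees with the `usr/lib/*/` multiarch paths used in the .install files of this same diff. debian/rules is not visible here and may rewrite or relocate the file at build time, so both points should be confirmed against the installed mad.pc.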
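Review bot: The `__thumb__` branch of `MAD_F_MLN` reads `%1` in `sbc %1, %1, %1` although that operand is declared write-only (`"=&r" (hi)`), so its result is defined only because x - x cancels and leaves just the borrow; nothing in the added comment says this, and the comment talks about RSB-immediate while the instruction actually being replaced is `rsc` (per the patch Subject). I would add a line such as `/* 64-bit negate of hi:lo: Thumb-2 has no RSC, so sbc %1,%1,%1 yields -(borrow) and the original hi (%2) is subtracted afterwards */` above the macro. The changelog in this diff records that Ubuntu disables the ARM-specific code path because of segfaults (LP: #989846), so anyone re-enabling it should re-verify these operand constraints first. The macro's surrounding context in fixed.h lies outside the hunk.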
@@ -0,0 +1,12 @@
+Index: libmad-0.15.1b/configure.ac
+===================================================================
+--- libmad-0.15.1b.orig/configure.ac 2008-03-07 20:33:05.000000000 +0000
++++ libmad-0.15.1b/configure.ac 2008-03-07 20:33:31.000000000 +0000
+@@ -233,6 +233,7 @@
+ then
+ case "$host" in
+ i?86-*) FPM="INTEL" ;;
++ x86_64*) FPM="64BIT" ;;
+ arm*-*) FPM="ARM" ;;
+ mips*-*) FPM="MIPS" ;;
+ sparc*-*) FPM="SPARC" ;;
--- libmad-0.15.1b.orig/debian/patches/length-check.patch
+++ libmad-0.15.1b/debian/patches/length-check.patch
@@ -0,0 +1,817 @@ +From: Kurt Roeckx +Date: Sun, 28 Jan 2018 19:26:36 +0100 +Subject: Check the size before reading with mad_bit_read + +There are various cases where it attemps to read past the end of the buffer +using mad_bit_read(). Most functions didn't even know the size of the buffer +they were reading from. + +Index: libmad-0.15.1b/bit.c +=================================================================== +--- libmad-0.15.1b.orig/bit.c ++++ libmad-0.15.1b/bit.c +@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi + { + register unsigned long value; + ++ if (len == 0) ++ return 0; ++ + if (bitptr->left == CHAR_BIT) + bitptr->cache = *bitptr->byte; + +Index: libmad-0.15.1b/frame.c +=================================================================== +--- libmad-0.15.1b.orig/frame.c ++++ libmad-0.15.1b/frame.c +@@ -120,11 +120,18 @@ static + int decode_header(struct mad_header *header, struct mad_stream *stream) + { + unsigned int index; ++ struct mad_bitptr bufend_ptr; + + header->flags = 0; + header->private_bits = 0; + ++ mad_bit_init(&bufend_ptr, stream->bufend); ++ + /* header() */ ++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) { ++ stream->error = MAD_ERROR_BUFLEN; ++ return -1; ++ } + + /* syncword */ + mad_bit_skip(&stream->ptr, 11); +@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea + /* error_check() */ + + /* crc_check */ +- if (header->flags & MAD_FLAG_PROTECTION) ++ if (header->flags & MAD_FLAG_PROTECTION) { ++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) { ++ stream->error = MAD_ERROR_BUFLEN; ++ return -1; ++ } + header->crc_target = mad_bit_read(&stream->ptr, 16); ++ } + + return 0; + } +@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header + stream->error = MAD_ERROR_BUFLEN; + goto fail; + } +- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) { ++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) { + /* mark point where frame sync word was expected */ + stream->this_frame = 
ptr; + stream->next_frame = ptr + 1; +@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header + ptr = mad_bit_nextbyte(&stream->ptr); + } + ++ stream->error = MAD_ERROR_NONE; ++ + /* begin processing */ + stream->this_frame = ptr; + stream->next_frame = ptr + 1; /* possibly bogus sync word */ +@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header + /* check that a valid frame header follows this frame */ + + ptr = stream->next_frame; +- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) { ++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) { + ptr = stream->next_frame = stream->this_frame + 1; + goto sync; + } +Index: libmad-0.15.1b/layer12.c +=================================================================== +--- libmad-0.15.1b.orig/layer12.c ++++ libmad-0.15.1b/layer12.c +@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = { + * DESCRIPTION: decode one requantized Layer I sample from a bitstream + */ + static +-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb) ++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream) + { + mad_fixed_t sample; ++ struct mad_bitptr frameend_ptr; + ++ mad_bit_init(&frameend_ptr, stream->next_frame); ++ ++ if (mad_bit_length(ptr, &frameend_ptr) < nb) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return 0; ++ } + sample = mad_bit_read(ptr, nb); + + /* invert most significant bit, extend sign, then scale to fixed format */ +@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea + struct mad_header *header = &frame->header; + unsigned int nch, bound, ch, s, sb, nb; + unsigned char allocation[2][32], scalefactor[2][32]; ++ struct mad_bitptr bufend_ptr, frameend_ptr; ++ ++ mad_bit_init(&bufend_ptr, stream->bufend); ++ mad_bit_init(&frameend_ptr, stream->next_frame); + + nch = MAD_NCHANNELS(header); + +@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea + /* check CRC word */ + + if (header->flags & MAD_FLAG_PROTECTION) { ++ 
if (mad_bit_length(&stream->ptr, &bufend_ptr) ++ < 4 * (bound * nch + (32 - bound))) { ++ stream->error = MAD_ERROR_BADCRC; ++ return -1; ++ } + header->crc_check = + mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)), + header->crc_check); +@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea + + for (sb = 0; sb < bound; ++sb) { + for (ch = 0; ch < nch; ++ch) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + nb = mad_bit_read(&stream->ptr, 4); + + if (nb == 15) { +@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea + } + + for (sb = bound; sb < 32; ++sb) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + nb = mad_bit_read(&stream->ptr, 4); + + if (nb == 15) { +@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea + for (sb = 0; sb < 32; ++sb) { + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6); + + # if defined(OPT_STRICT) +@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea + for (ch = 0; ch < nch; ++ch) { + nb = allocation[ch][sb]; + frame->sbsample[ch][s][sb] = nb ? 
+- mad_f_mul(I_sample(&stream->ptr, nb), ++ mad_f_mul(I_sample(&stream->ptr, nb, stream), + sf_table[scalefactor[ch][sb]]) : 0; ++ if (stream->error != 0) ++ return -1; + } + } + +@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea + if ((nb = allocation[0][sb])) { + mad_fixed_t sample; + +- sample = I_sample(&stream->ptr, nb); ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } ++ sample = I_sample(&stream->ptr, nb, stream); ++ if (stream->error != 0) ++ return -1; + + for (ch = 0; ch < nch; ++ch) { + frame->sbsample[ch][s][sb] = +@@ -280,13 +321,21 @@ struct quantclass { + static + void II_samples(struct mad_bitptr *ptr, + struct quantclass const *quantclass, +- mad_fixed_t output[3]) ++ mad_fixed_t output[3], struct mad_stream *stream) + { + unsigned int nb, s, sample[3]; ++ struct mad_bitptr frameend_ptr; ++ ++ mad_bit_init(&frameend_ptr, stream->next_frame); + + if ((nb = quantclass->group)) { + unsigned int c, nlevels; + ++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return; ++ } + /* degrouping */ + c = mad_bit_read(ptr, quantclass->bits); + nlevels = quantclass->nlevels; +@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr, + else { + nb = quantclass->bits; + +- for (s = 0; s < 3; ++s) ++ for (s = 0; s < 3; ++s) { ++ if (mad_bit_length(ptr, &frameend_ptr) < nb) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return; ++ } + sample[s] = mad_bit_read(ptr, nb); ++ } + } + + for (s = 0; s < 3; ++s) { +@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre + unsigned char const *offsets; + unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3]; + mad_fixed_t samples[3]; ++ struct mad_bitptr frameend_ptr; ++ ++ mad_bit_init(&frameend_ptr, stream->next_frame); + + nch = MAD_NCHANNELS(header); + +@@ -402,13 +460,24 @@ int mad_layer_II(struct 
mad_stream *stre + for (sb = 0; sb < bound; ++sb) { + nbal = bitalloc_table[offsets[sb]].nbal; + +- for (ch = 0; ch < nch; ++ch) ++ for (ch = 0; ch < nch; ++ch) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal); ++ } + } + + for (sb = bound; sb < sblimit; ++sb) { + nbal = bitalloc_table[offsets[sb]].nbal; + ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + allocation[0][sb] = + allocation[1][sb] = mad_bit_read(&stream->ptr, nbal); + } +@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre + + for (sb = 0; sb < sblimit; ++sb) { + for (ch = 0; ch < nch; ++ch) { +- if (allocation[ch][sb]) ++ if (allocation[ch][sb]) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2); ++ } + } + } + +@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre + for (sb = 0; sb < sblimit; ++sb) { + for (ch = 0; ch < nch; ++ch) { + if (allocation[ch][sb]) { ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6); + + switch (scfsi[ch][sb]) { +@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre + break; + + case 0: ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6); + /* fall through */ + + case 1: + case 3: ++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6); + } + +@@ -487,7 +577,9 
@@ int mad_layer_II(struct mad_stream *stre + if ((index = allocation[ch][sb])) { + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + +- II_samples(&stream->ptr, &qc_table[index], samples); ++ II_samples(&stream->ptr, &qc_table[index], samples, stream); ++ if (stream->error != 0) ++ return -1; + + for (s = 0; s < 3; ++s) { + frame->sbsample[ch][3 * gr + s][sb] = +@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre + if ((index = allocation[0][sb])) { + index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; + +- II_samples(&stream->ptr, &qc_table[index], samples); ++ II_samples(&stream->ptr, &qc_table[index], samples, stream); ++ if (stream->error != 0) ++ return -1; + + for (ch = 0; ch < nch; ++ch) { + for (s = 0; s < 3; ++s) { +Index: libmad-0.15.1b/layer3.c +=================================================================== +--- libmad-0.15.1b.orig/layer3.c ++++ libmad-0.15.1b/layer3.c +@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b + static + unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr, + struct channel *channel, +- struct channel *gr1ch, int mode_extension) ++ struct channel *gr1ch, int mode_extension, ++ unsigned int bits_left, unsigned int *part2_length) + { + struct mad_bitptr start; + unsigned int scalefac_compress, index, slen[4], part, n, i; +@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct + + n = 0; + for (part = 0; part < 4; ++part) { +- for (i = 0; i < nsfb[part]; ++i) ++ for (i = 0; i < nsfb[part]; ++i) { ++ if (bits_left < slen[part]) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[n++] = mad_bit_read(ptr, slen[part]); ++ bits_left -= slen[part]; ++ } + } + + while (n < 39) +@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct + max = (1 << slen[part]) - 1; + + for (i = 0; i < nsfb[part]; ++i) { ++ if (bits_left < slen[part]) ++ return MAD_ERROR_BADSCFSI; + is_pos = mad_bit_read(ptr, slen[part]); ++ bits_left -= slen[part]; + + channel->scalefac[n] = 
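Review bot: `III_scalefactors_lsf` keeps its `unsigned int` return type in the `@@ -598,7 +598,8 @@` hunk although, per the later `-703` hunk, it now returns `MAD_ERROR_*` codes and hands the bit count back through `*part2_length`. Declaring it `enum mad_error III_scalefactors_lsf(...)` would match `III_huffdecode` and the `error = III_scalefactors_lsf(...)` assignment in `III_decode`, and makes the new contract visible at the declaration. `III_scalefactors` in the `-712` hunk has the same mismatch. The descriptive comment above each function starts outside these hunks and would presumably need a line such as `/* RETURN: MAD_ERROR_NONE, or MAD_ERROR_BADSCFSI when too few bits remain; *part2_length receives the bits consumed */`.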
is_pos; + gr1ch->scalefac[n++] = (is_pos == max); +@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct + } + } + +- return mad_bit_length(&start, ptr); ++ *part2_length = mad_bit_length(&start, ptr); ++ return MAD_ERROR_NONE; + } + + /* +@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct + */ + static + unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel, +- struct channel const *gr0ch, unsigned int scfsi) ++ struct channel const *gr0ch, unsigned int scfsi, ++ unsigned int bits_left, unsigned int *part2_length) + { + struct mad_bitptr start; + unsigned int slen1, slen2, sfbi; +@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad + sfbi = 0; + + nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3; +- while (nsfb--) ++ while (nsfb--) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + + nsfb = 6 * 3; +- while (nsfb--) ++ while (nsfb--) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + + nsfb = 1 * 3; + while (nsfb--) +@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 0; sfbi < 6; ++sfbi) ++ for (sfbi = 0; sfbi < 6; ++sfbi) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + } + + if (scfsi & 0x4) { +@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 6; sfbi < 11; ++sfbi) ++ for (sfbi = 6; sfbi < 11; ++sfbi) { ++ if (bits_left < slen1) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen1); ++ bits_left -= slen1; ++ } + } + + if (scfsi & 0x2) { +@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad + 
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 11; sfbi < 16; ++sfbi) ++ for (sfbi = 11; sfbi < 16; ++sfbi) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + } + + if (scfsi & 0x1) { +@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad + channel->scalefac[sfbi] = gr0ch->scalefac[sfbi]; + } + else { +- for (sfbi = 16; sfbi < 21; ++sfbi) ++ for (sfbi = 16; sfbi < 21; ++sfbi) { ++ if (bits_left < slen2) ++ return MAD_ERROR_BADSCFSI; + channel->scalefac[sfbi] = mad_bit_read(ptr, slen2); ++ bits_left -= slen2; ++ } + } + + channel->scalefac[21] = 0; + } + +- return mad_bit_length(&start, ptr); ++ *part2_length = mad_bit_length(&start, ptr); ++ return MAD_ERROR_NONE; + } + + /* +@@ -933,19 +968,17 @@ static + enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576], + struct channel *channel, + unsigned char const *sfbwidth, +- unsigned int part2_length) ++ signed int part3_length) + { + signed int exponents[39], exp; + signed int const *expptr; + struct mad_bitptr peek; +- signed int bits_left, cachesz; ++ signed int bits_left, cachesz, fakebits; + register mad_fixed_t *xrptr; + mad_fixed_t const *sfbound; + register unsigned long bitcache; + +- bits_left = (signed) channel->part2_3_length - (signed) part2_length; +- if (bits_left < 0) +- return MAD_ERROR_BADPART3LEN; ++ bits_left = part3_length; + + III_exponents(channel, sfbwidth, exponents); + +@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad + cachesz = mad_bit_bitsleft(&peek); + cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7; + ++ if (bits_left < cachesz) { ++ cachesz = bits_left; ++ } + bitcache = mad_bit_read(&peek, cachesz); + bits_left -= cachesz; ++ fakebits = 0; + + xrptr = &xr[0]; + +@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad + + big_values = channel->big_values; + +- while (big_values-- && cachesz + bits_left > 0) { ++ while 
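Review bot: The new local `fakebits` in the `@@ -933,19 +968,17 @@` hunk is declared without a comment, and its role only becomes clear from the later hunks, where it is increased each time `bitcache` is left-shifted without reading from `peek` and is then set against `cachesz` in every bounds test. A one-line comment at the declaration would make those `cachesz - fakebits` tests readable, for example `/* fakebits: zero padding shifted into bitcache once bits_left could not refill it; cachesz - fakebits is the number of real bits */`. The function's header comment lies outside this hunk; it may also need updating now that the last parameter is `part3_length` rather than `part2_length`.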
(big_values-- && cachesz + bits_left - fakebits > 0) { + union huffpair const *pair; + unsigned int clumpsz, value; + register mad_fixed_t requantized; +@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad + unsigned int bits; + + bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7; ++ if (bits_left < bits) { ++ bits = bits_left; ++ } + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); + cachesz += bits; + bits_left -= bits; + } ++ if (cachesz < 21) { ++ unsigned int bits = 21 - cachesz; ++ bitcache <<= bits; ++ cachesz += bits; ++ fakebits += bits; ++ } + + /* hcod (0..19) */ + +@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad + } + + cachesz -= pair->value.hlen; ++ if (cachesz < fakebits) ++ return MAD_ERROR_BADHUFFDATA; + + if (linbits) { + /* x (0..14) */ +@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad + + case 15: + if (cachesz < linbits + 2) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; + } ++ if (cachesz - fakebits < linbits) ++ return MAD_ERROR_BADHUFFDATA; + + value += MASK(bitcache, cachesz, linbits); + cachesz -= linbits; +@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad + } + + x_final: ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[0] = MASK1BIT(bitcache, cachesz--) ? 
+ -requantized : requantized; + } +@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad + + case 15: + if (cachesz < linbits + 1) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; + } ++ if (cachesz - fakebits < linbits) ++ return MAD_ERROR_BADHUFFDATA; + + value += MASK(bitcache, cachesz, linbits); + cachesz -= linbits; +@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad + } + + y_final: ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[1] = MASK1BIT(bitcache, cachesz--) ? + -requantized : requantized; + } +@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad + requantized = reqcache[value] = III_requantize(value, exp); + } + ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[0] = MASK1BIT(bitcache, cachesz--) ? + -requantized : requantized; + } +@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad + requantized = reqcache[value] = III_requantize(value, exp); + } + ++ if (cachesz - fakebits < 1) ++ return MAD_ERROR_BADHUFFDATA; + xrptr[1] = MASK1BIT(bitcache, cachesz--) ? 
+ -requantized : requantized; + } +@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad + } + } + +- if (cachesz + bits_left < 0) +- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */ +- + /* count1 */ + { + union huffquad const *table; +@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad + + requantized = III_requantize(1, exp); + +- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) { ++ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) { + union huffquad const *quad; + + /* hcod (1..6) */ + + if (cachesz < 10) { +- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16); +- cachesz += 16; +- bits_left -= 16; ++ unsigned int bits = 16; ++ if (bits_left < 16) ++ bits = bits_left; ++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); ++ cachesz += bits; ++ bits_left -= bits; ++ } ++ if (cachesz < 10) { ++ unsigned int bits = 10 - cachesz; ++ bitcache <<= bits; ++ cachesz += bits; ++ fakebits += bits; + } + + quad = &table[MASK(bitcache, cachesz, 4)]; +@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad + MASK(bitcache, cachesz, quad->ptr.bits)]; + } + ++ if (cachesz - fakebits < quad->value.hlen + quad->value.v ++ + quad->value.w + quad->value.x + quad->value.y) ++ /* We don't have enough bits to read one more entry, consider them ++ * stuffing bits. 
*/ ++ break; + cachesz -= quad->value.hlen; + + if (xrptr == sfbound) { +@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad + + xrptr += 2; + } +- +- if (cachesz + bits_left < 0) { +-# if 0 && defined(DEBUG) +- fprintf(stderr, "huffman count1 overrun (%d bits)\n", +- -(cachesz + bits_left)); +-# endif +- +- /* technically the bitstream is misformatted, but apparently +- some encoders are just a bit sloppy with stuffing bits */ +- +- xrptr -= 4; +- } + } + +- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT); +- + # if 0 && defined(DEBUG) + if (bits_left < 0) + fprintf(stderr, "read %d bits too many\n", -bits_left); +@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18 + */ + static + enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame, +- struct sideinfo *si, unsigned int nch) ++ struct sideinfo *si, unsigned int nch, unsigned int md_len) + { + struct mad_header *header = &frame->header; + unsigned int sfreqi, ngr, gr; ++ int bits_left = md_len * CHAR_BIT; + + { + unsigned int sfreq; +@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit + for (ch = 0; ch < nch; ++ch) { + struct channel *channel = &granule->ch[ch]; + unsigned int part2_length; ++ unsigned int part3_length; + + sfbwidth[ch] = sfbwidth_table[sfreqi].l; + if (channel->block_type == 2) { +@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit + } + + if (header->flags & MAD_FLAG_LSF_EXT) { +- part2_length = III_scalefactors_lsf(ptr, channel, ++ error = III_scalefactors_lsf(ptr, channel, + ch == 0 ? 0 : &si->gr[1].ch[1], +- header->mode_extension); ++ header->mode_extension, bits_left, &part2_length); + } + else { +- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch], +- gr == 0 ? 0 : si->scfsi[ch]); ++ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch], ++ gr == 0 ? 
0 : si->scfsi[ch], bits_left, &part2_length); + } ++ if (error) ++ return error; ++ ++ bits_left -= part2_length; + +- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length); ++ if (part2_length > channel->part2_3_length) ++ return MAD_ERROR_BADPART3LEN; ++ ++ part3_length = channel->part2_3_length - part2_length; ++ if (part3_length > bits_left) ++ return MAD_ERROR_BADPART3LEN; ++ ++ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length); + if (error) + return error; ++ bits_left -= part3_length; + } + + /* joint stereo processing */ +@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str + unsigned int nch, priv_bitlen, next_md_begin = 0; + unsigned int si_len, data_bitlen, md_len; + unsigned int frame_space, frame_used, frame_free; +- struct mad_bitptr ptr; ++ struct mad_bitptr ptr, bufend_ptr; + struct sideinfo si; + enum mad_error error; + int result = 0; + ++ mad_bit_init(&bufend_ptr, stream->bufend); ++ + /* allocate Layer III dynamic structures */ + + if (stream->main_data == 0) { +@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str + unsigned long header; + + mad_bit_init(&peek, stream->next_frame); ++ if (mad_bit_length(&peek, &bufend_ptr) >= 57) { ++ header = mad_bit_read(&peek, 32); ++ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) { ++ if (!(header & 0x00010000L)) /* protection_bit */ ++ mad_bit_skip(&peek, 16); /* crc_check */ + +- header = mad_bit_read(&peek, 32); +- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) { +- if (!(header & 0x00010000L)) /* protection_bit */ +- mad_bit_skip(&peek, 16); /* crc_check */ +- +- next_md_begin = +- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8); ++ next_md_begin = ++ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 
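Review bot: `part3_length > bits_left` in the `@@ -2391,18 +2456,30 @@` hunk compares an `unsigned int` with the `int bits_left` declared in the `-2348` hunk, so `bits_left` is converted to unsigned and a negative value would pass as a very large budget; the same conversion happens when it is handed to the `unsigned int bits_left` parameter of the scalefactor readers. As far as these hunks show the counter cannot drop below zero, because every subtraction is preceded by a check, but the guard then rests on that invariant rather than on the comparison itself. Writing `if (bits_left < 0 || part3_length > (unsigned int) bits_left) return MAD_ERROR_BADPART3LEN;` keeps the check self-contained. `III_decode` continues outside the hunk.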
9 : 8); ++ } + } + + mad_bit_finish(&peek); +@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str + /* decode main_data */ + + if (result == 0) { +- error = III_decode(&ptr, frame, &si, nch); ++ error = III_decode(&ptr, frame, &si, nch, md_len); + if (error) { + stream->error = error; + result = -1; --- libmad-0.15.1b.orig/debian/patches/libmad.thumb.diff +++ libmad-0.15.1b/debian/patches/libmad.thumb.diff @@ -0,0 +1,14 @@ +From: Konstantinos Margaritis +Subject: use "adr" instead of "add" to make code ready for thumb2 + +--- ./imdct_l_arm.S.orig 2010-02-25 13:25:23.000000000 +0100 ++++ ./imdct_l_arm.S 2010-02-25 13:27:26.000000000 +0100 +@@ -468,7 +468,7 @@ + + @---- + +- add r2, pc, #(imdct36_long_karray-.-8) @ r2 = base address of Knn array (PIC safe ?) ++ adr r2, imdct36_long_karray + + + loop: --- libmad-0.15.1b.orig/debian/patches/md_size.diff +++ libmad-0.15.1b/debian/patches/md_size.diff 
@@ -0,0 +1,58 @@ +From: Kurt Roeckx +Date: Sun, 28 Jan 2018 15:44:08 +0100 +Subject: Check the size of the main data + +The main data to decode a frame can come from the current frame and part of the +previous frame, the so called bit reservoir. si.main_data_begin is the part of +the previous frame we need for this frame. frame_space is the amount of main +data that can be in this frame, and next_md_begin is the part of this frame that +is going to be used for the next frame. + +The maximum amount of data from a previous frame that the format allows is 511 +bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2 +at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881. +So those defines are not large enough: + # define MAD_BUFFER_GUARD 8 + # define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD) + +There is also support for a "free" bitrate which allows you to create any frame +size, which can be larger than the buffer. + +Changing the defines is not an option since it's part of the ABI, so we check +that the main data fits in the bufer. + +The previous frame data is stored in *stream->main_data and contains +stream->md_len bytes. If stream->md_len is larger than the data we +need from the previous frame (si.main_data_begin) it still wouldn't fit +in the buffer, so just keep the data that we need. 
+ +Index: libmad-0.15.1b/layer3.c +=================================================================== +--- libmad-0.15.1b.orig/layer3.c ++++ libmad-0.15.1b/layer3.c +@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str + next_md_begin = 0; + + md_len = si.main_data_begin + frame_space - next_md_begin; ++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) { ++ stream->error = MAD_ERROR_LOSTSYNC; ++ stream->sync = 0; ++ return -1; ++ } + + frame_used = 0; + +@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str + } + } + else { +- mad_bit_init(&ptr, +- *stream->main_data + stream->md_len - si.main_data_begin); ++ memmove(stream->main_data, ++ *stream->main_data + stream->md_len - si.main_data_begin, ++ si.main_data_begin); ++ stream->md_len = si.main_data_begin; ++ mad_bit_init(&ptr, *stream->main_data); + + if (md_len > si.main_data_begin) { + assert(stream->md_len + md_len - --- libmad-0.15.1b.orig/debian/patches/mips-gcc4.4.diff +++ libmad-0.15.1b/debian/patches/mips-gcc4.4.diff @@ -0,0 +1,25 @@ +From: Aurelien Jarno +Subject: Different constraints for mips with gcc-4.4 + +This asm constraints has been removed from gcc 4.4, that's why it was not +failing before. See http://gcc.gnu.org/gcc-4.4/changes.html for more +details, including a description of the new way to do it. + +--- libmad-0.15.1b.orig/fixed.h ++++ libmad-0.15.1b/fixed.h +@@ -297,6 +297,14 @@ + + /* --- MIPS ---------------------------------------------------------------- */ + ++# elif defined(FPM_MIPS) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)) ++ typedef unsigned int u64_di_t __attribute__ ((mode (DI))); ++# define MAD_F_MLX(hi, lo, x, y) \ ++ do { \ ++ u64_di_t __ll = (u64_di_t) (x) * (y); \ ++ hi = __ll >> 32; \ ++ lo = __ll; \ ++ } while (0) + # elif defined(FPM_MIPS) + + /* + --- libmad-0.15.1b.orig/debian/patches/optimize.diff +++ libmad-0.15.1b/debian/patches/optimize.diff 
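Review bot: The `memmove()` destination in the `@@ -2625,8 +2630,11 @@` hunk is written `stream->main_data` while the source and the following `mad_bit_init()` use `*stream->main_data`; if `main_data` is a pointer to the buffer array (its declaration is not on this page) both spell the same address, but the mixed forms make the bounds harder to audit. Writing `memmove(*stream->main_data, *stream->main_data + stream->md_len - si.main_data_begin, si.main_data_begin);` and adding `/* keep only the main_data_begin bytes this frame still needs, so the new data fits */` above it would carry the patch description's reasoning into the code. The `assert()` that follows is cut off by the hunk; after this change it appears to reduce to the `md_len` limit enforced by the first hunk, which unlike `assert` also holds in builds with `NDEBUG`.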
@@ -0,0 +1,77 @@ +Index: libmad-0.15.1b/configure.ac +=================================================================== +--- libmad-0.15.1b.orig/configure.ac 2008-03-07 20:31:23.000000000 +0000 ++++ libmad-0.15.1b/configure.ac 2008-03-07 20:34:26.000000000 +0000 +@@ -124,71 +124,7 @@ + + if test "$GCC" = yes + then +- if test -z "$arch" +- then +- case "$host" in +- i386-*) ;; +- i?86-*) arch="-march=i486" ;; +- arm*-empeg-*) arch="-march=armv4 -mtune=strongarm1100" ;; +- armv4*-*) arch="-march=armv4 -mtune=strongarm" ;; +- powerpc-*) ;; +- mips*-agenda-*) arch="-mcpu=vr4100" ;; +- mips*-luxsonor-*) arch="-mips1 -mcpu=r3000 -Wa,-m4010" ;; +- esac +- fi +- +- case "$optimize" in +- -O|"-O "*) +- optimize="-O" +- optimize="$optimize -fforce-mem" +- optimize="$optimize -fforce-addr" +- : #x optimize="$optimize -finline-functions" +- : #- optimize="$optimize -fstrength-reduce" +- optimize="$optimize -fthread-jumps" +- optimize="$optimize -fcse-follow-jumps" +- optimize="$optimize -fcse-skip-blocks" +- : #x optimize="$optimize -frerun-cse-after-loop" +- : #x optimize="$optimize -frerun-loop-opt" +- : #x optimize="$optimize -fgcse" +- optimize="$optimize -fexpensive-optimizations" +- optimize="$optimize -fregmove" +- : #* optimize="$optimize -fdelayed-branch" +- : #x optimize="$optimize -fschedule-insns" +- optimize="$optimize -fschedule-insns2" +- : #? optimize="$optimize -ffunction-sections" +- : #? optimize="$optimize -fcaller-saves" +- : #> optimize="$optimize -funroll-loops" +- : #> optimize="$optimize -funroll-all-loops" +- : #x optimize="$optimize -fmove-all-movables" +- : #x optimize="$optimize -freduce-all-givs" +- : #? 
optimize="$optimize -fstrict-aliasing" +- : #* optimize="$optimize -fstructure-noalias" +- +- case "$host" in +- arm*-*) +- optimize="$optimize -fstrength-reduce" +- ;; +- mips*-*) +- optimize="$optimize -fstrength-reduce" +- optimize="$optimize -finline-functions" +- ;; +- i?86-*) +- optimize="$optimize -fstrength-reduce" +- ;; +- powerpc-apple-*) +- # this triggers an internal compiler error with gcc2 +- : #optimize="$optimize -fstrength-reduce" +- +- # this is really only beneficial with gcc3 +- : #optimize="$optimize -finline-functions" +- ;; +- *) +- # this sometimes provokes bugs in gcc 2.95.2 +- : #optimize="$optimize -fstrength-reduce" +- ;; +- esac +- ;; +- esac ++ optimize="-O2" + fi + + case "$host" in --- libmad-0.15.1b.orig/debian/patches/series +++ libmad-0.15.1b/debian/patches/series @@ -0,0 +1,7 @@ +optimize.diff +amd64-64bit.diff +Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff +libmad.thumb.diff +mips-gcc4.4.diff +md_size.diff +length-check.patch --- libmad-0.15.1b.orig/debian/rules +++ libmad-0.15.1b/debian/rules 
@@ -0,0 +1,33 @@ +#!/usr/bin/make -f +# makefile for libmad + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +DEB_DH_MAKESHLIBS_ARGS_libmad0 = -V 'libmad0 (>= 0.15.1b-3)' + +include /usr/share/dpkg/architecture.mk +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/class/autotools.mk +include /usr/share/cdbs/1/rules/patchsys-quilt.mk +include /usr/share/cdbs/1/rules/autoreconf.mk + +export AUTOMAKE = automake --foreign + +DEB_CONFIGURE_EXTRA_FLAGS=--enable-shared --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) +DEB_CONFIGURE_EXTRA_FLAGS += --enable-profiling --enable-debugging +else +DEB_CONFIGURE_EXTRA_FLAGS += --disable-profiling --disable-debugging +endif + +ifneq (,$(findstring $(DEB_HOST_ARCH),armel armhf)) +DEB_CONFIGURE_EXTRA_FLAGS += --disable-aso +endif + +clean:: + # annoying lintian errors + rm -f config.cache libz/config.log libz/config.status + +install/libmad0-dev:: + install -m644 -D debian/mad.pc debian/libmad0-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/mad.pc --- libmad-0.15.1b.orig/debian/watch +++ libmad-0.15.1b/debian/watch @@ -0,0 +1,2 @@ +version=2 +ftp://ftp.mars.org/mpeg/libmad-(.*)\.tar\.gz debian uupdate
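Review bot: The ARM guard in the `debian/rules` hunk uses `$(findstring $(DEB_HOST_ARCH),armel armhf)`, which is a substring match, so a value such as `arm` would also take the `--disable-aso` branch while the intent appears to be an exact match on two architecture names. `ifneq (,$(filter $(DEB_HOST_ARCH),armel armhf))` compares whole words instead. Since the changelog gives a segfault in the ARM-specific code path as the reason for this switch, a short comment above the conditional pointing at that entry (LP: #989846) would explain why the flag has to stay.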