[Secure-testing-team] security issue in libfaad2

Menno Bakker info at audiocoding.com
Tue Dec 16 01:10:40 UTC 2008


Hi Nico,

Ok I did some more digging: Together with that patch for specrec.c you
should at least include the following patches:

http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/error.c?r1=1.32&r2=1.33&diff_format=u
http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/error.h?r1=1.26&r2=1.27&diff_format=u

I'm not sure if that solves the crash you mention though. But the
returned error value might cause the array of error strings to be
accessed out of bounds if you don't apply those 2 patches.
There were a couple of patches I applied a few days after that specrec.c one:

http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/structs.h?r1=1.47&r2=1.48&diff_format=u
http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/ps_dec.c?r1=1.14&r2=1.15&diff_format=u
http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/decoder.c?r1=1.114&r2=1.115&diff_format=u

Other than that only 1 file changed, twice even, common.h. But those
were not affecting GCC compiles as far as I can see.

Hope this helps.

Regards,
Menno


On Sun, Dec 14, 2008 at 9:07 AM, Nico Golde
<debian-secure-testing+ml at ngolde.de> wrote:
> Hi,
> sorry for coming back to you that late...
> * Menno Bakker <info at audiocoding.com> [2008-12-04 00:51]:
>> Ah yes, I'm sorry. I seem to remember that it is this one (hope the
>> link works for you):
>>
>> http://faac.cvs.sourceforge.net/viewvc/faac/faad2/libfaad/specrec.c?r1=1.60&r2=1.61&diff_format=u
>>
>> If that's not it, please let me know, then I will have to look a bit deeper.
>
> It indeed changed the behaviour but it still segfaults
> around (filtbank.c):
> 245         for (i = 0; i < nlong; i+=4)
> 246         {
> 247             time_out[i]   = overlap[i]   + MUL_F(transf_buf[i],window_long_prev[i]);
> 248             time_out[i+1] = overlap[i+1] + MUL_F(transf_buf[i+1],window_long_prev[i+1]);
> 249             time_out[i+2] = overlap[i+2] + MUL_F(transf_buf[i+2],window_long_prev[i+2]);
> 250             time_out[i+3] = overlap[i+3] + MUL_F(transf_buf[i+3],window_long_prev[i+3]);
> 251         }
>
>
> A complete backtrace is attached. Can you remember any other fix related to this?
>
> Cheers
> Nico
>
> --
> Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.
>
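A bounds-checked error-string lookup of the kind the error.c/error.h patches above are about, added here as an example; it is not libfaad2 code, and the table contents and function names are constructed.

```c
/* Added example, not libfaad2 code: shows the out-of-bounds read an
 * unchecked error-code lookup permits and the checked form that avoids it.
 * Table entries and function names are constructed for illustration. */
#include <stddef.h>
#include <string.h>

/* Constructed message table; a real decoder has its own list. */
static const char *const err_msg[] = {
    "No error",
    "Unsupported bitstream feature",
    "Invalid codebook index",
    "Scalefactor out of range",
    "Bitstream value not allowed",
};
#define NUM_ERROR_MESSAGES (sizeof(err_msg) / sizeof(err_msg[0]))

/* Unchecked lookup: any code >= NUM_ERROR_MESSAGES indexes past the end
 * of err_msg, which is the out-of-bounds access described in the mail.
 * A decoder that returns a new error code without extending the table
 * hits this path. Shown for contrast only; do not call with such codes. */
const char *error_message_unchecked(unsigned char errcode)
{
    return err_msg[errcode];
}

/* Checked lookup: validate the code against the table size first and
 * hand back a fixed fallback string instead of reading out of bounds. */
const char *error_message(unsigned char errcode)
{
    if (errcode >= NUM_ERROR_MESSAGES)
        return "Unknown error code";
    return err_msg[errcode];
}

/* Convenience predicate for callers that want to log an unexpected code. */
int error_code_known(unsigned char errcode)
{
    return errcode < NUM_ERROR_MESSAGES;
}
```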