faad2: patch CVE-2021-32276

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32276

Pick the patches from the PR[1] that resolved the issue[2] referenced by
the NVD advisory.

[1]: https://github.com/knik0/faad2/pull/66
[2]: https://github.com/knik0/faad2/issues/58

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-1.patch

@@ -0,0 +1,83 @@
+From 586ac8cf550b63a1d87ec105ea4bf20b6f406591 Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <awesie@gmail.com>
+Date: Fri, 9 Oct 2020 08:19:48 -0500
+Subject: [PATCH] Check for error after each channel decode.
+
+hInfo->error is reset within the decode_* functions. This caused the decoder
+to ignore errors for some channels in the error resilience (ER) code path.
+
+Fixes #58.
+
+CVE: CVE-2021-32276
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/b58840121d1827b4b6c7617e2431589af1776ddc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libfaad/syntax.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/libfaad/syntax.c b/libfaad/syntax.c
+index 4e57efd..af48cd1 100644
+--- a/libfaad/syntax.c
++++ b/libfaad/syntax.c
+@@ -523,37 +523,61 @@ void raw_data_block(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo,
+             break;
+         case 3:
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
+             if (hInfo->error > 0)
+                 return;
+             break;
+         case 4:
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
+             if (hInfo->error > 0)
+                 return;
+             break;
+         case 5:
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
+             if (hInfo->error > 0)
+                 return;
+             break;
+         case 6:
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
+             if (hInfo->error > 0)
+                 return;
+             break;
+         case 7: /* 8 channels */
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_SCE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_cpe(hDecoder, hInfo, ld, ID_CPE);
++            if (hInfo->error > 0)
++                return;
+             decode_sce_lfe(hDecoder, hInfo, ld, ID_LFE);
+             if (hInfo->error > 0)
+                 return;

meta-oe/recipes-multimedia/faad2/faad2/CVE-2021-32276-2.patch

@@ -0,0 +1,36 @@
+From bac3c71781465bb92286e89ef326161bd2500cb4 Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <awesie@gmail.com>
+Date: Fri, 9 Oct 2020 08:55:52 -0500
+Subject: [PATCH] Check for inconsistent number of channels.
+
+The frontend does not support audio output when the number of channels
+changes between frames. Check if the number of decoded channels matches the
+number of audio output channels.
+
+It is possible that this condition should be detected in the decoder instead
+of the frontend.
+
+Fixes crash from afl-fuzz.
+
+CVE: CVE-2021-32276
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/4ed30d3d232b6a7a150cc06aed14eb47e4eda14e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ frontend/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/frontend/main.c b/frontend/main.c
+index 3b0850d..39d5276 100644
+--- a/frontend/main.c
++++ b/frontend/main.c
+@@ -693,6 +693,10 @@ static int decodeAACfile(char *aacfile, char *sndfile, char *adts_fn, int to_std
+         /* update buffer indices */
+         advance_buffer(&b, frameInfo.bytesconsumed);
+ 
++        /* check if the inconsistent number of channels */
++        if (aufile != NULL && frameInfo.channels != aufile->channels)
++            frameInfo.error = 12;
++
+         if (frameInfo.error > 0)
+         {
+             faad_fprintf(stderr, "Error: %s\n",

meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb

@@ -12,6 +12,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
            file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \
            file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \
            file://0001-Check-return-value-of-ltp_data.patch \
+           file://CVE-2021-32276-1.patch \
+           file://CVE-2021-32276-2.patch \
            "
 SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
 SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"