| 1 | +2.11.0: |
| 2 | + [ Eugène Filin ] |
| 3 | + * Fix incorrect variable initialization |
| 4 | + |
| 5 | + [ Eugene Kliuchnikov ] |
| 6 | + * CI/CD, build, etc |
| 7 | + |
| 8 | + - setup GitHub workflows; test build under MSVC, OSX, MSYS2, Linux |
| 9 | + - add CMake build system |
| 10 | + - additionally add Bazel build |
| 11 | + - remove automake and MSVC project files |
| 12 | + - add fuzzers that cover almost all decoder code |
| 13 | + - setup fuzzing for various builds: (no-)FIXED_POINT / (no-)DRM |
| 14 | + - remove dead code |
| 15 | + - address differes compilers warnings |
| 16 | + - move version to distingished place that different build systems can read |
| 17 | + |
| 18 | + * "Safe" bugs |
| 19 | + |
| 20 | + "Safe" means that it is unlikely to be exploited; those affect the decoded |
| 21 | + result for (most likely) extreme inputs. Some fixes are useful only for |
| 22 | + "FIXED_POINT" build, since it has more restrictions on intermediate values. |
| 23 | + |
| 24 | + - "negative range" in estimate_current_envelope |
| 25 | + - integer overflow in channel downmixing |
| 26 | + - integer overflow in estimate_envelope |
| 27 | + - integer overflows caused by "practical infinite" gain |
| 28 | + - integer overflows in HF adjustment code |
| 29 | + - several "left shift of negative value" |
| 30 | + - priming RNG to avoid using values that does not look random at all |
| 31 | + - do not drop the first frame of output; other decoders don't do this |
| 32 | + - touching uninitialized values in lt_update_state |
| 33 | + - touching uninitialized values in bit-reader buffers |
| 34 | + |
| 35 | + * "Almost Safe" bugs |
| 36 | + |
| 37 | + "Almost safe" means that those are unlinkly to be exploited; if those surface |
| 38 | + depends on build options / environment. |
| 39 | + |
| 40 | + - division by zero in HF (noise?) generator and scale factor adjustment |
| 41 | + - division by zero gen_rand_vector |
| 42 | + |
| 43 | + * "Unsafe" bugs |
| 44 | + |
| 45 | + "Unsafe" means that those can cause crash, or could somehow else be exploited. |
| 46 | + |
| 47 | + - CLI: accessing unallocated memory in mp4info (corrupted / zero-samples input) (CVE-2023-38857) |
| 48 | + - CLI: out-of-bounds when parsing mp4 header |
| 49 | + - CLI: crash because of wrong mp4 frame offset calculation (CVE-2023-38857) |
| 50 | + - error handling rvlc_decode_scale_factors (CPU bomb?) |
| 51 | + - null pointer dereference (in DRM + PS build) |
| 52 | + - index-out-of-bounds / stack-buffer-overflow in decode_sce_lfe |
| 53 | + (for streams with PCE) |
| 54 | + - stack-buffer-overflow in pns_decode |
| 55 | + - null pointer derefernce (when channels change their type in the middle |
| 56 | + of the stream) |
| 57 | + - infinite loop on currupted stream |
| 58 | + - add practial limits for scale factors; otherwise calculated NaN/Inf values |
| 59 | + could confuse further logic, resulting in access-out-of-bounds |
| 60 | + - check sf_index in window_grouping_info to avoid access-out-of-bounds |
| 61 | + - clamp bs_pointer values to avoid access-out-of-bounds |
| 62 | + - infinite loop in fill_element |
| 63 | + - sanitize input values in ps_mix_phase to avoid access-out-of-bounds |
| 64 | + - fix internal decoder buffer size calculation to avoid heap-out-of-bounds |
| 65 | + - calculate channel length multiplier even if main channel is already allocated |
| 66 | + to avoid heap-out-of-bounds |
| 67 | + - reserve enough slots for channels in decode_sce_lfe |
| 68 | + to avoid heap-out-of-bounds |
| 69 | + |
| 70 | + [ David Korczynski ] |
| 71 | + * Fuzzing integration with oss-fuzz |
| 72 | + |
| 73 | + [ Steveice10 ] |
| 74 | + * Add define option to disable SBR/PS support |
| 75 | + * Fix coefficient table selection in tns_decode_coef |
| 76 | + |
1 | 77 | 2.10.1:
|
2 | 78 | [David Korczynski]
|
3 | 79 | * Reject buffers of zero size.
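Review bot: the same identifier CVE-2023-38857 is attached to two distinct CLI entries in the "Unsafe" list ("accessing unallocated memory in mp4info" and "crash because of wrong mp4 frame offset calculation"); confirm that one advisory really covers both fixes, otherwise give the second entry its own id or drop the duplicate, since downstream packagers key security backports off these lines. Several entries in the same hunk also carry spelling errors that will be copied verbatim into distribution changelogs: "differes compilers warnings" (different compiler warnings), "distingished" (distinguished), "unlinkly" (unlikely), "derefernce" (dereference), "currupted" (corrupted), "practial" (practical), and "values that does not look random" (do not). Finally, the "Almost Safe" definition reads "unlinkly to be exploited; if those surface depends on build options / environment" which, as written, is a fragment; rephrasing it as "unlikely to be exploited; whether they surface depends on build options / environment" would make the intended distinction from the "Safe" class clear.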