mpg123-1.32.9

NEWS

@@ -1,3 +1,13 @@
+1.32.9
+------
+- libmpg123:
+-- enable 64 bit offset path for MSVCRT and avoid warnings about
+   MS's game about POSIX API with and without underscores (bug 373).
+-- Increase the library patchlevel, as was forgotten on previous
+   release. Now you can check for distversion >= 1.32.8 or
+   mpg123 libversion >= 48 patchlevel 3 to see if you're vulnerable
+   to CVE-2024-10573.
+
 1.32.8
 ------
 - libmpg123:
@@ -6,7 +16,7 @@
    (github PR 15).
 -- Prevent premature application of header info into decoding structure,
    at worst having triggered out-of-bounds writes of decoded PCM data
-   (bug 322, again).
+   (bug 322, again). The bug got named CVE-2024-10573.
 - out123: Show --quiet in --longhelp.
 
 1.32.7

TODO

@@ -1,3 +1,6 @@
+One current thing: Cleanup mpg123_noise() ... remove that accidentally public symbol
+or make it official. The functionality is in syn123 and it was never documented.
+
 Things that need to be done...
 
 ... as always, mostly outdated.

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for mpg123 1.32.8.
+# Generated by GNU Autoconf 2.71 for mpg123 1.32.9.
 #
 # Report bugs to <maintainer@mpg123.org>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='mpg123'
 PACKAGE_TARNAME='mpg123'
-PACKAGE_VERSION='1.32.8'
-PACKAGE_STRING='mpg123 1.32.8'
+PACKAGE_VERSION='1.32.9'
+PACKAGE_STRING='mpg123 1.32.9'
 PACKAGE_BUGREPORT='maintainer@mpg123.org'
 PACKAGE_URL=''
 
@@ -1727,7 +1727,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mpg123 1.32.8 to adapt to many kinds of systems.
+\`configure' configures mpg123 1.32.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1798,7 +1798,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mpg123 1.32.8:";;
+     short | recursive ) echo "Configuration of mpg123 1.32.9:";;
    esac
   cat <<\_ACEOF
 
@@ -2076,7 +2076,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mpg123 configure 1.32.8
+mpg123 configure 1.32.9
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2621,7 +2621,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mpg123 $as_me 1.32.8, which was
+It was created by mpg123 $as_me 1.32.9, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3390,7 +3390,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-LIBMPG123_VERSION=48:2:48
+LIBMPG123_VERSION=48:3:48
 LIBOUT123_VERSION=5:1:5
 LIBSYN123_VERSION=2:3:2
 
@@ -3991,7 +3991,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='mpg123'
- VERSION='1.32.8'
+ VERSION='1.32.9'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -22453,7 +22453,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mpg123 $as_me 1.32.8, which was
+This file was extended by mpg123 $as_me 1.32.9, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22521,7 +22521,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-mpg123 config.status 1.32.8
+mpg123 config.status 1.32.9
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

mpg123.spec

@@ -3,7 +3,7 @@
 # - devel packages for alsa, sdl, etc... to build the respective output modules.
 Summary:	The fast console mpeg audio decoder/player.
 Name:		mpg123
-Version:	1.32.8
+Version:	1.32.9
 Release:	1
 URL:		http://www.mpg123.org/
 License:	GPL

src/compat/compat.c

@@ -88,7 +88,7 @@ int INT123_compat_open(const char *filename, int flags)
 open_fallback:
 #endif
 
-#if (defined(WIN32) && !defined (__CYGWIN__))
+#if defined(MPG123_COMPAT_MSVCRT_IO)
 	/* MSDN says POSIX function is deprecated beginning in Visual C++ 2005 */
 	/* Try plain old _open(), if it fails, do nothing */
 	ret = _open(filename, flags|_O_BINARY, _S_IREAD | _S_IWRITE);
@@ -138,12 +138,16 @@ fopen_ok:
 
 FILE* INT123_compat_fdopen(int fd, const char *mode)
 {
+#if defined(MPG123_COMPAT_MSVCRT_IO)
+	return _fdopen(fd, mode);
+#else
 	return fdopen(fd, mode);
+#endif
 }
 
 int INT123_compat_close(int infd)
 {
-#if (defined(WIN32) && !defined (__CYGWIN__)) /* MSDN says POSIX function is deprecated beginning in Visual C++ 2005 */
+#if defined(MPG123_COMPAT_MSVCRT_IO)
 	return _close(infd);
 #else
 	return close(infd);

src/compat/compat.h

@@ -110,7 +110,42 @@
 
 typedef unsigned char byte;
 
+#if (defined(_UCRT) || defined(_MSC_VER) || (defined(__MINGW32__) || defined(__MINGW64__)) || (defined(__WATCOMC__) && defined(__NT__))) && !defined(__CYGWIN__)
+#define MPG123_COMPAT_MSVCRT_IO
+#endif
+
+#if defined(MPG123_COMPAT_MSVCRT_IO)
+#if defined(_UCRT)
+// needs to get checked separately from MSVC and MinGW becuase it is also used by native Clang on Windows
+#ifndef MPG123_COMPAT_MSVCRT_IO_64
+#define MPG123_COMPAT_MSVCRT_IO_64
+#endif
+#endif
 #if defined(_MSC_VER)
+#if (_MSC_VER >= 1200)
+// >= VC6
+#ifndef MPG123_COMPAT_MSVCRT_IO_64
+#define MPG123_COMPAT_MSVCRT_IO_64
+#endif
+#endif
+#endif
+#if defined(__MINGW32__) || defined(__MINGW64__)
+#if (defined(__MSVCRT__) || defined(_UCRT)) && !defined(__CRTDLL__)
+#ifndef MPG123_COMPAT_MSVCRT_IO_64
+#define MPG123_COMPAT_MSVCRT_IO_64
+#endif
+#endif
+#endif
+#if defined(__WATCOMC__) && defined(__NT__)
+#if (__WATCOMC__ >= 1100)
+#ifndef MPG123_COMPAT_MSVCRT_IO_64
+#define MPG123_COMPAT_MSVCRT_IO_64
+#endif
+#endif
+#endif
+#endif
+
+#if defined(HAVE__SETMODE) || defined(HAVE_SETMODE) || defined(MPG123_COMPAT_MSVCRT_IO)
 // For _setmode(), at least.
 #include <io.h>
 #endif

src/include/mpg123.h

@@ -19,7 +19,7 @@
  */
 #define MPG123_API_VERSION 48
 /** library patch level at client build time */
-#define MPG123_PATCHLEVEL  2
+#define MPG123_PATCHLEVEL  3
 
 #ifndef MPG123_EXPORT
 /** Defines needed for MS Visual Studio(tm) DLL builds.

src/libmpg123/lfs_wrap.c

@@ -137,7 +137,11 @@ static void wrap_io_cleanup(void *handle)
 	if(ioh->my_fd >= 0)
 	{
 		mdebug("closing my fd %d", ioh->my_fd);
+#if defined(MPG123_COMPAT_MSVCRT_IO)
+		_close(ioh->my_fd);
+#else
 		close(ioh->my_fd);
+#endif
 		ioh->my_fd = -1;
 	}
 }
@@ -699,6 +703,35 @@ static int64_t wrap_lseek(void *handle, int64_t offset, int whence)
 	return -1;
 }
 
+// Defining a wrapper to the native read to be sure the prototype matches.
+// There are platforms where it is read(int, void*, unsigned int).
+// We know that we read small chunks where the difference does not matter. Could
+// apply specific hackery, use a common compat_read() (INT123_unintr_read()?) with system
+// specifics.
+static mpg123_ssize_t fallback_read(int fd, void *buf, size_t count)
+{
+#if defined(MPG123_COMPAT_MSVCRT_IO)
+	if(count > UINT_MAX)
+	{
+		errno = EOVERFLOW;
+		return -1;
+	}
+	return _read(fd, buf, (unsigned int)count);
+#else
+	return read(fd, buf, count);
+#endif
+}
+
+static off_t fallback_lseek(int fd, off_t offset, int whence)
+{
+#if defined(MPG123_COMPAT_MSVCRT_IO)
+	// Off_t is 32 bit and does fit into long. We know that.
+	return _lseek(fd, (long)offset, whence);
+#else
+	return lseek(fd, offset, whence);
+#endif
+}
+
 // This is assuming an internally opened file, which usually will be
 // using 64 bit offsets. It keeps reading on on trivial interruptions.
 // I guess any file descriptor that matches the libc should work fine.
@@ -730,7 +763,7 @@ static int internal_read64(void *handle, void *buf, size_t bytes, size_t *got_by
 		}
 #endif
 		errno = 0;
-		ptrdiff_t part = read(fd, (char*)buf+got, bytes);
+		ptrdiff_t part = fallback_read(fd, (char*)buf+got, bytes);
 		if(part > 0) // == 0 is end of file
 		{
 			SATURATE_SUB(bytes, part, 0)
@@ -755,13 +788,15 @@ static int64_t internal_lseek64(void *handle, int64_t offset, int whence)
 	struct wrap_data* ioh = handle;
 #ifdef LFS_LARGEFILE_64
 	return lseek64(ioh->fd, offset, whence);
+#elif defined(MPG123_COMPAT_MSVCRT_IO_64)
+	return _lseeki64(ioh->fd, offset, whence);
 #else
 	if(offset < OFF_MIN || offset > OFF_MAX)
 	{
 		errno = EOVERFLOW;
 		return -1;
 	}
-	return lseek(ioh->fd, (off_t)offset, whence);
+	return fallback_lseek(ioh->fd, (off_t)offset, whence);
 #endif
 }
 
@@ -861,16 +896,6 @@ int INT123_wrap_open(mpg123_handle *mh, void *handle, const char *path, int fd,
 
 // So, native off_t reader replacement.
 
-// Defining a wrapper to the native read to be sure the prototype matches.
-// There are platforms where it is read(int, void*, unsigned int).
-// We know that we read small chunks where the difference does not matter. Could
-// apply specific hackery, use a common compat_read() (INT123_unintr_read()?) with system
-// specifics.
-static mpg123_ssize_t fallback_read(int fd, void *buf, size_t count)
-{
-	return read(fd, buf, count);
-}
-
 // In forced 64 bit offset mode, the only definitions of these are
 // the _64 ones.
 #ifdef FORCED_OFF_64
@@ -902,7 +927,7 @@ int attribute_align_arg mpg123_replace_reader(mpg123_handle *mh, mpg123_ssize_t
 		ioh->iotype = IO_FD;
 		ioh->fd = -1; /* On next mpg123_open_fd(), this gets a value. */
 		ioh->r_read = r_read != NULL ? r_read : fallback_read;
-		ioh->r_lseek = r_lseek != NULL ? r_lseek : lseek;
+		ioh->r_lseek = r_lseek != NULL ? r_lseek : fallback_lseek;
 	}
 
 	/* The real reader replacement will happen while opening. */

src/version.h

@@ -16,7 +16,7 @@
 // only single spaces as separator to ease parsing by build scripts
 #define MPG123_MAJOR 1
 #define MPG123_MINOR 32
-#define MPG123_PATCH 8
+#define MPG123_PATCH 9
 // Don't get too wild with that to avoid confusing m4. No brackets.
 // Also, it should fit well into a sane file name for the tarball.
 #define MPG123_SUFFIX ""