--- libmad-0.15.1b.orig/debian/changelog
+++ libmad-0.15.1b/debian/changelog
@@ -0,0 +1,365 @@
+libmad (0.15.1b-9ubuntu16.04.1) xenial-security; urgency=medium
+
+ * Merge from Debian testing, remaining changes:
+ - Disable architecture specific optimisations on ARM, as there is a bug in
+ this codepath which causes segfaults, and the assembler is very old
+ (likely bitrotted). (LP: #989846)
+
+ -- Mike Salvatore Thu, 25 Oct 2018 10:47:07 -0400
+
+libmad (0.15.1b-9) unstable; urgency=high
+
+ * Properly check the size of the main data. The previous patch
+ only checked that it could fit in the buffer, but didn't ensure there
+ was actually enough room free in the buffer. This was assigned both
+ CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a
+ different way to detect it. (Closes: #287519)
+ * Rewrite patch to check the size of buffer. It now checks it before reading
+ it instead of afterwards checking that we did read too much. This now also
+ covers parsing the frame and layer3, not just layer 1 and 2. This was
+ original reported in #508133. CVE-2017-8374 mentions a case in layer 3.
+
+ -- Kurt Roeckx Sun, 28 Jan 2018 16:28:46 +0100
+
+libmad (0.15.1b-8.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Remove Clément Stenac from Uploaders (Closes: #868708)
+
+ [ Helmut Grohne ]
+ * Move mad.pc to a multiarch location. (Closes: #850461)
+
+ -- Manuel A. Fernandez Montecelo Tue, 31 Oct 2017 22:16:36 +0100
+
+libmad (0.15.1b-8ubuntu1) trusty; urgency=low
+
+ * Merge from Debian testing, remaining changes:
+ - Disable architecture specific optimisations on ARM, as there is a bug in
+ this codepath which causes segfaults, and the assembler is very old
+ (likely bitrotted). (LP: #989846)
+
+ -- Matthew Fischer Mon, 21 Oct 2013 21:25:24 -0600
+
+libmad (0.15.1b-8) unstable; urgency=low
+
+ * Add multiarch support. (Closes: #653676)
+ Patch by Steve Langasek
+ * Use dh-autoreconf to update libtool so that it works on x32
+ (Closes: #700437)
+
+ -- Kurt Roeckx Mon, 20 May 2013 18:02:18 +0200
+
+libmad (0.15.1b-7ubuntu2) raring; urgency=low
+
+ * Disable architecture specific optimisations on ARM, as there is a bug in
+ this codepath which causes segfaults, and the assembler is very old
+ (likely bitrotted). (LP: #989846)
+
+ -- Iain Lane Wed, 12 Dec 2012 12:10:33 +0000
+
+libmad (0.15.1b-7ubuntu1) precise; urgency=low
+
+ * Merge from Debian testing, remaining changes:
+ - Build for multiarch.
+ - Drop libmad.la, no longer needed.
+ - Drop redundant build target in debian/rules that ignores all the cdbs
+ autotools handling.
+
+ -- Steve Langasek Mon, 06 Feb 2012 12:19:01 -0800
+
+libmad (0.15.1b-7) unstable; urgency=low
+
+ * Fix arm's MAD_F_MLN thumb case causing problems on arhmf. Patch
+ by Dave Martin (Closes: #656814)
+ * Add ${misc:Depends} to the Depends.
+
+ -- Kurt Roeckx Sun, 22 Jan 2012 23:02:29 +0100
+
+libmad (0.15.1b-6ubuntu1) precise; urgency=low
+
+ * Build for multiarch.
+ * Drop libmad.la, no longer needed.
+ * Drop redundant build target in debian/rules that ignores all the cdbs
+ autotools handling.
+
+ -- Steve Langasek Thu, 29 Dec 2011 22:46:46 -0800
+
+libmad (0.15.1b-6) unstable; urgency=low
+
+ [ Konstantinos Margaritis ]
+ * Add support for armhf (Closes: #596936)
+ - libmad.thumb.diff: use "adr" instead of "add" to make code ready for
+ thumb2
+ - Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff: fix another
+ ftbfs with thumb2 as "rsc" doesnt exist anymore - thanks to Dave
+ Martin for this patch
+
+ -- Kurt Roeckx Tue, 29 Mar 2011 22:26:22 +0200
+
+libmad (0.15.1b-5) unstable; urgency=low
+
+ * gcc-4.4 removed an assembler constraint on mips/mipsel. Use the new
+ way of doing it. (Closes: #568418)
+
+ -- Kurt Roeckx Fri, 19 Feb 2010 20:51:00 +0100
+
+libmad (0.15.1b-4) unstable; urgency=low
+
+ * On an invalid mpeg file we can go past the end of the buffer.
+ (Closes: #508133)
+
+ -- Kurt Roeckx Tue, 23 Dec 2008 21:38:34 +0100
+
+libmad (0.15.1b-3) unstable; urgency=low
+
+ * Acknowledge NMU
+ * Use DEB_DH_MAKESHLIBS_ARGS_libmad0 instead to set shlibs.
+ * Update Clément Stenac's email address to use zorglub@debian.org
+ * Add build dependency on autotools-dev, quilt
+ * Don't use -O plus some other -f options, just use -O2. (Closes: #415279)
+ * Use the 64bit fixed point math on amd64 to have a higher quality
+ output than the default. (Closes: #465438)
+ * Bump shlibs since it changes the size of mad_build on amd64.
+ * Add compat file, level 5. Change build dependency of debhelper to 5.
+ * Don't set -lm in the mad.pc file. libmad doesn't use any math function.
+ * Remove libmad0 Depends on pkg-config.
+ * Change to Standards-Version 3.7.3:
+ - Change ${Source-Version} into ${binary:Version}
+
+ -- Kurt Roeckx Sat, 15 Mar 2008 13:51:31 +0000
+
+libmad (0.15.1b-2.1) unstable; urgency=high
+
+ * Non-maintainer upload, not targetted for Sarge.
+ * Urgency high because this is generating uploads with broken depends
+ that may be propagating to testing (see #311488).
+ * debian/rules: set DEB_DH_MAKESHLIBS_ARGS_ALL = -V 'libmad0 (>= 0.15.1b)'
+ to restore the updated shlibs lost in the switch to CDBS
+ (closes: #310311).
+
+ -- Jordi Mallach Wed, 1 Jun 2005 17:12:24 +0200
+
+libmad (0.15.1b-2) unstable; urgency=low
+
+ * Sam Clegg :
+ * debian/control: update Maintainer: and Uploaders: (closes: #300097)
+ * debian/rules: convert to CDBS
+ * debian/control: build-depend on debhelper >= 4.1.0
+ * debian/libmad0.postinst: removed since debhelper runs ldconfig for us.
+ * debian/libmad0*.files: removed; use dh_install instead.
+ * Clément Stenac :
+ * Better copyright file
+ * Kurt Roeckx
+ * Add watch file.
+
+ -- Sam Clegg Sun, 8 May 2005 18:59:49 +0100
+
+libmad (0.15.1b-1.1) unstable; urgency=low
+
+ * Orphaning this package, setting maintainer to QA.
+
+ -- Kyle McMartin Thu, 17 Mar 2005 10:59:11 -0500
+
+libmad (0.15.1b-1) unstable; urgency=low
+
+ * New upstream version. (closes: #252902)
+ * Removed TODO from installed documentation.
+ * Added minimad.c to the libmad0-dev documentation. Thanks to
+ Mario Lang for the patch. (closes: #249067)
+
+ -- Kyle McMartin Sat, 5 Jun 2004 18:52:00 -0400
+
+libmad (0.15.0b-3) unstable; urgency=low
+
+ * Updated section from devel to libdevel as per mail.
+
+ -- Kyle McMartin Tue, 21 Oct 2003 22:40:08 -0400
+
+libmad (0.15.0b-2) unstable; urgency=low
+
+ * Updated pkgconfig Version entry for mad (closes: #203656)
+
+ -- Kyle McMartin Tue, 21 Oct 2003 22:09:04 -0400
+
+libmad (0.15.0b-1) unstable; urgency=low
+
+ * New upstream version(s).
+ * Split package into each library, as upstream has done.
+
+ -- Kyle McMartin Sat, 21 Jun 2003 14:21:42 -0400
+
+mad (0.14.2b-7) unstable; urgency=low
+
+ * Clean up some lintian warnings.
+ * Fixed id3tag.pc, accidently had -L instead of -I.
+
+ -- Kyle McMartin Tue, 28 Jan 2003 09:45:02 -0500
+
+mad (0.14.2b-6) unstable; urgency=medium
+
+ * Updated config.* (closes: #168663)
+
+ -- Kyle McMartin Thu, 14 Nov 2002 18:41:29 -0500
+
+mad (0.14.2b-5) unstable; urgency=medium
+
+ * Added build-dep on libesd0-dev, this should fix some
+ problems people have been having when using esd as the
+ output device... (closes: #150823)
+
+ -- Kyle McMartin Wed, 06 Nov 2002 18:20:18 -0500
+
+mad (0.14.2b-4) unstable; urgency=low
+
+ * added pkgconfig entry, and dependancy on pkg-config. (closes: #144481)
+
+ -- Kyle McMartin Mon, 05 Aug 2002 14:37:00 -0400
+
+mad (0.14.2b-3) unstable; urgency=high
+
+ * updated libid3tag0-dev depends to account for zlib1g-dev (closes: #142611)
+
+ -- Kyle McMartin Thu, 18 Apr 2002 19:37:00 -0500
+
+mad (0.14.2b-2) unstable; urgency=high
+
+ * fix for the shlibs rc bug (closes: #136196)
+
+ -- Kyle McMartin Thu, 28 Feb 2002 18:21:40 -0500
+
+mad (0.14.2b-1) unstable; urgency=low
+
+ * new upstream version
+ * new maintainer
+ * new version fixes enum (closes: #129178)
+ * closing old fixed bug [missing symlink to libmad.so.0] (closes: #119350)
+
+ -- Kyle McMartin Wed, 16 Jan 2002 22:09:58 -0500
+
+mad (0.14.1b-4) unstable; urgency=low
+
+ * yet another stupid maintainer mistakes release
+ * fix the call to dh_makeshlibs, I neglected to add proper
+ arguments for the new libid3tag0 library (closes: #119146)
+ * now that the shlibs are sorted out, madplay will have the correct depends
+ (closes: #119792)
+
+ -- Sean 'Shaleh' Perry Thu, 15 Nov 2001 22:11:24 -0800
+
+mad (0.14.1b-3) unstable; urgency=medium
+
+ * duh, id3tag's headers ended up in libmad-dev. Closes: #118625.
+
+ -- Sean 'Shaleh' Perry Wed, 7 Nov 2001 13:45:53 -0800
+
+mad (0.14.1b-2) unstable; urgency=medium
+
+ * Added versioned depends info for piecemeal updaters. (Closes: #117646)
+
+ -- Sean 'Shaleh' Perry Wed, 7 Nov 2001 08:10:42 -0800
+
+mad (0.14.1b-1) unstable; urgency=low
+
+ * reverted package name to libmad0(-dev). The upstream fixed it's SONAME
+ issues, yay.
+ * added libid3tag(-dev), the upstream now supports the installation of this
+ as a separate entity (closes: #116321)
+ * -dev packages are now in Section: devel (closes: #116710)
+ * supports DEB_BUILD_OPTIONS for debug (closes: #104013)
+
+ -- Sean 'Shaleh' Perry Tue, 23 Oct 2001 11:08:53 -0700
+
+mad (0.14.0b-3) unstable; urgency=low
+
+ * added a conflicts on libmad0 to the lib and -dev packages, closes: #116581
+ * updated config.{sub,guess}, closes: #116577
+
+ -- Sean 'Shaleh' Perry Sun, 21 Oct 2001 16:26:39 -0700
+
+mad (0.14.0b-2) unstable; urgency=low
+
+ * D'oh, not binary compatible. The every changing SONAME problem.
+ * chnaged library package name to match SONAME. This is horrible because
+ now I have to change the package name for every release. However there
+ is no alternative. closes: 116305.
+
+ -- Sean 'Shaleh' Perry Fri, 19 Oct 2001 14:30:29 -0700
+
+mad (0.14.0b-1) unstable; urgency=low
+
+ * New upstream release
+ * source now build-depends on zlib
+
+ -- Sean 'Shaleh' Perry Thu, 18 Oct 2001 21:59:28 -0700
+
+mad (0.13.0b-2.1) unstable; urgency=low
+ * Run libtoolize to get support for new architectures. Closes: #96616
+
+ -- LaMont Jones Mon, 9 Jul 2001 21:39:34 -0600
+
+mad (0.13.0b-2) unstable; urgency=low
+
+ * Now build-depend on gettext (closes: #94964)
+
+ -- Sean 'Shaleh' Perry Mon, 23 Apr 2001 11:29:21 -0700
+
+mad (0.13.0b-1) unstable; urgency=low
+
+ * new upstream release
+ * manpage cleaned up, Closes: #87165
+
+ -- Sean 'Shaleh' Perry Wed, 11 Apr 2001 18:40:08 -0700
+
+mad (0.12.5b-1) unstable; urgency=low
+
+ * New upstream, closes: #92825
+ * updated upstream changelog
+
+ -- Sean 'Shaleh' Perry Tue, 3 Apr 2001 15:11:05 -0700
+
+mad (0.12.4b-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- Sean 'Shaleh' Perry Mon, 12 Feb 2001 14:16:21 -0800
+
+mad (0.12.3b-2) unstable; urgency=low
+
+ * Oops, wrong section
+ * left off the Closes: #84103
+
+ -- Sean 'Shaleh' Perry Thu, 8 Feb 2001 12:17:12 -0800
+
+mad (0.12.3b-1) unstable; urgency=low
+
+ * New upstream version
+ * added a madplay package
+
+ -- Sean 'Shaleh' Perry Wed, 7 Feb 2001 12:04:28 -0800
+
+mad (0.11.4b-1) unstable; urgency=low
+
+ * New upstream release
+ * added libmad0 package containing the shared library
+
+ -- Sean 'Shaleh' Perry Mon, 2 Oct 2000 17:38:01 -0700
+
+mad (0.11.0b-0) unstable; urgency=low
+
+ * New upstream release
+
+ -- Sean 'Shaleh' Perry Mon, 5 Jun 2000 14:25:39 -0700
+
+mad (0.10.3b-0) unstable; urgency=low
+
+ * New upstream release
+
+ -- Sean 'Shaleh' Perry Thu, 1 Jun 2000 15:05:02 -0700
+
+mad (0.10.2b-0) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Sean 'Shaleh' Perry Tue, 23 May 2000 12:25:00 -0700
+
+
--- libmad-0.15.1b.orig/debian/compat
+++ libmad-0.15.1b/debian/compat
@@ -0,0 +1 @@
+5
--- libmad-0.15.1b.orig/debian/control
+++ libmad-0.15.1b/debian/control
@@ -0,0 +1,35 @@
+Source: libmad
+Priority: optional
+Section: sound
+Build-Depends: debhelper (>= 8.1.3~), gettext, cdbs (>= 0.4.93~), autotools-dev, quilt, dh-autoreconf
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Mad Maintainers
+Uploaders: Kurt Roeckx , Sam Clegg
+Standards-Version: 3.7.3
+
+Package: libmad0
+Architecture: any
+Multi-Arch: same
+Section: libs
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: MPEG audio decoder library
+ MAD is an MPEG audio decoder. It currently only supports the MPEG 1
+ standard, but fully implements all three audio layers (Layer I, Layer II,
+ and Layer III, the latter often colloquially known as MP3.)
+ .
+ MAD has the following special features:
+ - 100% fixed-point (integer) computation
+ - completely new implementation based on the ISO/IEC 11172-3 standard
+ - distributed under the terms of the GNU General Public License (GPL)
+
+Package: libmad0-dev
+Architecture: any
+Section: libdevel
+Depends: libmad0 (=${binary:Version}), ${misc:Depends}
+Description: MPEG audio decoder development library
+ MAD is an MPEG audio decoder. It currently only supports the MPEG 1
+ standard, but fully implements all three audio layers (Layer I, Layer II,
+ and Layer III, the latter often colloquially known as MP3.)
+ .
+ This is the package you need to develop or compile applications that use MAD.
--- libmad-0.15.1b.orig/debian/copyright
+++ libmad-0.15.1b/debian/copyright
@@ -0,0 +1,26 @@
+This package was debianized by Sean 'Shaleh' Perry on
+Tue, 23 May 2000 12:25:00 -0700.
+
+It was downloaded from http://www.underbit.com/products/mad/
+
+Upstream Author: Robert Leslie
+
+Copyright (C) 2000-2004 Underbit Technologies, Inc.
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2, or (at your option) any
+later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
--- libmad-0.15.1b.orig/debian/libmad0-dev.dirs
+++ libmad-0.15.1b/debian/libmad0-dev.dirs
@@ -0,0 +1,2 @@
+usr/lib
+usr/include
--- libmad-0.15.1b.orig/debian/libmad0-dev.docs
+++ libmad-0.15.1b/debian/libmad0-dev.docs
@@ -0,0 +1,2 @@
+CREDITS
+README
--- libmad-0.15.1b.orig/debian/libmad0-dev.examples
+++ libmad-0.15.1b/debian/libmad0-dev.examples
@@ -0,0 +1 @@
+minimad.c
--- libmad-0.15.1b.orig/debian/libmad0-dev.files
+++ libmad-0.15.1b/debian/libmad0-dev.files
@@ -0,0 +1,4 @@
+usr/include/mad.h
+usr/lib/libmad.a
+usr/lib/libmad.la
+usr/lib/libmad.so
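Review bot: This list still names `usr/lib/libmad.la` and non-multiarch `usr/lib/` paths, which disagrees with libmad0-dev.install (`debian/tmp/usr/lib/*/libmad.a`, no `.la` entry). It also disagrees with the changelog entries saying the `.files` lists were replaced by dh_install and that libmad.la was dropped. If nothing reads `*.files` any more, this file and debian/libmad0.files are dead packaging input and should be removed so there is one authoritative install list.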
--- libmad-0.15.1b.orig/debian/libmad0-dev.install
+++ libmad-0.15.1b/debian/libmad0-dev.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/include/mad.h /usr/include
+debian/tmp/usr/lib/*/libmad.a
+debian/tmp/usr/lib/*/libmad.so
--- libmad-0.15.1b.orig/debian/libmad0.dirs
+++ libmad-0.15.1b/debian/libmad0.dirs
@@ -0,0 +1 @@
+usr/lib
--- libmad-0.15.1b.orig/debian/libmad0.docs
+++ libmad-0.15.1b/debian/libmad0.docs
@@ -0,0 +1,2 @@
+CREDITS
+README
--- libmad-0.15.1b.orig/debian/libmad0.files
+++ libmad-0.15.1b/debian/libmad0.files
@@ -0,0 +1 @@
+usr/lib/libmad.so.*
--- libmad-0.15.1b.orig/debian/libmad0.install
+++ libmad-0.15.1b/debian/libmad0.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/*/libmad.so.*
--- libmad-0.15.1b.orig/debian/mad.pc
+++ libmad-0.15.1b/debian/mad.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: mad
+Description: MPEG Audio Decoder
+Requires:
+Version: 0.15.0b
+Libs: -L${libdir} -lmad
+Cflags: -I${includedir}
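Review bot: `Version: 0.15.0b` does not match the 0.15.1b source this packaging ships, so `pkg-config --modversion mad` and version-constrained checks see the wrong release. It should read `Version: 0.15.1b` or be generated from the package version at build time. `libdir=${exec_prefix}/lib` also points at the non-multiarch directory, while libmad0-dev.install takes the library from `usr/lib/*/`. Unless debian/rules (not shown here) rewrites the file, `-L${libdir}` names a directory that does not hold libmad.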
--- libmad-0.15.1b.orig/debian/patches/Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
+++ libmad-0.15.1b/debian/patches/Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
@@ -0,0 +1,34 @@
+From: Dave Martin
+Subject: "rsc" doesnt exist anymore in thumb2
+
+diff --git a/fixed.h b/fixed.h
+index 4b58abf..ba4bc26 100644
+--- a/fixed.h
++++ b/fixed.h
+@@ -275,12 +275,25 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t x, mad_fixed_t y)
+ : "+r" (lo), "+r" (hi) \
+ : "%r" (x), "r" (y))
+
++#ifdef __thumb__
++/* In Thumb-2, the RSB-immediate instruction is only allowed with a zero
++ operand. If needed this code can also support Thumb-1
++ (simply append "s" to the end of the second two instructions). */
++# define MAD_F_MLN(hi, lo) \
++ asm ("rsbs %0, %0, #0\n\t" \
++ "sbc %1, %1, %1\n\t" \
++ "sub %1, %1, %2" \
++ : "+&r" (lo), "=&r" (hi) \
++ : "r" (hi) \
++ : "cc")
++#else /* ! __thumb__ */
+ # define MAD_F_MLN(hi, lo) \
+ asm ("rsbs %0, %2, #0\n\t" \
+ "rsc %1, %3, #0" \
+- : "=r" (lo), "=r" (hi) \
++ : "=&r" (lo), "=r" (hi) \
+ : "0" (lo), "1" (hi) \
+ : "cc")
++#endif /* __thumb__ */
+
+ # define mad_f_scale64(hi, lo) \
+ ({ mad_fixed_t __result; \
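Review bot: The new branch is selected by `#ifdef __thumb__`, which compilers also define for Thumb-1 builds, yet the comment in the same hunk says the sequence needs an `s` suffix on the last two instructions before it is valid Thumb-1. Either narrow the guard to `#if defined(__thumb2__)` with an explicit `#error` or C fallback for Thumb-1, or provide the suffixed variant under its own guard, so a Thumb-1 build fails with a clear message instead of an assembler error. The patch header also gives no reason for the change from `"=r" (lo)` to `"=&r" (lo)` in the non-Thumb branch; a line of rationale would help anyone auditing the constraint later.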
--- libmad-0.15.1b.orig/debian/patches/amd64-64bit.diff
+++ libmad-0.15.1b/debian/patches/amd64-64bit.diff
@@ -0,0 +1,12 @@
+Index: libmad-0.15.1b/configure.ac
+===================================================================
+--- libmad-0.15.1b.orig/configure.ac 2008-03-07 20:33:05.000000000 +0000
++++ libmad-0.15.1b/configure.ac 2008-03-07 20:33:31.000000000 +0000
+@@ -233,6 +233,7 @@
+ then
+ case "$host" in
+ i?86-*) FPM="INTEL" ;;
++ x86_64*) FPM="64BIT" ;;
+ arm*-*) FPM="ARM" ;;
+ mips*-*) FPM="MIPS" ;;
+ sparc*-*) FPM="SPARC" ;;
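Review bot: This patch carries no description, although selecting `FPM="64BIT"` for `x86_64*` hosts changes the fixed-point implementation and, according to the 0.15.1b-3 changelog entry, the size of mad_build, which is why shlibs was bumped. A short header (author, the Debian bug it closes, and a sentence on the ABI effect) would let someone auditing the patch stack see that the ABI change is intentional. The `x86_64*` pattern presumably also matches x32 host triplets; if that is intended it is worth stating.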
--- libmad-0.15.1b.orig/debian/patches/length-check.patch
+++ libmad-0.15.1b/debian/patches/length-check.patch
@@ -0,0 +1,817 @@
+From: Kurt Roeckx
+Date: Sun, 28 Jan 2018 19:26:36 +0100
+Subject: Check the size before reading with mad_bit_read
+
+There are various cases where it attemps to read past the end of the buffer
+using mad_bit_read(). Most functions didn't even know the size of the buffer
+they were reading from.
+
+Index: libmad-0.15.1b/bit.c
+===================================================================
+--- libmad-0.15.1b.orig/bit.c
++++ libmad-0.15.1b/bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
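Review bot: The new `len == 0` early return has no comment, and its purpose is not obvious from mad_bit_read alone. Without it, a zero-length read with `bitptr->left == CHAR_BIT` still executes `bitptr->cache = *bitptr->byte`, dereferencing a byte that may sit just past the end of the buffer. Other parts of this patch clamp read sizes to the bits remaining, which can yield zero. I would add `/* a zero-bit read must not touch *bitptr->byte, which may point past the buffer */` above the check. The function body continues outside the hunk.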
+Index: libmad-0.15.1b/frame.c
+===================================================================
+--- libmad-0.15.1b.orig/frame.c
++++ libmad-0.15.1b/frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
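Review bot: With the added `(end - ptr >= 2) &&`, a position with fewer than two bytes left makes the condition false, so the code continues as if a valid sync word had been seen. Here the preceding branch already bails out with MAD_ERROR_BUFLEN (its condition is outside the hunk), so the case may be unreachable. The same guard at the `ptr = stream->next_frame` check further down, however, accepts a frame whose successor header cannot be inspected. That avoids the out-of-bounds read of `ptr[1]`, but a comment should say that skipping the check is intended, for example `/* too short to hold a sync word: skip the look-ahead rather than read past end */`, or the short case should report MAD_ERROR_BUFLEN instead.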
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
+Index: libmad-0.15.1b/layer12.c
+===================================================================
+--- libmad-0.15.1b.orig/layer12.c
++++ libmad-0.15.1b/layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+ /* check CRC word */
+
+ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
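Review bot: A buffer too short for the CRC span is reported as `MAD_ERROR_BADCRC`, whereas the equivalent length checks in decode_header use `MAD_ERROR_BUFLEN`, so a caller cannot tell corrupt data from a short buffer. The length expression `4 * (bound * nch + (32 - bound))` is also written twice, once in the check and once in the mad_bit_crc call, so the two can drift apart. Computing it once, e.g. `unsigned int crc_bits = 4 * (bound * nch + (32 - bound));`, and using it in both places keeps the bound and the read in step. This check measures against `stream->bufend` while the later reads in this function measure against `stream->next_frame`; a comment on why the limits differ would help.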
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ?
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
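Review bot: The `mad_bit_length(&stream->ptr, &frameend_ptr) < nb` test added before `I_sample(&stream->ptr, nb, stream)` repeats the check I_sample now performs itself, with the same limit (`stream->next_frame`) and the same error and sync handling. The call in the `sb < bound` loop above relies on I_sample's check plus `if (stream->error != 0) return -1;` alone, so the two call sites are inconsistent. Dropping the pre-check here leaves one place that enforces the bound. The `stream->error != 0` test also depends on the error field being cleared before decoding starts, which this patch does in mad_header_decode; a comment at the test would record that dependency.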
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+- if (allocation[ch][sb])
++ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ }
+ }
+ }
+
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+
+ switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+ break;
+
+ case 0:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ /* fall through */
+
+ case 1:
+ case 3:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ }
+
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[ch][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (s = 0; s < 3; ++s) {
+ frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[0][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ for (s = 0; s < 3; ++s) {
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
+ static
+ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ struct channel *channel,
+- struct channel *gr1ch, int mode_extension)
++ struct channel *gr1ch, int mode_extension,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int scalefac_compress, index, slen[4], part, n, i;
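Review bot: III_scalefactors_lsf keeps the return type `unsigned int` but, after this patch, returns `MAD_ERROR_BADSCFSI` or `MAD_ERROR_NONE` and delivers the bit count through `*part2_length`. Declaring it `enum mad_error III_scalefactors_lsf(...)`, as III_huffdecode is declared, would stop a caller from treating the result as a length; the same applies to III_scalefactors further down. The description comment above each function (outside these hunks) should be updated to say that `*part2_length` is written only on success. Because `bits_left` is unsigned, the `bits_left < slen[part]` test before each subtraction is what prevents wrap-around, so it must stay ahead of the read.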
+@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
+
+ n = 0;
+ for (part = 0; part < 4; ++part) {
+- for (i = 0; i < nsfb[part]; ++i)
++ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
++ }
+ }
+
+ while (n < 39)
+@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
+ max = (1 << slen[part]) - 1;
+
+ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ is_pos = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
+
+ channel->scalefac[n] = is_pos;
+ gr1ch->scalefac[n++] = (is_pos == max);
+@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
+ }
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
+ */
+ static
+ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+- struct channel const *gr0ch, unsigned int scfsi)
++ struct channel const *gr0ch, unsigned int scfsi,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int slen1, slen2, sfbi;
+@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
+ sfbi = 0;
+
+ nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+
+ nsfb = 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+
+ nsfb = 1 * 3;
+ while (nsfb--)
+@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 0; sfbi < 6; ++sfbi)
++ for (sfbi = 0; sfbi < 6; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x4) {
+@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 6; sfbi < 11; ++sfbi)
++ for (sfbi = 6; sfbi < 11; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x2) {
+@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 11; sfbi < 16; ++sfbi)
++ for (sfbi = 11; sfbi < 16; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ if (scfsi & 0x1) {
+@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 16; sfbi < 21; ++sfbi)
++ for (sfbi = 16; sfbi < 21; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ channel->scalefac[21] = 0;
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -933,19 +968,17 @@ static
+ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ struct channel *channel,
+ unsigned char const *sfbwidth,
+- unsigned int part2_length)
++ signed int part3_length)
+ {
+ signed int exponents[39], exp;
+ signed int const *expptr;
+ struct mad_bitptr peek;
+- signed int bits_left, cachesz;
++ signed int bits_left, cachesz, fakebits;
+ register mad_fixed_t *xrptr;
+ mad_fixed_t const *sfbound;
+ register unsigned long bitcache;
+
+- bits_left = (signed) channel->part2_3_length - (signed) part2_length;
+- if (bits_left < 0)
+- return MAD_ERROR_BADPART3LEN;
++ bits_left = part3_length;
+
+ III_exponents(channel, sfbwidth, exponents);
+
+@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
+ cachesz = mad_bit_bitsleft(&peek);
+ cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+
++ if (bits_left < cachesz) {
++ cachesz = bits_left;
++ }
+ bitcache = mad_bit_read(&peek, cachesz);
+ bits_left -= cachesz;
++ fakebits = 0;
+
+ xrptr = &xr[0];
+
+@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
+
+ big_values = channel->big_values;
+
+- while (big_values-- && cachesz + bits_left > 0) {
++ while (big_values-- && cachesz + bits_left - fakebits > 0) {
+ union huffpair const *pair;
+ unsigned int clumpsz, value;
+ register mad_fixed_t requantized;
+@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
+ unsigned int bits;
+
+ bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
++ if (bits_left < bits) {
++ bits = bits_left;
++ }
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
+ }
++ if (cachesz < 21) {
++ unsigned int bits = 21 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
++ }
+
+ /* hcod (0..19) */
+
+@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ cachesz -= pair->value.hlen;
++ if (cachesz < fakebits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ if (linbits) {
+ /* x (0..14) */
+@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
+
+ case 15:
+ if (cachesz < linbits + 2) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ x_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
+
+ case 15:
+ if (cachesz < linbits + 1) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ y_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
+ }
+ }
+
+- if (cachesz + bits_left < 0)
+- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
+-
+ /* count1 */
+ {
+ union huffquad const *table;
+@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
+
+ requantized = III_requantize(1, exp);
+
+- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
++ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
+ union huffquad const *quad;
+
+ /* hcod (1..6) */
+
+ if (cachesz < 10) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
++ }
++ if (cachesz < 10) {
++ unsigned int bits = 10 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
+ }
+
+ quad = &table[MASK(bitcache, cachesz, 4)];
+@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
+ MASK(bitcache, cachesz, quad->ptr.bits)];
+ }
+
++ if (cachesz - fakebits < quad->value.hlen + quad->value.v
++ + quad->value.w + quad->value.x + quad->value.y)
++ /* We don't have enough bits to read one more entry, consider them
++ * stuffing bits. */
++ break;
+ cachesz -= quad->value.hlen;
+
+ if (xrptr == sfbound) {
+@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
+
+ xrptr += 2;
+ }
+-
+- if (cachesz + bits_left < 0) {
+-# if 0 && defined(DEBUG)
+- fprintf(stderr, "huffman count1 overrun (%d bits)\n",
+- -(cachesz + bits_left));
+-# endif
+-
+- /* technically the bitstream is misformatted, but apparently
+- some encoders are just a bit sloppy with stuffing bits */
+-
+- xrptr -= 4;
+- }
+ }
+
+- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
+-
+ # if 0 && defined(DEBUG)
+ if (bits_left < 0)
+ fprintf(stderr, "read %d bits too many\n", -bits_left);
+@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
+ */
+ static
+ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+- struct sideinfo *si, unsigned int nch)
++ struct sideinfo *si, unsigned int nch, unsigned int md_len)
+ {
+ struct mad_header *header = &frame->header;
+ unsigned int sfreqi, ngr, gr;
++ int bits_left = md_len * CHAR_BIT;
+
+ {
+ unsigned int sfreq;
+@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
+ for (ch = 0; ch < nch; ++ch) {
+ struct channel *channel = &granule->ch[ch];
+ unsigned int part2_length;
++ unsigned int part3_length;
+
+ sfbwidth[ch] = sfbwidth_table[sfreqi].l;
+ if (channel->block_type == 2) {
+@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
+ }
+
+ if (header->flags & MAD_FLAG_LSF_EXT) {
+- part2_length = III_scalefactors_lsf(ptr, channel,
++ error = III_scalefactors_lsf(ptr, channel,
+ ch == 0 ? 0 : &si->gr[1].ch[1],
+- header->mode_extension);
++ header->mode_extension, bits_left, &part2_length);
+ }
+ else {
+- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+- gr == 0 ? 0 : si->scfsi[ch]);
++ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
++ gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
+ }
++ if (error)
++ return error;
++
++ bits_left -= part2_length;
+
+- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
++ if (part2_length > channel->part2_3_length)
++ return MAD_ERROR_BADPART3LEN;
++
++ part3_length = channel->part2_3_length - part2_length;
++ if (part3_length > bits_left)
++ return MAD_ERROR_BADPART3LEN;
++
++ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
+ if (error)
+ return error;
++ bits_left -= part3_length;
+ }
+
+ /* joint stereo processing */
+@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
+ unsigned int nch, priv_bitlen, next_md_begin = 0;
+ unsigned int si_len, data_bitlen, md_len;
+ unsigned int frame_space, frame_used, frame_free;
+- struct mad_bitptr ptr;
++ struct mad_bitptr ptr, bufend_ptr;
+ struct sideinfo si;
+ enum mad_error error;
+ int result = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* allocate Layer III dynamic structures */
+
+ if (stream->main_data == 0) {
+@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
+ unsigned long header;
+
+ mad_bit_init(&peek, stream->next_frame);
++ if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
++ header = mad_bit_read(&peek, 32);
++ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
++ if (!(header & 0x00010000L)) /* protection_bit */
++ mad_bit_skip(&peek, 16); /* crc_check */
+
+- header = mad_bit_read(&peek, 32);
+- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+- if (!(header & 0x00010000L)) /* protection_bit */
+- mad_bit_skip(&peek, 16); /* crc_check */
+-
+- next_md_begin =
+- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ next_md_begin =
++ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ }
+ }
+
+ mad_bit_finish(&peek);
+@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
+ /* decode main_data */
+
+ if (result == 0) {
+- error = III_decode(&ptr, frame, &si, nch);
++ error = III_decode(&ptr, frame, &si, nch, md_len);
+ if (error) {
+ stream->error = error;
+ result = -1;
--- libmad-0.15.1b.orig/debian/patches/libmad.thumb.diff
+++ libmad-0.15.1b/debian/patches/libmad.thumb.diff
@@ -0,0 +1,14 @@
+From: Konstantinos Margaritis
+Subject: use "adr" instead of "add" to make code ready for thumb2
+
+--- ./imdct_l_arm.S.orig 2010-02-25 13:25:23.000000000 +0100
++++ ./imdct_l_arm.S 2010-02-25 13:27:26.000000000 +0100
+@@ -468,7 +468,7 @@
+
+ @----
+
+- add r2, pc, #(imdct36_long_karray-.-8) @ r2 = base address of Knn array (PIC safe ?)
++ adr r2, imdct36_long_karray
+
+
+ loop:
--- libmad-0.15.1b.orig/debian/patches/md_size.diff
+++ libmad-0.15.1b/debian/patches/md_size.diff
@@ -0,0 +1,58 @@
+From: Kurt Roeckx
+Date: Sun, 28 Jan 2018 15:44:08 +0100
+Subject: Check the size of the main data
+
+The main data to decode a frame can come from the current frame and part of the
+previous frame, the so called bit reservoir. si.main_data_begin is the part of
+the previous frame we need for this frame. frame_space is the amount of main
+data that can be in this frame, and next_md_begin is the part of this frame that
+is going to be used for the next frame.
+
+The maximum amount of data from a previous frame that the format allows is 511
+bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
+at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
+So those defines are not large enough:
+ # define MAD_BUFFER_GUARD 8
+ # define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)
+
+There is also support for a "free" bitrate which allows you to create any frame
+size, which can be larger than the buffer.
+
+Changing the defines is not an option since it's part of the ABI, so we check
+that the main data fits in the bufer.
+
+The previous frame data is stored in *stream->main_data and contains
+stream->md_len bytes. If stream->md_len is larger than the data we
+need from the previous frame (si.main_data_begin) it still wouldn't fit
+in the buffer, so just keep the data that we need.
+
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
+ next_md_begin = 0;
+
+ md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ frame_used = 0;
+
+@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
+ }
+ }
+ else {
+- mad_bit_init(&ptr,
+- *stream->main_data + stream->md_len - si.main_data_begin);
++ memmove(stream->main_data,
++ *stream->main_data + stream->md_len - si.main_data_begin,
++ si.main_data_begin);
++ stream->md_len = si.main_data_begin;
++ mad_bit_init(&ptr, *stream->main_data);
+
+ if (md_len > si.main_data_begin) {
+ assert(stream->md_len + md_len -
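Review bot: The new bound in mad_layer_III is written as `md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN` with an unsigned `md_len`, so the addition itself could wrap if `md_len` were ever close to UINT_MAX. Writing it as `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD) {` keeps the comparison wrap-free. The clamp on `next_md_begin` sits just above the hunk and is only partly visible, so whether such a value is reachable cannot be confirmed from here. The second hunk still ends on the `assert(stream->md_len + md_len - ...)` that precedes the copy, and an assert disappears in NDEBUG builds. A short comment at the new check, e.g. `/* main data must fit in main_data[MAD_BUFFER_MDLEN]; the size is ABI and cannot grow */`, would record that this runtime test is now what protects the buffer.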
--- libmad-0.15.1b.orig/debian/patches/mips-gcc4.4.diff
+++ libmad-0.15.1b/debian/patches/mips-gcc4.4.diff
@@ -0,0 +1,25 @@
+From: Aurelien Jarno
+Subject: Different constraints for mips with gcc-4.4
+
+This asm constraints has been removed from gcc 4.4, that's why it was not
+failing before. See http://gcc.gnu.org/gcc-4.4/changes.html for more
+details, including a description of the new way to do it.
+
+--- libmad-0.15.1b.orig/fixed.h
++++ libmad-0.15.1b/fixed.h
+@@ -297,6 +297,14 @@
+
+ /* --- MIPS ---------------------------------------------------------------- */
+
++# elif defined(FPM_MIPS) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4))
++ typedef unsigned int u64_di_t __attribute__ ((mode (DI)));
++# define MAD_F_MLX(hi, lo, x, y) \
++ do { \
++ u64_di_t __ll = (u64_di_t) (x) * (y); \
++ hi = __ll >> 32; \
++ lo = __ll; \
++ } while (0)
+ # elif defined(FPM_MIPS)
+
+ /*
+
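Review bot: The typedef `u64_di_t` added in the new FPM_MIPS branch carries no library prefix, and fixed.h looks like a header that applications end up including (presumably through mad.h), so the name can collide with one in client code. `typedef unsigned int mad_u64_di_t __attribute__ ((mode (DI)));` with the macro updated to match would avoid that. The branch also has no comment saying why it exists next to the older FPM_MIPS variant; one line such as `/* gcc >= 4.4: the asm constraint used by the variant below was removed, multiply in 64 bits instead */` would keep the reason in the header rather than only in the patch description.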
--- libmad-0.15.1b.orig/debian/patches/optimize.diff
+++ libmad-0.15.1b/debian/patches/optimize.diff
@@ -0,0 +1,77 @@
+Index: libmad-0.15.1b/configure.ac
+===================================================================
+--- libmad-0.15.1b.orig/configure.ac 2008-03-07 20:31:23.000000000 +0000
++++ libmad-0.15.1b/configure.ac 2008-03-07 20:34:26.000000000 +0000
+@@ -124,71 +124,7 @@
+
+ if test "$GCC" = yes
+ then
+- if test -z "$arch"
+- then
+- case "$host" in
+- i386-*) ;;
+- i?86-*) arch="-march=i486" ;;
+- arm*-empeg-*) arch="-march=armv4 -mtune=strongarm1100" ;;
+- armv4*-*) arch="-march=armv4 -mtune=strongarm" ;;
+- powerpc-*) ;;
+- mips*-agenda-*) arch="-mcpu=vr4100" ;;
+- mips*-luxsonor-*) arch="-mips1 -mcpu=r3000 -Wa,-m4010" ;;
+- esac
+- fi
+-
+- case "$optimize" in
+- -O|"-O "*)
+- optimize="-O"
+- optimize="$optimize -fforce-mem"
+- optimize="$optimize -fforce-addr"
+- : #x optimize="$optimize -finline-functions"
+- : #- optimize="$optimize -fstrength-reduce"
+- optimize="$optimize -fthread-jumps"
+- optimize="$optimize -fcse-follow-jumps"
+- optimize="$optimize -fcse-skip-blocks"
+- : #x optimize="$optimize -frerun-cse-after-loop"
+- : #x optimize="$optimize -frerun-loop-opt"
+- : #x optimize="$optimize -fgcse"
+- optimize="$optimize -fexpensive-optimizations"
+- optimize="$optimize -fregmove"
+- : #* optimize="$optimize -fdelayed-branch"
+- : #x optimize="$optimize -fschedule-insns"
+- optimize="$optimize -fschedule-insns2"
+- : #? optimize="$optimize -ffunction-sections"
+- : #? optimize="$optimize -fcaller-saves"
+- : #> optimize="$optimize -funroll-loops"
+- : #> optimize="$optimize -funroll-all-loops"
+- : #x optimize="$optimize -fmove-all-movables"
+- : #x optimize="$optimize -freduce-all-givs"
+- : #? optimize="$optimize -fstrict-aliasing"
+- : #* optimize="$optimize -fstructure-noalias"
+-
+- case "$host" in
+- arm*-*)
+- optimize="$optimize -fstrength-reduce"
+- ;;
+- mips*-*)
+- optimize="$optimize -fstrength-reduce"
+- optimize="$optimize -finline-functions"
+- ;;
+- i?86-*)
+- optimize="$optimize -fstrength-reduce"
+- ;;
+- powerpc-apple-*)
+- # this triggers an internal compiler error with gcc2
+- : #optimize="$optimize -fstrength-reduce"
+-
+- # this is really only beneficial with gcc3
+- : #optimize="$optimize -finline-functions"
+- ;;
+- *)
+- # this sometimes provokes bugs in gcc 2.95.2
+- : #optimize="$optimize -fstrength-reduce"
+- ;;
+- esac
+- ;;
+- esac
++ optimize="-O2"
+ fi
+
+ case "$host" in
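Review bot: `optimize="-O2"` is now assigned unconditionally inside the `"$GCC" = yes` branch, whereas the removed code only rewrote `$optimize` when it matched `-O` or `-O ...`. A level chosen by the builder (for example `-O0` for a noopt build, if configure.ac derives `$optimize` from CFLAGS, which is outside the hunk) therefore appears to be overwritten. If the intent is only to drop the obsolete per-architecture and per-pass flags, `test -n "$optimize" || optimize="-O2"` keeps a caller-supplied value. The patch also has no From/Subject header, unlike the other files under debian/patches, so the reason for the change is not recorded with it.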
--- libmad-0.15.1b.orig/debian/patches/series
+++ libmad-0.15.1b/debian/patches/series
@@ -0,0 +1,7 @@
+optimize.diff
+amd64-64bit.diff
+Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff
+libmad.thumb.diff
+mips-gcc4.4.diff
+md_size.diff
+length-check.patch
--- libmad-0.15.1b.orig/debian/rules
+++ libmad-0.15.1b/debian/rules
@@ -0,0 +1,33 @@
+#!/usr/bin/make -f
+# makefile for libmad
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_DH_MAKESHLIBS_ARGS_libmad0 = -V 'libmad0 (>= 0.15.1b-3)'
+
+include /usr/share/dpkg/architecture.mk
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
+include /usr/share/cdbs/1/rules/autoreconf.mk
+
+export AUTOMAKE = automake --foreign
+
+DEB_CONFIGURE_EXTRA_FLAGS=--enable-shared --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+DEB_CONFIGURE_EXTRA_FLAGS += --enable-profiling --enable-debugging
+else
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-profiling --disable-debugging
+endif
+
+ifneq (,$(findstring $(DEB_HOST_ARCH),armel armhf))
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-aso
+endif
+
+clean::
+ # annoying lintian errors
+ rm -f config.cache libz/config.log libz/config.status
+
+install/libmad0-dev::
+ install -m644 -D debian/mad.pc debian/libmad0-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/mad.pc
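Review bot: The ARM test `ifneq (,$(findstring $(DEB_HOST_ARCH),armel armhf))` is a substring search, so any value that happens to be a fragment of `armel armhf` also passes `--disable-aso`. `ifneq (,$(filter $(DEB_HOST_ARCH),armel armhf))` matches whole architecture names only. The same applies to `$(findstring debug,$(DEB_BUILD_OPTIONS))`, which fires on any option that merely contains `debug`; `$(filter debug,$(DEB_BUILD_OPTIONS))` is the exact form. The `clean::` recipe removes `libz/config.log` and `libz/config.status`, which looks carried over from another package and may be dead here.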
--- libmad-0.15.1b.orig/debian/watch
+++ libmad-0.15.1b/debian/watch
@@ -0,0 +1,2 @@
+version=2
+ftp://ftp.mars.org/mpeg/libmad-(.*)\.tar\.gz debian uupdate
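Review bot: The watch line fetches upstream tarballs over plain `ftp://` and declares no signature check, so a new upstream release picked up through uscan and `uupdate` is authenticated neither in transit nor at rest. If upstream offers an HTTPS location or detached signatures (not visible here), the URL should move to it and a signature rule such as uscan's `pgpsigurlmangle` option be added, with the upstream key in `debian/upstream/signing-key.asc`. Until then the tarball checksum should be compared against an independently obtained value before importing.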