Enlightened Sound Daemon was one of the earlier solutions to the old
"multiple programs can't open /dev/audio at once" problem that was once
a thing we had to worry about.
Eventually, it was adopted as part of GNOME. GNOME lost interest in it
about a decade ago and dropped it in favour of PulseAudio, newer
applications are generally uninterested in supporting it. Last release
was in 2008 and support for newer OS APIs is pretty nonexistent.
Several years ago the original website disappeared.
https://en.wikipedia.org/wiki/Enlightened_Sound_Daemonhttps://tracker.debian.org/news/999428/removed-0241-11-from-unstable/
This is a bugfix release solely for bug 280 in the parser:
libmpg123
Reset the flag for having a frame to decode before trying to parse a new one. This prevents very unkind behaviour (crashes) when combinging mpg123_scan() with decoding later on for damaged streams that have a mixture of different MPEG versions.
libmpg123:
Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames (oss-fuzz-bug 15975). The earlier fix around the same location needed one thought more. Actually, another though was needed, oss-fuzz-bug 16009 documents the incomplete fix.
Fix an invalid write of one zero byte for empty ID3v2 frames that demand de-unsyncing (oss-fuzz-bug 16050).
Correct preprocessor syntax in mangle.h, no #error in a #define line. (bug 273, thanks to nmlgc).
libmpg123:
* Fix out-of-bounds reads in ID3 parser for unsynced frames. (oss-fuzz-bug 15852)
* Fix out-of-bounds read for RVA2 frames with non-delimited identifier. (oss-fuzz-bug 15852)
* Fix implementation-defined parsing of RVA2 values. (oss-fuzz-bug 15862)
* Fix undefined parsing of APE header for skipping. Also prevent endless loop on premature end of supposed APE header. (oss-fuzz-bug 15864)
* Fix some syntax to make pedantic compiler happy.
The serious bugs trigger Denial of Service either via the nasty endless
loop in supposed APE tags or by crashes if the invalid reads hit a
diagnostic by the OS or, more likely, a security mechanism like the
sanitizer instrumentation that enabled finding the bugs.
I do not have CVE numbers for these bugs.
I rather fix the bugs than name them. Just update, will you?
There briefly was a 1.25.9 release which was superseeded by 1.25.10 before a public announcement. Both amount to these fixes:
libout123: Fix error messages beginning from OUT123_ARG_ERROR (bug 261).
mpg123: Fix --icy-interval handling to work with stream from stdin. (curl | mpg123 --icy-interval=n -)
libmpg123: Fix another invalid read and segfault on damaged (fuzzed) files with part2_3_length == 0 (set maxband=1, pulled from upcoming 1.26.0).
1.25.8
------
- mpg123:
-- Also disable cursor/video games for empty TERM (not just unset and dumb).
- libmpg123:
-- Accept changing mode extension bits when looking for next header for
detecting free-format streams (bug 257).
-- Fix compute_bpf() for free format streams (needed to estimate track
length and working fuzzy seeking in absence of an Info tag).
1.25.7
------
- mpg123:
-- Do not play with cursor and inverse video for progress bar
when TERM=dumb.
-- Fix parsing of host port for numerical IPv6 addresses (just did
not work before, only for textual host names).
- libmpg123:
-- Proper fix for the xrpnt overflow problems by correctly
initialising certain tables for MPEG 2.x layer III. The checks that
catch the resulting overflow are still in place, but likely superfluous
now. Note that this means certain valid files would have been misdecoded
before, if anyone actually produced them. Thanks to Robert Hegemann for
the fix!
-- Silently handle granules with part2_3_length == 0, but
scalefac_compress != 0 (ignore the latter).
1.25.5
------
- Avoid another buffer read overflow in the ID3 parser on 32 bit platforms
(bug 254).
1.25.4
------
- Better configure checks for i?86-apple-darwin (bug 253).
- libmpg123:
-- Prevent harmless call to memcpy(NULL, NULL, 0).
-- More early checking of ID3v2 encoding values to avoid bogus text being
stored.
1.25.3
------
- libmpg123:
-- Better checks for xrpnt overflow in III_dequantize_sample() before each
use, avoiding false positives and catching cases that were rendered
harmless by alignment-enlarged buffers.
1.25.2
------
- libmpg123:
-- Extend pow tables for layer III to properly handle files with i-stereo and
5-bit scalefactors. Never observed them for real, just as fuzzed input to
trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
calling remote denial of service. While the accesses are out of bounds for
the pow tables, they still are safely within libmpg123's memory (other
static tables). Just wrong values are used for computation, no actual crash
unless you use something like GCC's AddressSanitizer, nor any information
disclosure.
-- Avoid left-shifts of negative integers in layer I decoding.
1.25.1: Hot Fuzz
-------
- libmpg123:
-- Avoid memset(NULL, 0, 0) to calm down the paranoid.
-- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
offset from the frame flag bytes (unnoticed in practice for a long
time). Fuzzers are in the house again. This one got CVE-2017-10683.
-- Avoid a mostly harmless conditional jump depending on uninitialised
fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
-- Fix undefined shifts on signed long mask in layer3.c (worked in practice,
never right in theory). Code might be a bit faster now, even.
Thanks to Agostino Sarubbo for reporting.
1.25.0: MP3 now patent-free worldwide!
-------
- Silence test for artsc-config if it is not there.
- Make sure -static-libgcc from LDFLAGS gets through libtool,
fixing 32 bit Windows builds (depend on libgcc DLL otherwise).
- Fix build with non-GNU make by using plain rm -f instead of silly $(RM)
in libout123/modules makefile fragment.
- Make build work on iOS, including coreaudio backend.
- libmpg123:
-- Finally provide position-independent code for x86 with assembly
optimisations.The textrels are gone thanks to Won Kyu Park and Taihei Momma.
-- Clarify some license language in files descending from the original MMX
optimisation.
-- Fix return value overflow check for MPG123_BUFFERFILL.
-- Introduced mpg123_getformat2() to enable the FORMAT command
for the generic control not stealing MPG123_NEW_FORMAT from the main
playback loop. The sequence LOADPAUSED-FORMAT-PAUSE (play) is supposed
to work now.
-- Enable aarch64 optimisations on *BSD by default, too. You can always
override that stupid OS whitelist using --with-optimization, anyway.
-- Use of the i486 decoder is now discouraged more prominently, in configure
output.
- out123: Fix stupid crash with verbose mode and tone generation (print
the string if the pointer is non-null, not if it is null).
- libout123: More consistent error messages for dynamic and legacy
(built-in) modules. Namely, you get a hint how if you choose a different
module than the built-in ones for a static libout123.
------
- Avoid repeating genre in metadata printout for specifications like
(144)Thrash Metal.
- In remote control mode, only enforce --quiet if no verbosity was required.
- Prevent --loop and --shuffle or --random from messing with the remote
control LOADLIST command (printout of the list would loop without reason).
- Fix the mpg123 command (esp. our provided binaries on Windows) to now find
modules again relative to the executable directory, not the current working
directory. This was a regression in 1.23 and might be security-relevant if
you called mpg123 in working directories with untrusted content.
Note that mpg123 1.23 looked for modules relative to the current working
directory only if the installation prefix for modules did not exist.
So, usage on an intact installation (with /usr/lib/mpg123 or the like) was
safe. Nevertheless this new version fixes the search to be relative to the
binary path as it was with 1.22 and before.
- At least consistent behaviour of playlist code in the face of looping.
Looping is about individual tracks, always. They are looped also in random
mode. Jumping (prev/next keys) is between tracks and resets the loop counter.
The display of currently playing track in the playlist is fixed for random
and looped play now (bug 198).
- Looping is now mentioned for a to-be-repeated track with --verbose.
- Move some compiler nagging from --enable-debug to --enable-nagging, fix up
some new build failures by adding some pesky feature test macros.
- Try not to pollute the terminal buffer with old progress bars in inverse
video. Only the currently live one shall be seen. That one is pretty. The
others are not.
- Using plain dlopen()/LoadLibrary() for opening modules instead of libltdl.
This also means that --with-module-suffix is gone in configure.
- Windows builds only work when Unicode support is there (older than Windows
2000/XP will definitely not work anymore).
- The out123 tool now features tone generation, with a mix of differing
wave patterns. Makes sense to be able to test the audio output by itself,
and it's fun. See --wave-freq and related parameters.
- libmpg123 version 43:
-- Add flags MPG123_NO_PEEK_END and MPG123_FORCE_SEEKABLE, as suggested
by Bent Bisballe Nyeng.
-- Build fix for MSVC (consistent definition of ssize_t, spotted by manx,
bug 243).
-- Build fix for --with-cpu=ppc_nofpu (thanks to Michael Kostylev, bug 244).
-- Add asm optimized MSVC++ Win32|x64 and UWP|x64 builds
-- Remove old, broken MSVC++ builds
- libout123 version 2:
-- Added OUT123_BINDIR.
-- New search order for output plugin directory: MPG123_MODDIR, or (relative
to executable directory OUT123_BINDIR) ../lib/mpg123, plugins
libout123/modules/.libs, libout123/modules, ../libout123/modules/.libs,
../libout123/modules, and at last the installation prefix $libdir/mpg213/.
This shall ensure that a build inside a source tree does not try to use old
modules from the system prefix. The normal libtool wrapper deals with the
shared libout123 or libmpg123 only, not modules.
Note that if you set MPG123_MODDIR to a non-existing directory, no modules
will be found (earlier versions fell back to other choices).
-- The OUT123_NAME parameter is now copied by out123_param_from(), as is
the newly added OUT123_BINDIR.
-- Coreaudio: Use AudioComponents API on OSX >= 10.6 (thanks to Michael Weiser).
-- Coreaudio: Fix behaviour of out123_drop(), not killing the output anymore
without re-opening the device (bug 236, thanks to Taihei for the fix).
Problems found with existing distfiles:
/pub/pkgsrc/distfiles/amp-0.7.6.tgz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-32000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-music-48000-1.0.8.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-32000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-en-us-callie-48000-1.0.22.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-16000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-8000-1.0.12.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-32000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-fr-ca-june-48000-1.0.18.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-32000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/freeswitch/freeswitch-sounds-ru-RU-elena-48000-1.0.13.tar.gz
/pub/pkgsrc/distfiles/kid3-3.3.0.tar.gz
/pub/pkgsrc/distfiles/libdca-0.0.5.tar.bz2
/pub/pkgsrc/distfiles/mp3to.gz
/pub/pkgsrc/distfiles/squeezeboxserver-7.5.1-noCPAN.tgz
No changes made to these file.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
- Fix stupid regression introduced with a bugfix in 1.14.1 to make
free format streams work again. It took 3 years for someone to notice.
I added a regression test for that now!
- Fix buffering for funny sample formats (namely, 24 bit), that do not
fit nicely into 32768 bytes. Effect was a nasty endless loop where
mpg123 needs to be externally killed.
Changes 1.22.1
- Fix mpg123-id3dump when writing images with funny (manipulated) MIME type.
Stupid mistake in length computation of the fallback file extension caused
junk from memory being appended to the filename if the pointer size
is less than 64 bit. For 64 bit pointers (or longer) it was correct by
accident.
- Fix pedantic build by cleaning up out123 source, also now really showing
the encoding list in --longhelp instead of possibly, again, writing junk
from memory in there.
- Not linking libmpg123 against libltdl anymore (bug 215).
- Update MSVC++ ports a bit to make them work again.
(upstream)
Update mpg123* from 1.19.0 to 1.21.0
(pkgsrc)
Add comment to patch-ad
Tks wiz@ and obache@ for review.x
1.21.0
---
- Use LL as shortcut for LOADLIST remote command, L is taken already (bug 210).
- Less namespace pollution (MPG123_EXPORT in header instead of EXPORT, bug 212).
1.20.1
---
- Make feed reader more efficient when skipping junk by early
discarding of data from buffers to avoid re-parsing.
1.20.0
---
- Added NEON optimized decoder for AArch64 (ARM 64bit environment)
- enabled for --with-cpu=neon64 (NEON only) or --with-cpu=aarch64
(runtime switch between neon and generic_fpu, like arm_fpu)
configuration
- compatible with aarch64-linux-gnu toolchains (from Ubuntu, debian) and Xcode 5
- Added new binary out123 only with the audio output part of mpg123.
This is a precursor to separating out said code into a simple audio
output library. It also allows plugging in some processing in a pipe
before feeding to output.
- Prevent opendir(NULL) for unknown module directory when listing modules.
- some build fixes, among those fixing mpg123-id3dump on Windows
- Support float and 32/24 bit integer output also with fixed-point decoders (conversion from 16 bit precision).
- A-Law output encoding is actually implemented now (Michael introduced the encoding back in the old days without ever implementing theconversion table, apparently).
- Added --with-cpu=arm_fpu as decoder choice for runtime switch between plain fpu code and NEON.
- Fix ARM builds to work properly on debian systems without special CFLAGS (NEON decoder, specifically).
- Make scripts/benchmark-cpu.pl check the return value instead of delivering crazy timings for crashed mpg123.
- Trigger track initialization in mpg123_info() to avoid use of uninitialized variables (watch out for MPG123_NEED_MORE return value!).
- Fix integer code to 32 bit numbers where it would waste 64 bit on modern systems.
- Add non-executable stack marking also to ARM assembly.
Changelog:
Version 1.12.5:
This release fixes a buffer overflow issue in the mpg123 frontend application when printing ID3 data in non-UTF-8 environments. It has been introduced in version 1.12.4 and Jakub Bogusz was so kind to bump my head into this. Please upgrade. Thanks.
Version 1.12.4:
This is a little bugfix release that improves printout of metadata (ID3) in UTF-8 terminals, fixing one of those distro bug reports that I am getting aware of late... Get it from the usual places.
Version 1.12.3:
The newest release fixes bug 3022850, a long-standing bug that managed to break http streaming with ICY metadata in a non-obvious manner. It's a little change with big impact... for those who listen to web radio, that is.
Version 1.12.2:
The fresh maintenance release mainly fixes bug 2996045, invalid memory access prompted by addresses in the upper half of the address space. I introduced that one with a bad alignment algorithm, sorry.
Along with this go several other fixes/improvements:
* Various build and portability fixes (including making some exotic configure switches work (again)).
* Add dump_seekindex example
* Sync mpg123_clr (.NET wrapper) to 1.12 feature set, patch provided by Malcolm Boczek -- and actually include it in release tarball!
* Rework mpg123.h logic for large file stuff a bit, clients can control it by defining MPG123_NO_LARGENAME or MPG123_LARGESUFFIX.
* Include dumb wrappers to provide names suffixed with _64 on 64 bit machines and _32 on 32 bit machines, respectively, to help clients that insist on defining _FILE_OFFSET_BITS where it is not needed (or with a non-large value).
* Tuning of the internal buffer code for feeder mode to minimize its performance impact (works in 4K blocks now).
* Workaround for compiler bugs in Open64/PathScale/SunStudio (bug 3004396, suggestion by Doug Gilmore).
Note that Sun Studio is still a tricky fellow, at least when it comes to our preprocessed assembly (generic build works). Also, x86-Open64 recently produced another segfault in layer3.c on my box... GNU and intel compilers are what one can use as something stable.
* Make mpg123_getformat() return more error codes (like MPG123_NEED_MORE).
* Fix handle I/O for clients with small file offset (32 bit when libmpg123 has 64 bit).
* Fix 3DNow(Ext) standalone builds.