summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2019-08-13 20:42:06 +0200
committerMarius Bakke <mbakke@fastmail.com>2019-08-13 20:42:06 +0200
commit462ad9f56b9665b8d22960acee73ad91f1052c9c (patch)
tree814be463d6d0517e7db9b9e6f15dbc7516955674 /gnu/packages/patches
parent7f5f61ae99321a7a6e08b0100cd428e11ce6a837 (diff)
parent1b1b006afd31c5526f34d157baef492c7dde2e9c (diff)
downloadguix-462ad9f56b9665b8d22960acee73ad91f1052c9c.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/emacs-dired-toggle-sudo-emacs-26.patch49
-rw-r--r--gnu/packages/patches/flac-CVE-2017-6888.patch29
-rw-r--r--gnu/packages/patches/isc-dhcp-4.4.1-fixes-for-newer-bind.patch100
-rw-r--r--gnu/packages/patches/libmad-frame-length.patch199
-rw-r--r--gnu/packages/patches/libmad-length-check.patch819
-rw-r--r--gnu/packages/patches/libmad-md_size.patch60
-rw-r--r--gnu/packages/patches/libvirt-remove-ATTRIBUTE_UNUSED.patch34
-rw-r--r--gnu/packages/patches/mame-rapidjson-fix.patch37
-rw-r--r--gnu/packages/patches/nss-freebl-stubs.patch20
-rw-r--r--gnu/packages/patches/pcre2-fix-jit_match-crash.patch25
-rw-r--r--gnu/packages/patches/scribus-poppler.patch72
-rw-r--r--gnu/packages/patches/strace-ipc-tests.patch30
12 files changed, 1140 insertions, 334 deletions
diff --git a/gnu/packages/patches/emacs-dired-toggle-sudo-emacs-26.patch b/gnu/packages/patches/emacs-dired-toggle-sudo-emacs-26.patch
new file mode 100644
index 0000000000..d979b113d0
--- /dev/null
+++ b/gnu/packages/patches/emacs-dired-toggle-sudo-emacs-26.patch
@@ -0,0 +1,49 @@
+From 3c0f4b27a079b90dc632f5061a81ce28cef24801 Mon Sep 17 00:00:00 2001
+From: eryx67 <eryx67@gmail.com>
+Date: Thu, 29 Nov 2018 10:30:20 +0500
+Subject: [PATCH] fix for latest emacs
+
+---
+ dired-toggle-sudo.el | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/dired-toggle-sudo.el b/dired-toggle-sudo.el
+index 386921b..fe5898e 100644
+--- a/dired-toggle-sudo.el
++++ b/dired-toggle-sudo.el
+@@ -37,17 +37,20 @@
+ unless SUDO-USER is provided."
+   (let* (;; Handle the case of local files. `tramp-dissect-file-name' does
+ 	 ;; not raise an error anymore.
+-	 (path (if (tramp-tramp-file-p path) path (concat "/:" path)))
++	 ;;(path (if (tramp-tramp-file-p path) path (concat "/-::" path)))
+ 	 (file-vec (or (ignore-errors (tramp-dissect-file-name
+ 				       path))
+ 		       (tramp-dissect-file-name
+-			(concat "/:" path) 1)))
++			(concat "/-::" path) 1)))
+ 	 (method  (tramp-file-name-method file-vec))
+ 	 (user (tramp-file-name-user file-vec))
+ 	 (host  (tramp-file-name-host file-vec))
++         (domain  (tramp-file-name-domain file-vec))
++         (port  (tramp-file-name-port file-vec))
+ 	 (localname (expand-file-name
+ 		     (tramp-file-name-localname file-vec))))
+-    (when (string= system-name host)
++    (when (or (string= (system-name) host)
++              (string= "-" host))
+       (setq host nil))
+     (cond
+      ;; remote directory -> sudo
+@@ -67,7 +70,7 @@ unless SUDO-USER is provided."
+       (setq method "sudo" user sudo-user)))
+     (replace-regexp-in-string
+      "^/:/" "/"
+-     (tramp-make-tramp-file-name method user host localname))))
++     (tramp-make-tramp-file-name method domain user host port localname))))
+ 
+ (defun dired-toggle-sudo-find (fname)
+   "Create a new buffer for file name FNAME."
+-- 
+2.22.0
+
diff --git a/gnu/packages/patches/flac-CVE-2017-6888.patch b/gnu/packages/patches/flac-CVE-2017-6888.patch
deleted file mode 100644
index d2583201b4..0000000000
--- a/gnu/packages/patches/flac-CVE-2017-6888.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://git.xiph.org/?p=flac.git;a=patch;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
-
-From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001
-From: Erik de Castro Lopo <erikd@mega-nerd.com>
-Date: Sat, 8 Apr 2017 18:34:49 +1000
-Subject: [PATCH] stream_decoder.c: Fix a memory leak
-
-Leak reported by Secunia Research.
----
- src/libFLAC/stream_decoder.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
-index 14d5fe7f..a5527511 100644
---- a/src/libFLAC/stream_decoder.c
-+++ b/src/libFLAC/stream_decoder.c
-@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
- 					}
- 					memset (obj->comments[i].entry, 0, obj->comments[i].length) ;
- 					if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) {
-+						/* Current i-th entry is bad, so we delete it. */
-+						free (obj->comments[i].entry) ;
-+						obj->comments[i].entry = NULL ;
- 						obj->num_comments = i;
- 						goto skip;
- 					}
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/isc-dhcp-4.4.1-fixes-for-newer-bind.patch b/gnu/packages/patches/isc-dhcp-4.4.1-fixes-for-newer-bind.patch
new file mode 100644
index 0000000000..53e681ea31
--- /dev/null
+++ b/gnu/packages/patches/isc-dhcp-4.4.1-fixes-for-newer-bind.patch
@@ -0,0 +1,100 @@
+These fixes are needed to adapt isc-dhcp-4.4.1 to build
+successfully after its bundled copy of bind has been updated.
+
+It is derived from the following upstream commits:
+
+commit 8194daabfd590f17825f0c61e9534bee5c99cc86
+Author: Thomas Markwalder <tmark@isc.org>
+Date:   Fri Sep 14 13:41:14 2018 -0400
+
+  [master] Added includes of new BIND9 compatibility headers, updated util/bind.sh
+  
+      Merges in rt48072.
+
+commit cc35f84943df44dac2499f3e16e8aaba7d54191d
+Author: Thomas Markwalder <tmark@isc.org>
+Date:   Tue Mar 19 08:36:23 2019 -0400
+
+  [master] Avoid Bind9 python dependency
+  
+      merges [#3,!1] Avoid Bind9 python dependency
+
+--- a/bind/Makefile.in
++++ b/bind/Makefile.in
+@@ -23,7 +23,7 @@ exec_prefix = @exec_prefix@
+ 
+ bindconfig = --without-openssl --without-libxml2 --without-libjson \
+ 	--without-gssapi --disable-threads --without-lmdb \
+-	--includedir=@includedir@ --libdir=@libdir@ \
++	--includedir=@includedir@ --libdir=@libdir@  --without-python\
+ 	@BINDLT@ @BINDIOMUX@ @BINDCONFIG@ --enable-full-report
+ 
+ @BIND_ATF_FALSE@cleandirs = ./lib ./include
+diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
+index 75a87ff6..538b927f 100644
+--- a/includes/omapip/isclib.h
++++ b/includes/omapip/isclib.h
+@@ -48,6 +48,9 @@
+ #include <string.h>
+ #include <netdb.h>
+ 
++#include <isc/boolean.h>
++#include <isc/int.h>
++
+ #include <isc/buffer.h>
+ #include <isc/lex.h>
+ #include <isc/lib.h>
+diff --git a/includes/omapip/result.h b/includes/omapip/result.h
+index 91243e1b..860298f6 100644
+--- a/includes/omapip/result.h
++++ b/includes/omapip/result.h
+@@ -26,6 +26,7 @@
+ #ifndef DHCP_RESULT_H
+ #define DHCP_RESULT_H 1
+ 
++#include <isc/boolean.h>
+ #include <isc/lang.h>
+ #include <isc/resultclass.h>
+ #include <isc/types.h>
+diff --git a/server/dhcpv6.c b/server/dhcpv6.c
+index a7110f98..cde4f617 100644
+--- a/server/dhcpv6.c
++++ b/server/dhcpv6.c
+@@ -1034,7 +1034,8 @@ void check_pool6_threshold(struct reply_state *reply,
+ 				  shared_name,
+ 				  inet_ntop(AF_INET6, &lease->addr,
+ 					    tmp_addr, sizeof(tmp_addr)),
+-				  used, count);
++				  (long long unsigned)(used),
++				  (long long unsigned)(count));
+ 		}
+ 		return;
+ 	}
+@@ -1066,7 +1067,8 @@ void check_pool6_threshold(struct reply_state *reply,
+ 		  "address: %s; high threshold %d%% %llu/%llu.",
+ 		  shared_name,
+ 		  inet_ntop(AF_INET6, &lease->addr, tmp_addr, sizeof(tmp_addr)),
+-		  poolhigh, used, count);
++		  poolhigh, (long long unsigned)(used),
++		  (long long unsigned)(count));
+ 
+ 	/* handle the low threshold now, if we don't
+ 	 * have one we default to 0. */
+@@ -1436,12 +1438,15 @@ pick_v6_address(struct reply_state *reply)
+ 		log_debug("Unable to pick client address: "
+ 			  "no addresses available  - shared network %s: "
+ 			  " 2^64-1 < total, %llu active,  %llu abandoned",
+-			  shared_name, active - abandoned, abandoned);
++			  shared_name, (long long unsigned)(active - abandoned),
++			  (long long unsigned)(abandoned));
+ 	} else {
+ 		log_debug("Unable to pick client address: "
+ 			  "no addresses available  - shared network %s: "
+ 			  "%llu total, %llu active,  %llu abandoned",
+-			  shared_name, total, active - abandoned, abandoned);
++			  shared_name, (long long unsigned)(total),
++			  (long long unsigned)(active - abandoned),
++		          (long long unsigned)(abandoned));
+ 	}
+ 
+ 	return ISC_R_NORESOURCES;
diff --git a/gnu/packages/patches/libmad-frame-length.patch b/gnu/packages/patches/libmad-frame-length.patch
deleted file mode 100644
index 3434eba577..0000000000
--- a/gnu/packages/patches/libmad-frame-length.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-Copied from Debian.
-
-; You can calculate where the next frame will start depending on things
-; like the bitrate. See mad_header_decode().  It seems that when decoding
-; the frame you can go past that boundary.  This attempts to catch those cases,
-; but might not catch all of them.
-; For more info see http://bugs.debian.org/508133
-Index: libmad-0.15.1b/layer12.c
-===================================================================
---- libmad-0.15.1b.orig/layer12.c	2008-12-23 21:38:07.000000000 +0100
-+++ libmad-0.15.1b/layer12.c	2008-12-23 21:38:12.000000000 +0100
-@@ -134,6 +134,12 @@
-   for (sb = 0; sb < bound; ++sb) {
-     for (ch = 0; ch < nch; ++ch) {
-       nb = mad_bit_read(&stream->ptr, 4);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
-       if (nb == 15) {
- 	stream->error = MAD_ERROR_BADBITALLOC;
-@@ -146,6 +152,12 @@
- 
-   for (sb = bound; sb < 32; ++sb) {
-     nb = mad_bit_read(&stream->ptr, 4);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
-     if (nb == 15) {
-       stream->error = MAD_ERROR_BADBITALLOC;
-@@ -162,6 +174,12 @@
-     for (ch = 0; ch < nch; ++ch) {
-       if (allocation[ch][sb]) {
- 	scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
- # if defined(OPT_STRICT)
- 	/*
-@@ -187,6 +205,12 @@
- 	frame->sbsample[ch][s][sb] = nb ?
- 	  mad_f_mul(I_sample(&stream->ptr, nb),
- 		    sf_table[scalefactor[ch][sb]]) : 0;
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
-       }
-     }
- 
-@@ -195,6 +219,12 @@
- 	mad_fixed_t sample;
- 
- 	sample = I_sample(&stream->ptr, nb);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
- 	for (ch = 0; ch < nch; ++ch) {
- 	  frame->sbsample[ch][s][sb] =
-@@ -403,7 +433,15 @@
-     nbal = bitalloc_table[offsets[sb]].nbal;
- 
-     for (ch = 0; ch < nch; ++ch)
-+    {
-       allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
-+    }
-   }
- 
-   for (sb = bound; sb < sblimit; ++sb) {
-@@ -411,6 +449,13 @@
- 
-     allocation[0][sb] =
-     allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
-+
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
-   }
- 
-   /* decode scalefactor selection info */
-@@ -419,6 +464,12 @@
-     for (ch = 0; ch < nch; ++ch) {
-       if (allocation[ch][sb])
- 	scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
-     }
-   }
- 
-@@ -442,6 +493,12 @@
-     for (ch = 0; ch < nch; ++ch) {
-       if (allocation[ch][sb]) {
- 	scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
- 	switch (scfsi[ch][sb]) {
- 	case 2:
-@@ -452,11 +509,23 @@
- 
- 	case 0:
- 	  scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
-+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+		{
-+			stream->error = MAD_ERROR_LOSTSYNC;
-+			stream->sync = 0;
-+			return -1;
-+		}
- 	  /* fall through */
- 
- 	case 1:
- 	case 3:
- 	  scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
-+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+		{
-+			stream->error = MAD_ERROR_LOSTSYNC;
-+			stream->sync = 0;
-+			return -1;
-+		}
- 	}
- 
- 	if (scfsi[ch][sb] & 1)
-@@ -488,6 +557,12 @@
- 	  index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- 
- 	  II_samples(&stream->ptr, &qc_table[index], samples);
-+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+		{
-+			stream->error = MAD_ERROR_LOSTSYNC;
-+			stream->sync = 0;
-+			return -1;
-+		}
- 
- 	  for (s = 0; s < 3; ++s) {
- 	    frame->sbsample[ch][3 * gr + s][sb] =
-@@ -506,6 +581,12 @@
- 	index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- 
- 	II_samples(&stream->ptr, &qc_table[index], samples);
-+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
-+	{
-+		stream->error = MAD_ERROR_LOSTSYNC;
-+		stream->sync = 0;
-+		return -1;
-+	}
- 
- 	for (ch = 0; ch < nch; ++ch) {
- 	  for (s = 0; s < 3; ++s) {
-Index: libmad-0.15.1b/layer3.c
-===================================================================
---- libmad-0.15.1b.orig/layer3.c	2008-12-23 21:38:07.000000000 +0100
-+++ libmad-0.15.1b/layer3.c	2008-12-23 21:38:12.000000000 +0100
-@@ -2608,6 +2608,12 @@
-     next_md_begin = 0;
- 
-   md_len = si.main_data_begin + frame_space - next_md_begin;
-+  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
-+  {
-+	stream->error = MAD_ERROR_LOSTSYNC;
-+	stream->sync = 0;
-+	return -1;
-+  }
- 
-   frame_used = 0;
- 
diff --git a/gnu/packages/patches/libmad-length-check.patch b/gnu/packages/patches/libmad-length-check.patch
new file mode 100644
index 0000000000..18ca68fd7e
--- /dev/null
+++ b/gnu/packages/patches/libmad-length-check.patch
@@ -0,0 +1,819 @@
+Copied from Debian.
+
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 19:26:36 +0100
+Subject: Check the size before reading with mad_bit_read
+
+There are various cases where it attemps to read past the end of the buffer
+using mad_bit_read(). Most functions didn't even know the size of the buffer
+they were reading from.
+
+Index: libmad-0.15.1b/bit.c
+===================================================================
+--- libmad-0.15.1b.orig/bit.c
++++ libmad-0.15.1b/bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+   register unsigned long value;
+ 
++  if (len == 0)
++    return 0;
++
+   if (bitptr->left == CHAR_BIT)
+     bitptr->cache = *bitptr->byte;
+ 
+Index: libmad-0.15.1b/frame.c
+===================================================================
+--- libmad-0.15.1b.orig/frame.c
++++ libmad-0.15.1b/frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+   unsigned int index;
++  struct mad_bitptr bufend_ptr;
+ 
+   header->flags        = 0;
+   header->private_bits = 0;
+ 
++  mad_bit_init(&bufend_ptr, stream->bufend);
++
+   /* header() */
++  if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++    stream->error = MAD_ERROR_BUFLEN;
++    return -1;
++  }
+ 
+   /* syncword */
+   mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+   /* error_check() */
+ 
+   /* crc_check */
+-  if (header->flags & MAD_FLAG_PROTECTION)
++  if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++      stream->error = MAD_ERROR_BUFLEN;
++      return -1;
++    }
+     header->crc_target = mad_bit_read(&stream->ptr, 16);
++  }
+ 
+   return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+       stream->error = MAD_ERROR_BUFLEN;
+       goto fail;
+     }
+-    else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       /* mark point where frame sync word was expected */
+       stream->this_frame = ptr;
+       stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+     ptr = mad_bit_nextbyte(&stream->ptr);
+   }
+ 
++  stream->error = MAD_ERROR_NONE;
++
+   /* begin processing */
+   stream->this_frame = ptr;
+   stream->next_frame = ptr + 1;  /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+     /* check that a valid frame header follows this frame */
+ 
+     ptr = stream->next_frame;
+-    if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++    if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+       ptr = stream->next_frame = stream->this_frame + 1;
+       goto sync;
+     }
+Index: libmad-0.15.1b/layer12.c
+===================================================================
+--- libmad-0.15.1b.orig/layer12.c
++++ libmad-0.15.1b/layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+  * DESCRIPTION:	decode one requantized Layer I sample from a bitstream
+  */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+   mad_fixed_t sample;
++  struct mad_bitptr frameend_ptr;
+ 
++  mad_bit_init(&frameend_ptr, stream->next_frame);
++
++  if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++    stream->error = MAD_ERROR_LOSTSYNC;
++    stream->sync = 0;
++    return 0;
++  }
+   sample = mad_bit_read(ptr, nb);
+ 
+   /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+   struct mad_header *header = &frame->header;
+   unsigned int nch, bound, ch, s, sb, nb;
+   unsigned char allocation[2][32], scalefactor[2][32];
++  struct mad_bitptr bufend_ptr, frameend_ptr;
++
++  mad_bit_init(&bufend_ptr, stream->bufend);
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+   /* check CRC word */
+ 
+   if (header->flags & MAD_FLAG_PROTECTION) {
++    if (mad_bit_length(&stream->ptr, &bufend_ptr)
++		< 4 * (bound * nch + (32 - bound))) {
++      stream->error = MAD_ERROR_BADCRC;
++      return -1;
++    }
+     header->crc_check =
+       mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ 		  header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+ 
+   for (sb = 0; sb < bound; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++	stream->error = MAD_ERROR_LOSTSYNC;
++	stream->sync = 0;
++	return -1;
++      }
+       nb = mad_bit_read(&stream->ptr, 4);
+ 
+       if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+   }
+ 
+   for (sb = bound; sb < 32; ++sb) {
++    if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++    }
+     nb = mad_bit_read(&stream->ptr, 4);
+ 
+     if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+   for (sb = 0; sb < 32; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+       if (allocation[ch][sb]) {
++        if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++	  stream->error = MAD_ERROR_LOSTSYNC;
++	  stream->sync = 0;
++	  return -1;
++	}
+ 	scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+ 
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+       for (ch = 0; ch < nch; ++ch) {
+ 	nb = allocation[ch][sb];
+ 	frame->sbsample[ch][s][sb] = nb ?
+-	  mad_f_mul(I_sample(&stream->ptr, nb),
++	  mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ 		    sf_table[scalefactor[ch][sb]]) : 0;
++	if (stream->error != 0)
++	  return -1;
+       }
+     }
+ 
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+       if ((nb = allocation[0][sb])) {
+ 	mad_fixed_t sample;
+ 
+-	sample = I_sample(&stream->ptr, nb);
++	if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++	  stream->error = MAD_ERROR_LOSTSYNC;
++	  stream->sync = 0;
++          return -1;
++	}
++	sample = I_sample(&stream->ptr, nb, stream);
++        if (stream->error != 0)
++	  return -1;
+ 
+ 	for (ch = 0; ch < nch; ++ch) {
+ 	  frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ 		struct quantclass const *quantclass,
+-		mad_fixed_t output[3])
++		mad_fixed_t output[3], struct mad_stream *stream)
+ {
+   unsigned int nb, s, sample[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   if ((nb = quantclass->group)) {
+     unsigned int c, nlevels;
+ 
++    if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return;
++    }
+     /* degrouping */
+     c = mad_bit_read(ptr, quantclass->bits);
+     nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+   else {
+     nb = quantclass->bits;
+ 
+-    for (s = 0; s < 3; ++s)
++    for (s = 0; s < 3; ++s) {
++      if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++	stream->error = MAD_ERROR_LOSTSYNC;
++	stream->sync = 0;
++	return;
++      }
+       sample[s] = mad_bit_read(ptr, nb);
++    }
+   }
+ 
+   for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+   unsigned char const *offsets;
+   unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+   mad_fixed_t samples[3];
++  struct mad_bitptr frameend_ptr;
++
++  mad_bit_init(&frameend_ptr, stream->next_frame);
+ 
+   nch = MAD_NCHANNELS(header);
+ 
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+   for (sb = 0; sb < bound; ++sb) {
+     nbal = bitalloc_table[offsets[sb]].nbal;
+ 
+-    for (ch = 0; ch < nch; ++ch)
++    for (ch = 0; ch < nch; ++ch) {
++      if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++	stream->error = MAD_ERROR_LOSTSYNC;
++	stream->sync = 0;
++	return -1;
++      }
+       allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++    }
+   }
+ 
+   for (sb = bound; sb < sblimit; ++sb) {
+     nbal = bitalloc_table[offsets[sb]].nbal;
+ 
++    if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++      stream->error = MAD_ERROR_LOSTSYNC;
++      stream->sync = 0;
++      return -1;
++    }
+     allocation[0][sb] =
+     allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+   }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+ 
+   for (sb = 0; sb < sblimit; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+-      if (allocation[ch][sb])
++      if (allocation[ch][sb]) {
++	if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++	  stream->error = MAD_ERROR_LOSTSYNC;
++	  stream->sync = 0;
++	  return -1;
++	}
+ 	scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++      }
+     }
+   }
+ 
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+   for (sb = 0; sb < sblimit; ++sb) {
+     for (ch = 0; ch < nch; ++ch) {
+       if (allocation[ch][sb]) {
++	if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++	  stream->error = MAD_ERROR_LOSTSYNC;
++	  stream->sync = 0;
++	  return -1;
++	}
+ 	scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+ 
+ 	switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+ 	  break;
+ 
+ 	case 0:
++	  if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++	    stream->error = MAD_ERROR_LOSTSYNC;
++	    stream->sync = 0;
++	    return -1;
++	  }
+ 	  scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ 	  /* fall through */
+ 
+ 	case 1:
+ 	case 3:
++	  if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++	    stream->error = MAD_ERROR_LOSTSYNC;
++	    stream->sync = 0;
++	    return -1;
++	  }
+ 	  scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ 	}
+ 
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
+ 	if ((index = allocation[ch][sb])) {
+ 	  index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+ 
+-	  II_samples(&stream->ptr, &qc_table[index], samples);
++	  II_samples(&stream->ptr, &qc_table[index], samples, stream);
++	  if (stream->error != 0)
++            return -1;
+ 
+ 	  for (s = 0; s < 3; ++s) {
+ 	    frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
+       if ((index = allocation[0][sb])) {
+ 	index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+ 
+-	II_samples(&stream->ptr, &qc_table[index], samples);
++	II_samples(&stream->ptr, &qc_table[index], samples, stream);
++	if (stream->error != 0)
++          return -1;
+ 
+ 	for (ch = 0; ch < nch; ++ch) {
+ 	  for (s = 0; s < 3; ++s) {
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
+ static
+ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ 				  struct channel *channel,
+-				  struct channel *gr1ch, int mode_extension)
++				  struct channel *gr1ch, int mode_extension,
++				  unsigned int bits_left, unsigned int *part2_length)
+ {
+   struct mad_bitptr start;
+   unsigned int scalefac_compress, index, slen[4], part, n, i;
+@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
+ 
+     n = 0;
+     for (part = 0; part < 4; ++part) {
+-      for (i = 0; i < nsfb[part]; ++i)
++      for (i = 0; i < nsfb[part]; ++i) {
++	if (bits_left < slen[part])
++	  return MAD_ERROR_BADSCFSI;
+ 	channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
++	bits_left -= slen[part];
++      }
+     }
+ 
+     while (n < 39)
+@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
+       max = (1 << slen[part]) - 1;
+ 
+       for (i = 0; i < nsfb[part]; ++i) {
++	if (bits_left < slen[part])
++	  return MAD_ERROR_BADSCFSI;
+ 	is_pos = mad_bit_read(ptr, slen[part]);
++	bits_left -= slen[part];
+ 
+ 	channel->scalefac[n] = is_pos;
+ 	gr1ch->scalefac[n++] = (is_pos == max);
+@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
+     }
+   }
+ 
+-  return mad_bit_length(&start, ptr);
++  *part2_length = mad_bit_length(&start, ptr);
++  return MAD_ERROR_NONE;
+ }
+ 
+ /*
+@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
+  */
+ static
+ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+-			      struct channel const *gr0ch, unsigned int scfsi)
++			      struct channel const *gr0ch, unsigned int scfsi,
++			      unsigned int bits_left, unsigned int *part2_length)
+ {
+   struct mad_bitptr start;
+   unsigned int slen1, slen2, sfbi;
+@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
+     sfbi = 0;
+ 
+     nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
+-    while (nsfb--)
++    while (nsfb--) {
++      if (bits_left < slen1)
++	return MAD_ERROR_BADSCFSI;
+       channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
++      bits_left -= slen1;
++    }
+ 
+     nsfb = 6 * 3;
+-    while (nsfb--)
++    while (nsfb--) {
++      if (bits_left < slen2)
++	return MAD_ERROR_BADSCFSI;
+       channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
++      bits_left -= slen2;
++    }
+ 
+     nsfb = 1 * 3;
+     while (nsfb--)
+@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
+ 	channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+     }
+     else {
+-      for (sfbi = 0; sfbi < 6; ++sfbi)
++      for (sfbi = 0; sfbi < 6; ++sfbi) {
++	if (bits_left < slen1)
++	  return MAD_ERROR_BADSCFSI;
+ 	channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++	bits_left -= slen1;
++      }
+     }
+ 
+     if (scfsi & 0x4) {
+@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
+ 	channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+     }
+     else {
+-      for (sfbi = 6; sfbi < 11; ++sfbi)
++      for (sfbi = 6; sfbi < 11; ++sfbi) {
++	if (bits_left < slen1)
++	  return MAD_ERROR_BADSCFSI;
+ 	channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++	bits_left -= slen1;
++      }
+     }
+ 
+     if (scfsi & 0x2) {
+@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
+ 	channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+     }
+     else {
+-      for (sfbi = 11; sfbi < 16; ++sfbi)
++      for (sfbi = 11; sfbi < 16; ++sfbi) {
++	if (bits_left < slen2)
++	  return MAD_ERROR_BADSCFSI;
+ 	channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++	bits_left -= slen2;
++      }
+     }
+ 
+     if (scfsi & 0x1) {
+@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
+ 	channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+     }
+     else {
+-      for (sfbi = 16; sfbi < 21; ++sfbi)
++      for (sfbi = 16; sfbi < 21; ++sfbi) {
++	if (bits_left < slen2)
++	  return MAD_ERROR_BADSCFSI;
+ 	channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++	bits_left -= slen2;
++      }
+     }
+ 
+     channel->scalefac[21] = 0;
+   }
+ 
+-  return mad_bit_length(&start, ptr);
++  *part2_length = mad_bit_length(&start, ptr);
++  return MAD_ERROR_NONE;
+ }
+ 
+ /*
+@@ -933,19 +968,17 @@ static
+ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ 			      struct channel *channel,
+ 			      unsigned char const *sfbwidth,
+-			      unsigned int part2_length)
++			      signed int part3_length)
+ {
+   signed int exponents[39], exp;
+   signed int const *expptr;
+   struct mad_bitptr peek;
+-  signed int bits_left, cachesz;
++  signed int bits_left, cachesz, fakebits;
+   register mad_fixed_t *xrptr;
+   mad_fixed_t const *sfbound;
+   register unsigned long bitcache;
+ 
+-  bits_left = (signed) channel->part2_3_length - (signed) part2_length;
+-  if (bits_left < 0)
+-    return MAD_ERROR_BADPART3LEN;
++  bits_left = part3_length;
+ 
+   III_exponents(channel, sfbwidth, exponents);
+ 
+@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
+   cachesz  = mad_bit_bitsleft(&peek);
+   cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+ 
++  if (bits_left < cachesz) {
++    cachesz = bits_left;
++  }
+   bitcache   = mad_bit_read(&peek, cachesz);
+   bits_left -= cachesz;
++  fakebits = 0;
+ 
+   xrptr = &xr[0];
+ 
+@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
+ 
+     big_values = channel->big_values;
+ 
+-    while (big_values-- && cachesz + bits_left > 0) {
++    while (big_values-- && cachesz + bits_left - fakebits > 0) {
+       union huffpair const *pair;
+       unsigned int clumpsz, value;
+       register mad_fixed_t requantized;
+@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
+ 	unsigned int bits;
+ 
+ 	bits       = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
++	if (bits_left < bits) {
++	  bits = bits_left;
++	}
+ 	bitcache   = (bitcache << bits) | mad_bit_read(&peek, bits);
+ 	cachesz   += bits;
+ 	bits_left -= bits;
+       }
++      if (cachesz < 21) {
++	unsigned int bits = 21 - cachesz;
++	bitcache <<= bits;
++	cachesz += bits;
++	fakebits += bits;
++      }
+ 
+       /* hcod (0..19) */
+ 
+@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
+       }
+ 
+       cachesz -= pair->value.hlen;
++      if (cachesz < fakebits)
++	return MAD_ERROR_BADHUFFDATA;
+ 
+       if (linbits) {
+ 	/* x (0..14) */
+@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
+ 
+ 	case 15:
+ 	  if (cachesz < linbits + 2) {
+-	    bitcache   = (bitcache << 16) | mad_bit_read(&peek, 16);
+-	    cachesz   += 16;
+-	    bits_left -= 16;
++	    unsigned int bits = 16;
++	    if (bits_left < 16)
++	      bits = bits_left;
++	    bitcache   = (bitcache << bits) | mad_bit_read(&peek, bits);
++	    cachesz   += bits;
++	    bits_left -= bits;
+ 	  }
++	  if (cachesz - fakebits < linbits)
++	    return MAD_ERROR_BADHUFFDATA;
+ 
+ 	  value += MASK(bitcache, cachesz, linbits);
+ 	  cachesz -= linbits;
+@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
+ 	  }
+ 
+ 	x_final:
++	  if (cachesz - fakebits < 1)
++	    return MAD_ERROR_BADHUFFDATA;
+ 	  xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ 	    -requantized : requantized;
+ 	}
+@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
+ 
+ 	case 15:
+ 	  if (cachesz < linbits + 1) {
+-	    bitcache   = (bitcache << 16) | mad_bit_read(&peek, 16);
+-	    cachesz   += 16;
+-	    bits_left -= 16;
++	    unsigned int bits = 16;
++	    if (bits_left < 16)
++	      bits = bits_left;
++	    bitcache   = (bitcache << bits) | mad_bit_read(&peek, bits);
++	    cachesz   += bits;
++	    bits_left -= bits;
+ 	  }
++	  if (cachesz - fakebits < linbits)
++	    return MAD_ERROR_BADHUFFDATA;
+ 
+ 	  value += MASK(bitcache, cachesz, linbits);
+ 	  cachesz -= linbits;
+@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
+ 	  }
+ 
+ 	y_final:
++	  if (cachesz - fakebits < 1)
++	    return MAD_ERROR_BADHUFFDATA;
+ 	  xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ 	    -requantized : requantized;
+ 	}
+@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
+ 	    requantized = reqcache[value] = III_requantize(value, exp);
+ 	  }
+ 
++	  if (cachesz - fakebits < 1)
++	    return MAD_ERROR_BADHUFFDATA;
+ 	  xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ 	    -requantized : requantized;
+ 	}
+@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
+ 	    requantized = reqcache[value] = III_requantize(value, exp);
+ 	  }
+ 
++	  if (cachesz - fakebits < 1)
++	    return MAD_ERROR_BADHUFFDATA;
+ 	  xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ 	    -requantized : requantized;
+ 	}
+@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
+     }
+   }
+ 
+-  if (cachesz + bits_left < 0)
+-    return MAD_ERROR_BADHUFFDATA;  /* big_values overrun */
+-
+   /* count1 */
+   {
+     union huffquad const *table;
+@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
+ 
+     requantized = III_requantize(1, exp);
+ 
+-    while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
++    while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
+       union huffquad const *quad;
+ 
+       /* hcod (1..6) */
+ 
+       if (cachesz < 10) {
+-	bitcache   = (bitcache << 16) | mad_bit_read(&peek, 16);
+-	cachesz   += 16;
+-	bits_left -= 16;
++	unsigned int bits = 16;
++	if (bits_left < 16)
++	  bits = bits_left;
++	bitcache   = (bitcache << bits) | mad_bit_read(&peek, bits);
++	cachesz   += bits;
++	bits_left -= bits;
++      }
++      if (cachesz < 10) {
++	unsigned int bits = 10 - cachesz;
++	bitcache <<= bits;
++	cachesz += bits;
++	fakebits += bits;
+       }
+ 
+       quad = &table[MASK(bitcache, cachesz, 4)];
+@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
+ 		      MASK(bitcache, cachesz, quad->ptr.bits)];
+       }
+ 
++      if (cachesz - fakebits < quad->value.hlen + quad->value.v
++        + quad->value.w + quad->value.x + quad->value.y)
++	/* We don't have enough bits to read one more entry, consider them
++	 * stuffing bits. */
++	break;
+       cachesz -= quad->value.hlen;
+ 
+       if (xrptr == sfbound) {
+@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
+ 
+       xrptr += 2;
+     }
+-
+-    if (cachesz + bits_left < 0) {
+-# if 0 && defined(DEBUG)
+-      fprintf(stderr, "huffman count1 overrun (%d bits)\n",
+-	      -(cachesz + bits_left));
+-# endif
+-
+-      /* technically the bitstream is misformatted, but apparently
+-	 some encoders are just a bit sloppy with stuffing bits */
+-
+-      xrptr -= 4;
+-    }
+   }
+ 
+-  assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
+-
+ # if 0 && defined(DEBUG)
+   if (bits_left < 0)
+     fprintf(stderr, "read %d bits too many\n", -bits_left);
+@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
+  */
+ static
+ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+-			  struct sideinfo *si, unsigned int nch)
++			  struct sideinfo *si, unsigned int nch, unsigned int md_len)
+ {
+   struct mad_header *header = &frame->header;
+   unsigned int sfreqi, ngr, gr;
++  int bits_left = md_len * CHAR_BIT;
+ 
+   {
+     unsigned int sfreq;
+@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
+     for (ch = 0; ch < nch; ++ch) {
+       struct channel *channel = &granule->ch[ch];
+       unsigned int part2_length;
++      unsigned int part3_length;
+ 
+       sfbwidth[ch] = sfbwidth_table[sfreqi].l;
+       if (channel->block_type == 2) {
+@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
+       }
+ 
+       if (header->flags & MAD_FLAG_LSF_EXT) {
+-	part2_length = III_scalefactors_lsf(ptr, channel,
++	error = III_scalefactors_lsf(ptr, channel,
+ 					    ch == 0 ? 0 : &si->gr[1].ch[1],
+-					    header->mode_extension);
++					    header->mode_extension, bits_left, &part2_length);
+       }
+       else {
+-	part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+-					gr == 0 ? 0 : si->scfsi[ch]);
++	error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
++					gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
+       }
++      if (error)
++        return error;
++
++      bits_left -= part2_length;
+ 
+-      error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
++      if (part2_length > channel->part2_3_length)
++        return MAD_ERROR_BADPART3LEN;
++
++      part3_length = channel->part2_3_length - part2_length;
++      if (part3_length > bits_left)
++        return MAD_ERROR_BADPART3LEN;
++
++      error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
+       if (error)
+ 	return error;
++      bits_left -= part3_length;
+     }
+ 
+     /* joint stereo processing */
+@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
+   unsigned int nch, priv_bitlen, next_md_begin = 0;
+   unsigned int si_len, data_bitlen, md_len;
+   unsigned int frame_space, frame_used, frame_free;
+-  struct mad_bitptr ptr;
++  struct mad_bitptr ptr, bufend_ptr;
+   struct sideinfo si;
+   enum mad_error error;
+   int result = 0;
+ 
++  mad_bit_init(&bufend_ptr, stream->bufend);
++
+   /* allocate Layer III dynamic structures */
+ 
+   if (stream->main_data == 0) {
+@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
+     unsigned long header;
+ 
+     mad_bit_init(&peek, stream->next_frame);
++    if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
++      header = mad_bit_read(&peek, 32);
++      if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
++        if (!(header & 0x00010000L))  /* protection_bit */
++	  mad_bit_skip(&peek, 16);  /* crc_check */
+ 
+-    header = mad_bit_read(&peek, 32);
+-    if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+-      if (!(header & 0x00010000L))  /* protection_bit */
+-	mad_bit_skip(&peek, 16);  /* crc_check */
+-
+-      next_md_begin =
+-	mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++        next_md_begin =
++	  mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++      }
+     }
+ 
+     mad_bit_finish(&peek);
+@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
+   /* decode main_data */
+ 
+   if (result == 0) {
+-    error = III_decode(&ptr, frame, &si, nch);
++    error = III_decode(&ptr, frame, &si, nch, md_len);
+     if (error) {
+       stream->error = error;
+       result = -1;
diff --git a/gnu/packages/patches/libmad-md_size.patch b/gnu/packages/patches/libmad-md_size.patch
new file mode 100644
index 0000000000..0eb6844a2a
--- /dev/null
+++ b/gnu/packages/patches/libmad-md_size.patch
@@ -0,0 +1,60 @@
+Copied from Debian.
+
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 15:44:08 +0100
+Subject: Check the size of the main data
+
+The main data to decode a frame can come from the current frame and part of the
+previous frame, the so called bit reservoir. si.main_data_begin is the part of
+the previous frame we need for this frame. frame_space is the amount of main
+data that can be in this frame, and next_md_begin is the part of this frame that
+is going to be used for the next frame.
+
+The maximum amount of data from a previous frame that the format allows is 511
+bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
+at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
+So those defines are not large enough:
+ # define MAD_BUFFER_GUARD      8
+ # define MAD_BUFFER_MDLEN      (511 + 2048 + MAD_BUFFER_GUARD)
+
+There is also support for a "free" bitrate which allows you to create any frame
+size, which can be larger than the buffer.
+
+Changing the defines is not an option since it's part of the ABI, so we check
+that the main data fits in the bufer.
+
+The previous frame data is stored in *stream->main_data and contains
+stream->md_len bytes. If stream->md_len is larger than the data we
+need from the previous frame (si.main_data_begin) it still wouldn't fit
+in the buffer, so just keep the data that we need.
+
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
+     next_md_begin = 0;
+ 
+   md_len = si.main_data_begin + frame_space - next_md_begin;
++  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++    stream->error = MAD_ERROR_LOSTSYNC;
++    stream->sync = 0;
++    return -1;
++  }
+ 
+   frame_used = 0;
+ 
+@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
+       }
+     }
+     else {
+-      mad_bit_init(&ptr,
+-		   *stream->main_data + stream->md_len - si.main_data_begin);
++      memmove(stream->main_data,
++	*stream->main_data + stream->md_len - si.main_data_begin,
++	si.main_data_begin);
++      stream->md_len = si.main_data_begin;
++      mad_bit_init(&ptr, *stream->main_data);
+ 
+       if (md_len > si.main_data_begin) {
+ 	assert(stream->md_len + md_len -
diff --git a/gnu/packages/patches/libvirt-remove-ATTRIBUTE_UNUSED.patch b/gnu/packages/patches/libvirt-remove-ATTRIBUTE_UNUSED.patch
deleted file mode 100644
index 5bfefa70bb..0000000000
--- a/gnu/packages/patches/libvirt-remove-ATTRIBUTE_UNUSED.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Tobias Geerinckx-Rice <me@tobias.gr>
-Date: Thu, 25 Jul 2019 21:48:25 +0200
-Subject: [PATCH]: libvirt: remove ATTRIBUTE_UNUSED
-
-This should fix the error reported here[0].  Patch taken verbatim from
-upstream[1].
-
-[0]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=36634#28
-[1]: https://github.com/libvirt/libvirt/commit/759bf903a6c24a8efa25c7cf4b099d952eda9bd3
-
-From 759bf903a6c24a8efa25c7cf4b099d952eda9bd3 Mon Sep 17 00:00:00 2001
-From: Pavel Hrdina <phrdina@redhat.com>
-Date: Mon, 22 Jul 2019 14:46:34 +0200
-Subject: [PATCH] vircgroupv2: remove ATTRIBUTE_UNUSED for used attribute
-
-Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
-Acked-by: Peter Krempa <pkrempa@redhat.com>
----
- src/util/vircgroupv2.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
-index af3192c99c..e36c36685b 100644
---- a/src/util/vircgroupv2.c
-+++ b/src/util/vircgroupv2.c
-@@ -399,7 +399,7 @@ virCgroupV2EnableController(virCgroupPtr group,
- 
- 
- static int
--virCgroupV2MakeGroup(virCgroupPtr parent ATTRIBUTE_UNUSED,
-+virCgroupV2MakeGroup(virCgroupPtr parent,
-                      virCgroupPtr group,
-                      bool create,
-                      unsigned int flags)
diff --git a/gnu/packages/patches/mame-rapidjson-fix.patch b/gnu/packages/patches/mame-rapidjson-fix.patch
new file mode 100644
index 0000000000..70cf8458ea
--- /dev/null
+++ b/gnu/packages/patches/mame-rapidjson-fix.patch
@@ -0,0 +1,37 @@
+From 0b5b13cf1e28550b49c387dec93f9801f029e313 Mon Sep 17 00:00:00 2001
+From: Julian Sikorski <belegdol+github@gmail.com>
+Date: Mon, 5 Aug 2019 21:16:54 +0200
+Subject: [PATCH] Fix building using system rapidjson
+
+---
+ scripts/target/mame/arcade.lua | 1 +
+ src/mame/video/midtunit.cpp    | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/target/mame/arcade.lua b/scripts/target/mame/arcade.lua
+index 964daa3572f..ef30ae3c2c2 100644
+--- a/scripts/target/mame/arcade.lua
++++ b/scripts/target/mame/arcade.lua
+@@ -930,6 +930,7 @@ function createMAMEProjects(_target, _subtarget, _name)
+ 		ext_includedir("flac"),
+ 		ext_includedir("glm"),
+ 		ext_includedir("jpeg"),
++		ext_includedir("rapidjson"),
+ 	}
+ 
+ end
+diff --git a/src/mame/video/midtunit.cpp b/src/mame/video/midtunit.cpp
+index b4cb98abacf..b307f3f722b 100644
+--- a/src/mame/video/midtunit.cpp
++++ b/src/mame/video/midtunit.cpp
+@@ -20,8 +20,8 @@
+ #include "emuopts.h" // Used by PNG logging
+ #include "png.h" // Used by PNG logging
+ 
+-#include "rapidjson/include/rapidjson/prettywriter.h" // Used by JSON logging
+-#include "rapidjson/include/rapidjson/stringbuffer.h" // Used by JSON logging
++#include <rapidjson/prettywriter.h> // Used by JSON logging
++#include <rapidjson/stringbuffer.h> // Used by JSON logging
+ 
+ DEFINE_DEVICE_TYPE(MIDTUNIT_VIDEO, midtunit_video_device, "tunitvid", "Midway T-Unit Video")
+ DEFINE_DEVICE_TYPE(MIDWUNIT_VIDEO, midwunit_video_device, "wunitvid", "Midway W-Unit Video")
diff --git a/gnu/packages/patches/nss-freebl-stubs.patch b/gnu/packages/patches/nss-freebl-stubs.patch
new file mode 100644
index 0000000000..3f7b47b029
--- /dev/null
+++ b/gnu/packages/patches/nss-freebl-stubs.patch
@@ -0,0 +1,20 @@
+This patch is required for Makefile-based builds of NSS 3.45 on armhf-linux.
+
+Taken from upstream bug tracker:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1571316
+
+diff --git a/nss/lib/freebl/ecl/curve25519_32.c b/nss/lib/freebl/ecl/curve25519_32.c
+--- a/nss/lib/freebl/ecl/curve25519_32.c
++++ b/nss/lib/freebl/ecl/curve25519_32.c
+@@ -29,6 +29,10 @@
+  *  1. Convert custom integer types to stdint.h types
+  */
+ 
++#ifdef FREEBL_NO_DEPEND
++#include "../stubs.h"
++#endif
++
+ #include "ecl-priv.h"
+ 
+ /* fe means field element. Here the field is \Z/(2^255-19). An element t,
+
diff --git a/gnu/packages/patches/pcre2-fix-jit_match-crash.patch b/gnu/packages/patches/pcre2-fix-jit_match-crash.patch
new file mode 100644
index 0000000000..7543319ee9
--- /dev/null
+++ b/gnu/packages/patches/pcre2-fix-jit_match-crash.patch
@@ -0,0 +1,25 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Thu, 01 Aug 2019 21:12:52 +0200
+Subject: [PATCH] gnu: pcre2: Fix jit_match crash.
+
+Fixes <https://bugs.exim.org/show_bug.cgi?id=2421>, reported as a ‘secrity
+problem’.
+
+Copied verbatim from upstream[0].
+
+[0]: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?view=patch&r1=1089&r2=1092&pathrev=1092
+
+--- trunk/src/pcre2_jit_compile.c	2019/05/10 13:15:20	1089
++++ trunk/src/pcre2_jit_compile.c	2019/05/13 16:38:18	1092
+@@ -8571,7 +8571,10 @@
+ PCRE2_SPTR bptr;
+ uint32_t c;
+ 
+-GETCHARINC(c, cc);
++/* Patch by PH */
++/* GETCHARINC(c, cc); */
++
++c = *cc++;
+ #if PCRE2_CODE_UNIT_WIDTH == 32
+ if (c >= 0x110000)
+   return NULL;
diff --git a/gnu/packages/patches/scribus-poppler.patch b/gnu/packages/patches/scribus-poppler.patch
deleted file mode 100644
index 9b969e4cb6..0000000000
--- a/gnu/packages/patches/scribus-poppler.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Fix build with recent Poppler.
-
-From d867ec3c386baaed1b8e076dd70b278863411480 Mon Sep 17 00:00:00 2001
-From: Jean Ghali <jghali@libertysurf.fr>
-Date: Mon, 30 Apr 2018 09:19:33 +0000
-Subject: [PATCH] =?UTF-8?q?#15289:=20FTBFS=201.5.4=20with=20error:=20inval?=
- =?UTF-8?q?id=20conversion=20from=20=E2=80=98const=20GooString*=E2=80=99?=
- =?UTF-8?q?=20to=20=E2=80=98GooString*=E2=80=99?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-git-svn-id: svn://scribus.net/trunk/Scribus@22498 11d20701-8431-0410-a711-e3c959e3b870
----
- scribus/plugins/import/pdf/importpdf.cpp | 2 +-
- scribus/plugins/import/pdf/importpdf.h   | 2 +-
- scribus/plugins/import/pdf/slaoutput.cpp | 2 +-
- scribus/plugins/import/pdf/slaoutput.h   | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/scribus/plugins/import/pdf/importpdf.cpp b/scribus/plugins/import/pdf/importpdf.cpp
-index c1802861aa..d4c5a9ba49 100644
---- a/scribus/plugins/import/pdf/importpdf.cpp
-+++ b/scribus/plugins/import/pdf/importpdf.cpp
-@@ -1081,7 +1081,7 @@ QRectF PdfPlug::getCBox(int box, int pgNum)
- 	return cRect;

- }

- 

--QString PdfPlug::UnicodeParsedString(GooString *s1)

-+QString PdfPlug::UnicodeParsedString(const GooString *s1)

- {

- 	if ( !s1 || s1->getLength() == 0 )

- 		return QString();

-diff --git a/scribus/plugins/import/pdf/importpdf.h b/scribus/plugins/import/pdf/importpdf.h
-index c8c5efcd0d..5249562692 100644
---- a/scribus/plugins/import/pdf/importpdf.h
-+++ b/scribus/plugins/import/pdf/importpdf.h
-@@ -81,7 +81,7 @@ class PdfPlug : public QObject
- private:
- 	bool convert(const QString& fn);
- 	QRectF getCBox(int box, int pgNum);
--	QString UnicodeParsedString(GooString *s1);
-+	QString UnicodeParsedString(const GooString *s1);
- 	
- 	QList<PageItem*> Elements;
- 	double baseX, baseY;
-diff --git a/scribus/plugins/import/pdf/slaoutput.cpp b/scribus/plugins/import/pdf/slaoutput.cpp
-index be1815dc29..17b6357246 100644
---- a/scribus/plugins/import/pdf/slaoutput.cpp
-+++ b/scribus/plugins/import/pdf/slaoutput.cpp
-@@ -4252,7 +4252,7 @@ void SlaOutputDev::pushGroup(QString maskName, GBool forSoftMask, GBool alpha, b
- 	m_groupStack.push(gElements);

- }

- 

--QString SlaOutputDev::UnicodeParsedString(GooString *s1)

-+QString SlaOutputDev::UnicodeParsedString(const GooString *s1)

- {

- 	if ( !s1 || s1->getLength() == 0 )

- 		return QString();

-diff --git a/scribus/plugins/import/pdf/slaoutput.h b/scribus/plugins/import/pdf/slaoutput.h
-index 20e8b2d311..6698c030e0 100644
---- a/scribus/plugins/import/pdf/slaoutput.h
-+++ b/scribus/plugins/import/pdf/slaoutput.h
-@@ -266,7 +266,7 @@ class SlaOutputDev : public OutputDev
- 	int getBlendMode(GfxState *state);
- 	void applyMask(PageItem *ite);
- 	void pushGroup(QString maskName = "", GBool forSoftMask = gFalse, GBool alpha = gFalse, bool inverted = false);
--	QString UnicodeParsedString(GooString *s1);
-+	QString UnicodeParsedString(const GooString *s1);
- 	bool checkClip();
- 	bool pathIsClosed;
- 	QString CurrColorFill;
diff --git a/gnu/packages/patches/strace-ipc-tests.patch b/gnu/packages/patches/strace-ipc-tests.patch
new file mode 100644
index 0000000000..49341765ca
--- /dev/null
+++ b/gnu/packages/patches/strace-ipc-tests.patch
@@ -0,0 +1,30 @@
+Fix a test failure on some systems.
+
+Taken from upstream:
+https://github.com/strace/strace/commit/4377e3a1535a0ec3a42da8a1366ad6943f4efa0e
+
+diff --git a/tests/gen_tests.in b/tests/gen_tests.in
+index 4a506b94c..4fdf4722c 100644
+--- a/tests/gen_tests.in
++++ b/tests/gen_tests.in
+@@ -168,16 +168,16 @@ ipc_msg-Xabbrev	+ipc.sh -Xabbrev -a26
+ ipc_msg-Xraw	+ipc.sh -Xraw -a16
+ ipc_msg-Xverbose	+ipc.sh -Xverbose -a34
+ ipc_msgbuf-Xabbrev	+ipc_msgbuf.test -Xabbrev
+-ipc_msgbuf-Xraw	+ipc_msgbuf.test -Xraw -a22
++ipc_msgbuf-Xraw	+ipc_msgbuf.test -Xraw -a20
+ ipc_msgbuf-Xverbose	+ipc_msgbuf.test -Xverbose
+ ipc_sem	+ipc.sh -a29
+ ipc_sem-Xabbrev	+ipc.sh -Xabbrev -a29
+ ipc_sem-Xraw	+ipc.sh -Xraw -a19
+ ipc_sem-Xverbose	+ipc.sh -Xverbose -a36
+-ipc_shm	+ipc.sh -a29
+-ipc_shm-Xabbrev	+ipc.sh -Xabbrev -a29
++ipc_shm	+ipc.sh -a26
++ipc_shm-Xabbrev	+ipc.sh -Xabbrev -a26
+ ipc_shm-Xraw	+ipc.sh -Xraw -a19
+-ipc_shm-Xverbose	+ipc.sh -Xverbose -a36
++ipc_shm-Xverbose	+ipc.sh -Xverbose -a34
+ kcmp	-a22
+ kcmp-y	-a22 -y -e trace=kcmp
+ kern_features -a16