(mozilla-bmo1446062.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=639
This commit is contained in:
parent
5257d425d0
commit
032c70a665
@ -7,6 +7,7 @@ Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org
|
||||
Vorbis audio processing out of bounds write
|
||||
* CVE-2018-5147 (bmo#1446365)
|
||||
Out of bounds memory write in libtremor
|
||||
(mozilla-bmo1446062.patch)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com
|
||||
|
@ -151,6 +151,7 @@ Patch6: mozilla-reduce-files-per-UnifiedBindings.patch
|
||||
Patch7: mozilla-aarch64-startup-crash.patch
|
||||
Patch8: mozilla-bmo256180.patch
|
||||
Patch9: mozilla-bmo1005535.patch
|
||||
Patch10: mozilla-bmo1446062.patch
|
||||
# Firefox/browser
|
||||
Patch101: firefox-kde.patch
|
||||
Patch102: firefox-branded-icons.patch
|
||||
@ -262,6 +263,7 @@ cd $RPM_BUILD_DIR/mozilla
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
# Firefox
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
|
116
mozilla-bmo1446062.patch
Normal file
116
mozilla-bmo1446062.patch
Normal file
@ -0,0 +1,116 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User Thomas Daede <daede003@umn.edu>
|
||||
# Date 1521175629 25200
|
||||
# Node ID 5cd5586a2f48424a9031a3fa4c782954a9df9a52
|
||||
# Parent 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
|
||||
Bug 1446062: libtremor Vorbis fix. r=jmspeex a=dveditz
|
||||
|
||||
diff --git a/media/libtremor/lib/tremor_codebook.c b/media/libtremor/lib/tremor_codebook.c
|
||||
--- a/media/libtremor/lib/tremor_codebook.c
|
||||
+++ b/media/libtremor/lib/tremor_codebook.c
|
||||
@@ -253,26 +253,26 @@ long vorbis_book_decodevs_add(codebook *
|
||||
|
||||
if(shift>=0){
|
||||
for (i = 0; i < step; i++) {
|
||||
entry[i]=decode_packed_entry_number(book,b);
|
||||
if(entry[i]==-1)return(-1);
|
||||
t[i] = book->valuelist+entry[i]*book->dim;
|
||||
}
|
||||
for(i=0,o=0;i<book->dim;i++,o+=step)
|
||||
- for (j=0;j<step;j++)
|
||||
+ for (j=0;o+j<n && j<step;j++)
|
||||
a[o+j]+=t[j][i]>>shift;
|
||||
}else{
|
||||
for (i = 0; i < step; i++) {
|
||||
entry[i]=decode_packed_entry_number(book,b);
|
||||
if(entry[i]==-1)return(-1);
|
||||
t[i] = book->valuelist+entry[i]*book->dim;
|
||||
}
|
||||
for(i=0,o=0;i<book->dim;i++,o+=step)
|
||||
- for (j=0;j<step;j++)
|
||||
+ for (j=0;o+j<n && j<step;j++)
|
||||
a[o+j]+=t[j][i]<<-shift;
|
||||
}
|
||||
}
|
||||
return(0);
|
||||
}
|
||||
|
||||
/* decode vector / dim granularity gaurding is done in the upper layer */
|
||||
long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
|
||||
@@ -282,25 +282,25 @@ long vorbis_book_decodev_add(codebook *b
|
||||
ogg_int32_t *t;
|
||||
int shift=point-book->binarypoint;
|
||||
|
||||
if(shift>=0){
|
||||
for(i=0;i<n;){
|
||||
entry = decode_packed_entry_number(book,b);
|
||||
if(entry==-1)return(-1);
|
||||
t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;)
|
||||
+ for (j=0;i<n && j<book->dim;)
|
||||
a[i++]+=t[j++]>>shift;
|
||||
}
|
||||
}else{
|
||||
for(i=0;i<n;){
|
||||
entry = decode_packed_entry_number(book,b);
|
||||
if(entry==-1)return(-1);
|
||||
t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;)
|
||||
+ for (j=0;i<n && j<book->dim;)
|
||||
a[i++]+=t[j++]<<-shift;
|
||||
}
|
||||
}
|
||||
}
|
||||
return(0);
|
||||
}
|
||||
|
||||
/* unlike the others, we guard against n not being an integer number
|
||||
@@ -347,41 +347,41 @@ long vorbis_book_decodev_set(codebook *b
|
||||
/* decode vector / dim granularity gaurding is done in the upper layer */
|
||||
long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
|
||||
long offset,int ch,
|
||||
oggpack_buffer *b,int n,int point){
|
||||
if(book->used_entries>0){
|
||||
long i,j,entry;
|
||||
int chptr=0;
|
||||
int shift=point-book->binarypoint;
|
||||
-
|
||||
+ int m=offset+n;
|
||||
if(shift>=0){
|
||||
|
||||
- for(i=offset;i<offset+n;){
|
||||
+ for(i=offset;i<m;){
|
||||
entry = decode_packed_entry_number(book,b);
|
||||
if(entry==-1)return(-1);
|
||||
{
|
||||
const ogg_int32_t *t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;j++){
|
||||
+ for (j=0;i<m && j<book->dim;j++){
|
||||
a[chptr++][i]+=t[j]>>shift;
|
||||
if(chptr==ch){
|
||||
chptr=0;
|
||||
i++;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}else{
|
||||
|
||||
- for(i=offset;i<offset+n;){
|
||||
+ for(i=offset;i<m;){
|
||||
entry = decode_packed_entry_number(book,b);
|
||||
if(entry==-1)return(-1);
|
||||
{
|
||||
const ogg_int32_t *t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;j++){
|
||||
+ for (j=0;i<m && j<book->dim;j++){
|
||||
a[chptr++][i]+=t[j]<<-shift;
|
||||
if(chptr==ch){
|
||||
chptr=0;
|
||||
i++;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user