From 032c70a6654cb3d6f9874ea6d305f7f0dcaceb20bbe17142981c68bdd3654744 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Sat, 17 Mar 2018 08:09:22 +0000 Subject: [PATCH] (mozilla-bmo1446062.patch) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=639 --- MozillaFirefox.changes | 1 + MozillaFirefox.spec | 2 + mozilla-bmo1446062.patch | 116 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 119 insertions(+) create mode 100644 mozilla-bmo1446062.patch diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index fd09121..73f98f3 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -7,6 +7,7 @@ Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org Vorbis audio processing out of bounds write * CVE-2018-5147 (bmo#1446365) Out of bounds memory write in libtremor + (mozilla-bmo1446062.patch) ------------------------------------------------------------------- Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index 9591830..f2bbd8c 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec @@ -151,6 +151,7 @@ Patch6: mozilla-reduce-files-per-UnifiedBindings.patch Patch7: mozilla-aarch64-startup-crash.patch Patch8: mozilla-bmo256180.patch Patch9: mozilla-bmo1005535.patch +Patch10: mozilla-bmo1446062.patch # Firefox/browser Patch101: firefox-kde.patch Patch102: firefox-branded-icons.patch @@ -262,6 +263,7 @@ cd $RPM_BUILD_DIR/mozilla %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 # Firefox %patch101 -p1 %patch102 -p1 diff --git a/mozilla-bmo1446062.patch b/mozilla-bmo1446062.patch new file mode 100644 index 0000000..3efe280 --- /dev/null +++ b/mozilla-bmo1446062.patch @@ -0,0 +1,116 @@ + +# HG changeset patch +# User Thomas Daede +# Date 1521175629 25200 +# Node ID 5cd5586a2f48424a9031a3fa4c782954a9df9a52 +# Parent 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a +Bug 1446062: libtremor Vorbis fix. r=jmspeex a=dveditz + +diff --git a/media/libtremor/lib/tremor_codebook.c b/media/libtremor/lib/tremor_codebook.c +--- a/media/libtremor/lib/tremor_codebook.c ++++ b/media/libtremor/lib/tremor_codebook.c +@@ -253,26 +253,26 @@ long vorbis_book_decodevs_add(codebook * + + if(shift>=0){ + for (i = 0; i < step; i++) { + entry[i]=decode_packed_entry_number(book,b); + if(entry[i]==-1)return(-1); + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;idim;i++,o+=step) +- for (j=0;j>shift; + }else{ + for (i = 0; i < step; i++) { + entry[i]=decode_packed_entry_number(book,b); + if(entry[i]==-1)return(-1); + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;idim;i++,o+=step) +- for (j=0;jbinarypoint; + + if(shift>=0){ + for(i=0;ivaluelist+entry*book->dim; +- for (j=0;jdim;) ++ for (j=0;idim;) + a[i++]+=t[j++]>>shift; + } + }else{ + for(i=0;ivaluelist+entry*book->dim; +- for (j=0;jdim;) ++ for (j=0;idim;) + a[i++]+=t[j++]<<-shift; + } + } + } + return(0); + } + + /* unlike the others, we guard against n not being an integer number +@@ -347,41 +347,41 @@ long vorbis_book_decodev_set(codebook *b + /* decode vector / dim granularity gaurding is done in the upper layer */ + long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\ + long offset,int ch, + oggpack_buffer *b,int n,int point){ + if(book->used_entries>0){ + long i,j,entry; + int chptr=0; + int shift=point-book->binarypoint; +- ++ int m=offset+n; + if(shift>=0){ + +- for(i=offset;ivaluelist+entry*book->dim; +- for (j=0;jdim;j++){ ++ for (j=0;idim;j++){ + a[chptr++][i]+=t[j]>>shift; + if(chptr==ch){ + chptr=0; + i++; + } + } + } + } + }else{ + +- for(i=offset;ivaluelist+entry*book->dim; +- for (j=0;jdim;j++){ ++ for (j=0;idim;j++){ + a[chptr++][i]+=t[j]<<-shift; + if(chptr==ch){ + chptr=0; + i++; + } + } + } + } +