Accepting request 588007 from home:tiwai:branches:multimedia:libs

- Fix VUL-0: libvorbis: Out of bounds memory write while processing Vorbis audio data (CVE-2018-5146, bsc#1085687): libvorbis-CVE-2018-5146.patch OBS-URL: https://build.opensuse.org/request/show/588007 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=55
2018-03-16 19:21:09 +00:00 · 2018-03-16 19:21:09 +00:00 · 475b820979
commit 475b820979
parent 1afa2ee08d
3 changed files with 100 additions and 1 deletions
--- a/libvorbis-CVE-2018-5146.patch
+++ b/libvorbis-CVE-2018-5146.patch
@ -0,0 +1,90 @@
+Fix out of bounds memory write while processing Vorbis audio data
+
+Taken from firefox fix patch (CVE-2018-5146, bsc#1085687)
+
+# HG changeset patch
+# User Monty Montgomery <monty@xiph.org>
+# Date 1521151925 14400
+# Node ID 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
+# Parent  f2eb8ad26a29ec9715a1994b982cbe35a3ba3a12
+Bug 1446062 - Vorbis fix. r=jmspeex, a=lizzard
+
+---
+ lib/codebook.c |   48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+--- a/lib/codebook.c
+++ b/lib/codebook.c
+@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *
+       t[i] = book->valuelist+entry[i]*book->dim;
+     }
+     for(i=0,o=0;i<book->dim;i++,o+=step)
+-      for (j=0;j<step;j++)
+      for (j=0;o+j<n && j<step;j++)
+         a[o+j]+=t[j][i];
+   }
+   return(0);
+@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *b
+     int i,j,entry;
+     float *t;
+ 
+-    if(book->dim>8){
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;)
+-          a[i++]+=t[j++];
+-      }
+-    }else{
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        j=0;
+-        switch((int)book->dim){
+-        case 8:
+-          a[i++]+=t[j++];
+-        case 7:
+-          a[i++]+=t[j++];
+-        case 6:
+-          a[i++]+=t[j++];
+-        case 5:
+-          a[i++]+=t[j++];
+-        case 4:
+-          a[i++]+=t[j++];
+-        case 3:
+-          a[i++]+=t[j++];
+-        case 2:
+-          a[i++]+=t[j++];
+-        case 1:
+-          a[i++]+=t[j++];
+-        case 0:
+-          break;
+-        }
+-      }
+    for(i=0;i<n;){
+      entry = decode_packed_entry_number(book,b);
+      if(entry==-1)return(-1);
+      t     = book->valuelist+entry*book->dim;
+      for(j=0;i<n && j<book->dim;)
+        a[i++]+=t[j++];
+     }
+   }
+   return(0);
+@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *
+   long i,j,entry;
+   int chptr=0;
+   if(book->used_entries>0){
+-    for(i=offset/ch;i<(offset+n)/ch;){
+    int m=(offset+n)/ch;
+    for(i=offset/ch;i<m;){
+       entry = decode_packed_entry_number(book,b);
+       if(entry==-1)return(-1);
+       {
+         const float *t = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;j++){
+        for (j=0;i<m && j<book->dim;j++){
+           a[chptr++][i]+=t[j];
+           if(chptr==ch){
+             chptr=0;
--- a/libvorbis.changes
+++ b/libvorbis.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de
+
+- Fix VUL-0: libvorbis: Out of bounds memory write while processing
+  Vorbis audio data (CVE-2018-5146, bsc#1085687):
+  libvorbis-CVE-2018-5146.patch
+
 -------------------------------------------------------------------
 Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de

--- a/libvorbis.spec
+++ b/libvorbis.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libvorbis
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -34,6 +34,7 @@ Patch11:        vorbis-fix-linking.patch
 Patch12:        vorbis-ocloexec.patch
 Patch21:        0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
 Patch22:        0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
+Patch31:        libvorbis-CVE-2018-5146.patch
 BuildRequires:  fdupes
 BuildRequires:  libogg-devel
 BuildRequires:  libtool
@ -137,6 +138,7 @@ fi
 %patch12
 %patch21 -p1
 %patch22 -p1
+%patch31 -p1

 %build
 # Fix optimization level