Accepting request 588007 from home:tiwai:branches:multimedia:libs
- Fix VUL-0: libvorbis: Out of bounds memory write while processing Vorbis audio data (CVE-2018-5146, bsc#1085687): libvorbis-CVE-2018-5146.patch OBS-URL: https://build.opensuse.org/request/show/588007 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=55
parent
1afa2ee08d
commit
475b820979
90
libvorbis-CVE-2018-5146.patch
Normal file
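--- /dev/null
+++ b/libvorbis-CVE-2018-5146.patch
@@ -0,0 +1,90 @@
+Fix out of bounds memory write while processing Vorbis audio data
+
+Taken from firefox fix patch (CVE-2018-5146, bsc#1085687)
+
+# HG changeset patch
+# User Monty Montgomery <monty@xiph.org>
+# Date 1521151925 14400
+# Node ID 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
+# Parent f2eb8ad26a29ec9715a1994b982cbe35a3ba3a12
+Bug 1446062 - Vorbis fix. r=jmspeex, a=lizzard
+
+---
+lib/codebook.c | 48 ++++++++++--------------------------------------
+1 file changed, 10 insertions(+), 38 deletions(-)
+
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *
+t[i] = book->valuelist+entry[i]*book->dim;
+}
+for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+a[o+j]+=t[j][i];
+}
+return(0);
+@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *b
+int i,j,entry;
+float *t;
+
+- if(book->dim>8){
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
+- a[i++]+=t[j++];
+- }
+- }else{
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- j=0;
+- switch((int)book->dim){
+- case 8:
+- a[i++]+=t[j++];
+- case 7:
+- a[i++]+=t[j++];
+- case 6:
+- a[i++]+=t[j++];
+- case 5:
+- a[i++]+=t[j++];
+- case 4:
+- a[i++]+=t[j++];
+- case 3:
+- a[i++]+=t[j++];
+- case 2:
+- a[i++]+=t[j++];
+- case 1:
+- a[i++]+=t[j++];
+- case 0:
+- break;
+- }
+- }
++ for(i=0;i<n;){
++ entry = decode_packed_entry_number(book,b);
++ if(entry==-1)return(-1);
++ t = book->valuelist+entry*book->dim;
++ for(j=0;i<n && j<book->dim;)
++ a[i++]+=t[j++];
+}
+}
+return(0);
+@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *
+long i,j,entry;
+int chptr=0;
+if(book->used_entries>0){
+- for(i=offset/ch;i<(offset+n)/ch;){
++ int m=(offset+n)/ch;
++ for(i=offset/ch;i<m;){
+entry = decode_packed_entry_number(book,b);
+if(entry==-1)return(-1);
+{
+const float *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+a[chptr++][i]+=t[j];
+if(chptr==ch){
+chptr=0;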
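Review bot: In the carried patch's last hunk (`@@ -471,12 +442,13 @@`, vorbis_book_decodevv_add) the new bound is declared `int m=(offset+n)/ch;`, while the index compared against it is `long i`, so the limit is narrowed to `int` before the `i<m` checks that now guard `a[chptr++][i]+=t[j]`. The function signature is cut off in the hunk header, so the type of `offset` is not visible here; if it is `long`, declaring `long m=(offset+n)/ch;` keeps both sides of the comparison in one type and avoids a truncated bound. The three added clamps (`o+j<n`, `i<n`, `i<m`) also carry no comment; a one-line `/* a codebook entry may extend past the end of the output: stop at the bound even if dim values remain */` above each inner loop would record why they must not be dropped in a later cleanup. All three function bodies start and end outside their hunks.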
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de
|
||||
|
||||
- Fix VUL-0: libvorbis: Out of bounds memory write while processing
|
||||
Vorbis audio data (CVE-2018-5146, bsc#1085687):
|
||||
libvorbis-CVE-2018-5146.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package libvorbis
|
||||
#
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -34,6 +34,7 @@ Patch11: vorbis-fix-linking.patch
|
||||
Patch12: vorbis-ocloexec.patch
|
||||
Patch21: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
|
||||
Patch22: 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
|
||||
Patch31: libvorbis-CVE-2018-5146.patch
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: libogg-devel
|
||||
BuildRequires: libtool
|
||||
@ -137,6 +138,7 @@ fi
|
||||
%patch12
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch31 -p1
|
||||
|
||||
%build
|
||||
# Fix optimization level
|
||||
|