From 9de32d4bab2b6a3a35335090688a9fb581314478932f675588d72db66c6431b5 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Wed, 26 May 2010 13:35:28 +0000
Subject: [PATCH] fix CVE-2009-3379
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=11
---
 libvorbis-r16326-CVE-2009-3379.diff | 15 +++++++++++++++
 libvorbis-r16597-CVE-2009-3379.diff | 14 ++++++++++++++
 libvorbis.changes | 6 ++++++
 libvorbis.spec | 4 ++++
 4 files changed, 39 insertions(+)
 create mode 100644 libvorbis-r16326-CVE-2009-3379.diff
 create mode 100644 libvorbis-r16597-CVE-2009-3379.diff
diff --git a/libvorbis-r16326-CVE-2009-3379.diff b/libvorbis-r16326-CVE-2009-3379.diff
new file mode 100644
index 0000000..553a281
--- /dev/null
+++ b/libvorbis-r16326-CVE-2009-3379.diff
@@ -0,0 +1,15 @@
+---
+ lib/backends.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/backends.h
++++ b/lib/backends.h
+@@ -111,7 +111,7 @@
+ int partitions; /* possible codebooks for a partition */
+ int groupbook; /* huffbook for partitioning */
+ int secondstages[64]; /* expanded out to pointers in lookup */
+- int booklist[256]; /* list of second stage books */
++ int booklist[512]; /* list of second stage books */
+
+ const float classmetric1[64];
+ const float classmetric2[64];
diff --git a/libvorbis-r16597-CVE-2009-3379.diff b/libvorbis-r16597-CVE-2009-3379.diff
new file mode 100644
index 0000000..9812403
--- /dev/null
+++ b/libvorbis-r16597-CVE-2009-3379.diff
@@ -0,0 +1,14 @@
+---
+ lib/codebook.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -198,6 +198,7 @@
+ for(i=0;ientries;){
+ long num=oggpack_read(opb,_ilog(s->entries-i));
+ if(num==-1)goto _eofout;
++ if(length>32)goto _errout;
+ for(j=0;jentries;j++,i++)
+ s->lengthlist[i]=length;
+ length++;
diff --git a/libvorbis.changes b/libvorbis.changes
index f89bac5..4c135cc 100644
--- a/libvorbis.changes
+++ b/libvorbis.changes
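Review bot: In the lib/backends.h patch, `booklist[512]` swaps one bare constant for another, and nothing in the declaration records why 512 is the correct bound. The neighbouring `secondstages[64]` suggests the limit is 64 partitions with up to 8 second-stage books each; if that is the derivation, say so in the comment, e.g. `int booklist[512]; /* list of second stage books; 64 partitions * 8 stages max */`. The code that fills `booklist` is not part of this hunk, so whether it checks its write index against the array size cannot be confirmed from here. An explicit bound at the write site would keep the fix from resting on the header constant alone. The struct starts and ends outside the hunk.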
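Review bot: In the lib/codebook.c patch, the new guard `if(length>32)goto _errout;` uses an unexplained literal, so a reader cannot tell which later consumer of `lengthlist` the limit protects. A short comment on that line would record the invariant, e.g. `/* reject codeword lengths above 32 before they are stored */`. The guard is placed before the `s->lengthlist[i]=length;` store, so an over-long length is never written into the table. The enclosing function and the `_errout` label are outside the hunk, so whether this error path releases what was allocated earlier cannot be checked from here.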
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed May 26 15:03:32 CEST 2010 - tiwai@suse.de + +- VUL-0: libvorbis: memory corruption while parsing ogg files + (bnc#608192, CVE-2009-3379) + ------------------------------------------------------------------- Wed Dec 16 10:17:40 CET 2009 - jengelh@medozas.de diff --git a/libvorbis.spec b/libvorbis.spec index ca2c5cc..0d6667f 100644 --- a/libvorbis.spec +++ b/libvorbis.spec @@ -40,6 +40,8 @@ Patch3: libvorbis-automake-fix.diff # Patch5: libvorbis-%{version}-aotuv-b5.7.diff Patch9: libvorbis-doc-fixes.diff Patch10: libvorbis-pkgconfig.patch +Patch11: libvorbis-r16326-CVE-2009-3379.diff +Patch12: libvorbis-r16597-CVE-2009-3379.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -106,6 +108,8 @@ Authors: # %patch5 -p1 %patch9 %patch10 +%patch11 -p1 +%patch12 -p1 if [ "%_lib" == "lib64" ]; then %patch1 fi