From ae2f49d8c7395c36d58e001e505acb6f17fda086a7c9d141482edc7cdef1b358 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Thu, 26 Jul 2007 23:58:11 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvorbis?expand=0&rev=4

---
 libvorbis-maptype-check.diff | 41 ++++++++++++++++++++++++++++++++++++
 libvorbis.changes | 6 ++++++
 libvorbis.spec | 22 +++++++++++++------
 3 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 libvorbis-maptype-check.diff

diff --git a/libvorbis-maptype-check.diff b/libvorbis-maptype-check.diff
new file mode 100644
index 0000000..dac55e9
--- /dev/null
+++ b/libvorbis-maptype-check.diff
@@ -0,0 +1,41 @@
+Index: lib/info.c
+===================================================================
+--- lib/info.c (revision 13159)
++++ lib/info.c (revision 13160)
+@@ -139,7 +139,7 @@
+ memset(vc,0,sizeof(*vc));
+ }
+ 
+-/* blocksize 0 is guaranteed to be short, 1 is guarantted to be long.
++/* blocksize 0 is guaranteed to be short, 1 is guaranteed to be long.
+ They may be equal, but short will never ge greater than long */
+ int vorbis_info_blocksize(vorbis_info *vi,int zo){
+ codec_setup_info *ci = vi->codec_setup;
+@@ -162,14 +162,23 @@
+ if(ci->mode_param[i])_ogg_free(ci->mode_param[i]);
+ 
+ for(i=0;imaps;i++) /* unpack does the range checking */
+- _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
++ if(ci->map_param[i]) /* this may be cleaning up an aborted
++ unpack, in which case the below type
++ cannot be trusted */
++ _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
+ 
+ for(i=0;ifloors;i++) /* unpack does the range checking */
+- _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
++ if(ci->floor_param[i]) /* this may be cleaning up an aborted
++ unpack, in which case the below type
++ cannot be trusted */
++ _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
+ 
+ for(i=0;iresidues;i++) /* unpack does the range checking */
+- _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
+- 
++ if(ci->residue_param[i]) /* this may be cleaning up an aborted
++ unpack, in which case the below type
++ cannot be trusted */
++ _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
++ 
+ for(i=0;ibooks;i++){
+ if(ci->book_param[i]){
+ /* knows if the book was not alloced */
diff --git a/libvorbis.changes b/libvorbis.changes
index 3ee7884..bf66c15 100644
--- a/libvorbis.changes
+++ b/libvorbis.changes
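Review bot: The three added guards in the @@ -162 hunk use a NULL `ci->map_param[i]` (and the floor/residue equivalents) as the signal that a slot was never unpacked, so they stop `ci->map_type[i]` from indexing `_mapping_P` with an unvalidated value only if every slot of those arrays is zeroed when the codec_setup_info is allocated; the hunk does not show that allocation, so the assumption belongs in the comment, e.g. `/* NULL means this slot was never unpacked (ci must be zero-initialised), so *_type[i] is not validated yet */`. The same note applies to the floor and residue loops in this hunk. The loop bounds read `for(i=0;imaps;i++)` on this page, which looks like a rendering loss of the `<ci->` comparison rather than the patch text; confirm against the shipped file. The enclosing cleanup function starts and ends outside the hunk.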
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jul 9 10:48:33 CEST 2007 - tiwai@suse.de
+
+- fix array boundary conditional flaw in mapping (#287124,
+ CVE-2007-3106)
+
 -------------------------------------------------------------------
 Mon Apr 23 18:06:06 CEST 2007 - tiwai@suse.de
diff --git a/libvorbis.spec b/libvorbis.spec
index d1901e8..cff8803 100644
--- a/libvorbis.spec
+++ b/libvorbis.spec
@@ -14,9 +14,9 @@ Name: libvorbis
 BuildRequires: libogg-devel pkgconfig
 Summary: The Vorbis General Audio Compression Codec
 Version: 1.1.2
-Release: 45
+Release: 64
 Group: System/Libraries
-License: BSD License and BSD-like
+License: BSD 3-Clause
 URL: http://www.vorbis.com/
 Source: %{name}-%{version}.tar.bz2
 Patch1: libvorbis-lib64.dif
@@ -24,12 +24,16 @@ Patch2: libvorbis-m4.dif
 Patch5: libvorbis-%{version}-aotuv-b5.diff
 Patch6: libvorbis-%{version}-warning-fixes.diff
 Patch7: libvorbis-cflags.diff
+Patch8: libvorbis-maptype-check.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
-Ogg Vorbis is a fully open, nonproprietary, patent-and-royalty-free,
-and general-purpose compressed audio format for audio and music at
-fixed and variable bit rates from 16 to 128 kbps/channel.
+Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
+general-purpose compressed audio format for audio and music at fixed
+and variable bit rates from 16 to 128 kbps/channel.
+
+The native bitstream format of Vorbis is libogg (Ogg). Alternatively,
+libmatroska (matroska) can also be used.
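Review bot: `Patch8: libvorbis-maptype-check.diff` in the @@ -24,12 hunk carries no comment saying what it fixes, while the changelog hunks in this same commit tie the change to #287124 and CVE-2007-3106; a one-line comment directly above it, e.g. `# bounds check on mapping/floor/residue type before cleanup (#287124, CVE-2007-3106)`, keeps the security rationale next to the patch declaration where later maintainers will look when deciding whether it can be dropped. The `%patch8` line in the later hunk is applied without a -p level, like the other patches, which appears consistent with the `lib/info.c` paths inside the new file.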
@@ -39,14 +43,14 @@ Authors: Xiphophorus Company
 %package devel
-Summary: Include Files and Libraries mandatory for Development.
+Summary: Include Files and Libraries mandatory for Ogg Vorbis Development
 Group: Development/Libraries/C and C++
 Requires: glibc-devel, libogg-devel
 Requires: %{name} = %{version}
 %description devel
 This package contains all necessary include files and libraries needed
-to develop applications that require these.
+to compile and develop applications that use libvorbis.
@@ -61,6 +65,7 @@ Authors:
 %patch5
 %patch6
 %patch7
+%patch8
 if [ "%_lib" == "lib64" ]; then
 %patch1
 fi
@@ -103,6 +108,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/pkgconfig/*.pc
 %changelog
+* Mon Jul 09 2007 - tiwai@suse.de
+- fix array boundary conditional flaw in mapping (#287124,
+ CVE-2007-3106)
 * Mon Apr 23 2007 - tiwai@suse.de
 - use aoTuV beta5 patch:
 * The action of noise normalization has been improved.