diff --git a/libvorbis.changes b/libvorbis.changes index 941e52a..9425609 100644 --- a/libvorbis.changes +++ b/libvorbis.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu May 3 15:56:28 CEST 2018 - tiwai@suse.de + +- Fix out-of-bounds access inside bark_noise_hybridmp function + (CVE-2017-14160, bsc#1059812): + downstream fix: vorbis-CVE-2017-14160.patch +- Fix stack-basedbuffer over-read in bark_noise_hybridm + (CVE-2018-10393, bsc#1091072): + downstream fix: vorbis-CVE-2018-10393.patch + ------------------------------------------------------------------- Sat Mar 17 14:54:44 CET 2018 - tiwai@suse.de diff --git a/libvorbis.spec b/libvorbis.spec index 30ae83a..57fcde8 100644 --- a/libvorbis.spec +++ b/libvorbis.spec @@ -28,6 +28,8 @@ Source1: baselibs.conf Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12: vorbis-ocloexec.patch +Patch101: vorbis-CVE-2017-14160.patch +Patch102: vorbis-CVE-2018-10393.patch BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig @@ -116,6 +118,8 @@ if [ "%{_lib}" == "lib64" ]; then %patch1 fi %patch12 +%patch101 -p1 +%patch102 -p1 %build # Fix optimization level diff --git a/vorbis-CVE-2017-14160.patch b/vorbis-CVE-2017-14160.patch new file mode 100644 index 0000000..eb08c04 --- /dev/null +++ b/vorbis-CVE-2017-14160.patch @@ -0,0 +1,53 @@ +From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001 +Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org> +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Wed, 15 Nov 2017 13:12:00 +0100 +Subject: [PATCH] CVE-2017-14160: make sure we don't overflow + +--- + lib/psy.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/lib/psy.c ++++ b/lib/psy.c +@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,co + XY[i] = tXY; + } + +- for (i = 0, x = 0.f;; i++, x += 1.f) { ++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { + + lo = b[i] >> 16; + if( lo>=0 ) break; +@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,co + noise[i] = R - offset; + } + +- for ( ;; i++, x += 1.f) { ++ for ( ; i < n; i++, x += 1.f) { + + lo = b[i] >> 16; + hi = b[i] & 0xffff; + if(hi>=n)break; +- + tN = N[hi] - N[lo]; + tX = X[hi] - X[lo]; + tXX = XX[hi] - XX[lo]; +@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,co + + if (fixed <= 0) return; + +- for (i = 0, x = 0.f;; i++, x += 1.f) { ++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { + hi = i + fixed / 2; + lo = hi - fixed; + if(lo>=0)break; +@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,co + + if (R - offset < noise[i]) noise[i] = R - offset; + } +- for ( ;; i++, x += 1.f) { ++ for ( ; i < n; i++, x += 1.f) { + + hi = i + fixed / 2; + lo = hi - fixed; diff --git a/vorbis-CVE-2018-10393.patch b/vorbis-CVE-2018-10393.patch new file mode 100644 index 0000000..9bc99a5 --- /dev/null +++ b/vorbis-CVE-2018-10393.patch @@ -0,0 +1,39 @@ +--- + lib/psy.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/lib/psy.c ++++ b/lib/psy.c +@@ -604,6 +604,7 @@ static void bark_noise_hybridmp(int n,co + lo = b[i] >> 16; + if( lo>=0 ) break; + hi = b[i] & 0xffff; ++ if( hi>=n || -lo >=n ) break; + + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +@@ -625,7 +626,7 @@ static void bark_noise_hybridmp(int n,co + + lo = b[i] >> 16; + hi = b[i] & 0xffff; +- if(hi>=n)break; ++ if( hi>=n || lo >=n ) break; + tN = N[hi] - N[lo]; + tX = X[hi] - X[lo]; + tXX = XX[hi] - XX[lo]; +@@ -654,6 +655,7 @@ static void bark_noise_hybridmp(int n,co + hi = i + fixed / 2; + lo = hi - fixed; + if(lo>=0)break; ++ if( hi>=n || -lo >=n ) break; + + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +@@ -674,6 +676,7 @@ static void bark_noise_hybridmp(int n,co + hi = i + fixed / 2; + lo = hi - fixed; + if(hi>=n)break; ++ if( hi>=n || lo >=n ) break; + + tN = N[hi] - N[lo]; + tX = X[hi] - X[lo];