Accepting request 148342 from multimedia:libs

Fix a minor security issue. This fix is in version 1.0.2, however since we are in freeze, I cherrypicked this fix from upstream git.

From commit https://git.xiph.org/?p=opus.git;a=commit;h=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38

Fixes an out-of-bounds read issue with the padding handling code

This was reported by Juri Aedla and is limited to reading memory up
to about 60 kB beyond the compressed buffer. This can only be triggered
by a compressed packet more than about 16 MB long, so it's not a problem
for RTP. In theory, it *could* crash an Ogg decoder if the memory just after
the incoming packet is out-of-range.
 (forwarded request 148337 from Zaitor)

OBS-URL: https://build.opensuse.org/request/show/148342
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/opus?expand=0&rev=3
This commit is contained in:
Stephan Kulow 2013-01-14 08:44:10 +00:00 committed by Git OBS Bridge
commit c6d6713ad6
3 changed files with 37 additions and 1 deletions

View File

@ -0,0 +1,24 @@
X-Git-Url: https://git.xiph.org/?p=opus.git;a=blobdiff_plain;f=src%2Fopus_decoder.c;h=0be6730d133c417fd87620b774029986dcee6efb;hp=167e4e4891e66dce7a65a6ca761fb58fb190267a;hb=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38;hpb=b05aa1dd763fe238c6e928385664e86bd66118e7
diff --git a/src/opus_decoder.c b/src/opus_decoder.c
index 167e4e4..0be6730 100644
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -641,16 +641,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len,
/* Padding flag is bit 6 */
if (ch&0x40)
{
- int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
- padding += p==255 ? 254: p;
+ len -= p==255 ? 254: p;
} while (p==255);
- len -= padding;
}
if (len<0)
return OPUS_INVALID_PACKET;

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Sun Jan 13 20:13:46 UTC 2013 - zaitor@opensuse.org
- Add
opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch
Fixes an out-of-bounds read that could be triggered by a
 malicious Opus packet causing an integer wrap-around in the
 padding code.
-------------------------------------------------------------------
Wed Sep 19 18:56:42 UTC 2012 - zaitor@opensuse.org

View File

@ -1,7 +1,7 @@
#
# spec file for package opus
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2012 Pascal Bleser <pascal.bleser@opensuse.org>
#
# All modifications and additions to the file contributed by third parties
@ -26,6 +26,8 @@ License: BSD-3-Clause
Group: System/Libraries
Source: http://downloads.xiph.org/releases/opus/opus-%{version}.tar.gz
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch zaitor@opensuse.org -- Fixes an out-of-bounds read issue with the padding handling code
Patch0: opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch
Url: http://opus-codec.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libtool
@ -68,6 +70,7 @@ technology from Skype's SILK codec and Xiph.Org's CELT codec.
%prep
%setup -q
%patch0 -p1
%build
%configure \