From 0459bda34d10cc17f5e5659473a03dc3e0796b50f3ed75cf622e0bde85ca6bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Sun, 13 Jan 2013 20:43:28 +0000 Subject: [PATCH] Accepting request 148337 from home:Zaitor:branches:multimedia:libs:opus MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a minor security issue. This fix is in version 1.0.2, however since we are in freeze, I cherrypicked this fix from upstream git. From commit https://git.xiph.org/?p=opus.git;a=commit;h=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 Fixes an out-of-bounds read issue with the padding handling code This was reported by Juri Aedla and is limited to reading memory up to about 60 kB beyond the compressed buffer. This can only be triggered by a compressed packet more than about 16 MB long, so it's not a problem for RTP. In theory, it *could* crash an Ogg decoder if the memory just after the incoming packet is out-of-range. OBS-URL: https://build.opensuse.org/request/show/148337 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/opus?expand=0&rev=5 --- ...read-issue-with-the-padding-handling.patch | 24 +++++++++++++++++++ opus.changes | 9 +++++++ opus.spec | 5 +++- 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch diff --git a/opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch b/opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch new file mode 100644 index 0000000..06e22e0 --- /dev/null +++ b/opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch 
@@ -0,0 +1,24 @@ +X-Git-Url: https://git.xiph.org/?p=opus.git;a=blobdiff_plain;f=src%2Fopus_decoder.c;h=0be6730d133c417fd87620b774029986dcee6efb;hp=167e4e4891e66dce7a65a6ca761fb58fb190267a;hb=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38;hpb=b05aa1dd763fe238c6e928385664e86bd66118e7 + +diff --git a/src/opus_decoder.c b/src/opus_decoder.c +index 167e4e4..0be6730 100644 +--- a/src/opus_decoder.c ++++ b/src/opus_decoder.c +@@ -641,16 +641,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len, + /* Padding flag is bit 6 */ + if (ch&0x40) + { +- int padding=0; + int p; + do { + if (len<=0) + return OPUS_INVALID_PACKET; + p = *data++; + len--; +- padding += p==255 ? 254: p; ++ len -= p==255 ? 254: p; + } while (p==255); +- len -= padding; + } + if (len<0) + return OPUS_INVALID_PACKET; diff --git a/opus.changes b/opus.changes index fde094a..8d3cc2e 100644 --- a/opus.changes +++ b/opus.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Sun Jan 13 20:13:46 UTC 2013 - zaitor@opensuse.org + +- Add + opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch + Fixes an out-of-bounds read that could be triggered by a +  malicious Opus packet causing an integer wrap-around in the +  padding code. + ------------------------------------------------------------------- Wed Sep 19 18:56:42 UTC 2012 - zaitor@opensuse.org diff --git a/opus.spec b/opus.spec index 6ed845c..aff210b 100644 --- a/opus.spec +++ b/opus.spec @@ -1,7 +1,7 @@ # # spec file for package opus # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2012 Pascal Bleser # # All modifications and additions to the file contributed by third parties 
@@ -26,6 +26,8 @@ License: BSD-3-Clause Group: System/Libraries Source: http://downloads.xiph.org/releases/opus/opus-%{version}.tar.gz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch zaitor@opensuse.org -- Fixes an out-of-bounds read issue with the padding handling code +Patch0: opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch Url: http://opus-codec.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libtool @@ -68,6 +70,7 @@ technology from Skype's SILK codec and Xiph.Org's CELT codec. %prep %setup -q +%patch0 -p1 %build %configure \
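Review bot: In the opus_decoder.c hunk carried by the new patch file, `len -= p==255 ? 254: p;` can drive len negative inside the padding loop, and the fix then depends on two checks that are only context here: the `if (len<=0)` at the top of the next iteration and the `if (len<0)` after the block. Both are present in the visible lines, so the logic holds. Nothing in the code says why the subtraction has to happen per byte, though. A one-line comment there, stating that len is reduced inside the loop so that no running padding total can wrap, would keep a later cleanup from reintroducing the `padding` accumulator.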
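Review bot: The new opus.changes entry names the patch file and the wrap-around but not where the fix comes from. The commit message gives both pieces: upstream commit 9345aaa5ca1c2fb7d62981b2a538e0ce20612c38, already contained in version 1.0.2. Adding those to the entry tells whoever updates the package to 1.0.2 or later that the patch can be dropped.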
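Review bot: In opus.spec, the `# PATCH-FIX-UPSTREAM` comment above `Patch0:` carries no bug or advisory reference, although the request describes the change as a security fix. If a tracker entry exists for this issue, its id belongs in that comment and in the opus.changes entry so the fix can be found from the package metadata. The `%patch0 -p1` strip level matches the `a/src/opus_decoder.c` and `b/src/opus_decoder.c` paths in the patch file.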