forked from pool/MozillaFirefox
(mozilla-bmo1446062.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=639
This commit is contained in:
Wolfgang Rosenauer
Git OBS Bridge
parent
5257d425d0
commit
032c70a665
@ -7,6 +7,7 @@ Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org
|
|||||||
Vorbis audio processing out of bounds write
|
Vorbis audio processing out of bounds write
|
||||||
* CVE-2018-5147 (bmo#1446365)
|
* CVE-2018-5147 (bmo#1446365)
|
||||||
Out of bounds memory write in libtremor
|
Out of bounds memory write in libtremor
|
||||||
|
(mozilla-bmo1446062.patch)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com
|
Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com
|
||||||
|
|||||||
@ -151,6 +151,7 @@ Patch6: mozilla-reduce-files-per-UnifiedBindings.patch
|
|||||||
Patch7: mozilla-aarch64-startup-crash.patch
|
Patch7: mozilla-aarch64-startup-crash.patch
|
||||||
Patch8: mozilla-bmo256180.patch
|
Patch8: mozilla-bmo256180.patch
|
||||||
Patch9: mozilla-bmo1005535.patch
|
Patch9: mozilla-bmo1005535.patch
|
||||||
|
Patch10: mozilla-bmo1446062.patch
|
||||||
# Firefox/browser
|
# Firefox/browser
|
||||||
Patch101: firefox-kde.patch
|
Patch101: firefox-kde.patch
|
||||||
Patch102: firefox-branded-icons.patch
|
Patch102: firefox-branded-icons.patch
|
||||||
@ -262,6 +263,7 @@ cd $RPM_BUILD_DIR/mozilla
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
# Firefox
|
# Firefox
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%patch102 -p1
|
%patch102 -p1
|
||||||
|
|||||||
116
mozilla-bmo1446062.patch
Normal file
116
mozilla-bmo1446062.patch
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
|
||||||
|
# HG changeset patch
|
||||||
|
# User Thomas Daede <daede003@umn.edu>
|
||||||
|
# Date 1521175629 25200
|
||||||
|
# Node ID 5cd5586a2f48424a9031a3fa4c782954a9df9a52
|
||||||
|
# Parent 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
|
||||||
|
Bug 1446062: libtremor Vorbis fix. r=jmspeex a=dveditz
|
||||||
|
|
||||||
|
diff --git a/media/libtremor/lib/tremor_codebook.c b/media/libtremor/lib/tremor_codebook.c
|
||||||
|
--- a/media/libtremor/lib/tremor_codebook.c
|
||||||
|
+++ b/media/libtremor/lib/tremor_codebook.c
|
||||||
|
@@ -253,26 +253,26 @@ long vorbis_book_decodevs_add(codebook *
|
||||||
|
|
||||||
|
if(shift>=0){
|
||||||
|
for (i = 0; i < step; i++) {
|
||||||
|
entry[i]=decode_packed_entry_number(book,b);
|
||||||
|
if(entry[i]==-1)return(-1);
|
||||||
|
t[i] = book->valuelist+entry[i]*book->dim;
|
||||||
|
}
|
||||||
|
for(i=0,o=0;i<book->dim;i++,o+=step)
|
||||||
|
- for (j=0;j<step;j++)
|
||||||
|
+ for (j=0;o+j<n && j<step;j++)
|
||||||
|
a[o+j]+=t[j][i]>>shift;
|
||||||
|
}else{
|
||||||
|
for (i = 0; i < step; i++) {
|
||||||
|
entry[i]=decode_packed_entry_number(book,b);
|
||||||
|
if(entry[i]==-1)return(-1);
|
||||||
|
t[i] = book->valuelist+entry[i]*book->dim;
|
||||||
|
}
|
||||||
|
for(i=0,o=0;i<book->dim;i++,o+=step)
|
||||||
|
- for (j=0;j<step;j++)
|
||||||
|
+ for (j=0;o+j<n && j<step;j++)
|
||||||
|
a[o+j]+=t[j][i]<<-shift;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* decode vector / dim granularity gaurding is done in the upper layer */
|
||||||
|
long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
|
||||||
|
@@ -282,25 +282,25 @@ long vorbis_book_decodev_add(codebook *b
|
||||||
|
ogg_int32_t *t;
|
||||||
|
int shift=point-book->binarypoint;
|
||||||
|
|
||||||
|
if(shift>=0){
|
||||||
|
for(i=0;i<n;){
|
||||||
|
entry = decode_packed_entry_number(book,b);
|
||||||
|
if(entry==-1)return(-1);
|
||||||
|
t = book->valuelist+entry*book->dim;
|
||||||
|
- for (j=0;j<book->dim;)
|
||||||
|
+ for (j=0;i<n && j<book->dim;)
|
||||||
|
a[i++]+=t[j++]>>shift;
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
for(i=0;i<n;){
|
||||||
|
entry = decode_packed_entry_number(book,b);
|
||||||
|
if(entry==-1)return(-1);
|
||||||
|
t = book->valuelist+entry*book->dim;
|
||||||
|
- for (j=0;j<book->dim;)
|
||||||
|
+ for (j=0;i<n && j<book->dim;)
|
||||||
|
a[i++]+=t[j++]<<-shift;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* unlike the others, we guard against n not being an integer number
|
||||||
|
@@ -347,41 +347,41 @@ long vorbis_book_decodev_set(codebook *b
|
||||||
|
/* decode vector / dim granularity gaurding is done in the upper layer */
|
||||||
|
long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
|
||||||
|
long offset,int ch,
|
||||||
|
oggpack_buffer *b,int n,int point){
|
||||||
|
if(book->used_entries>0){
|
||||||
|
long i,j,entry;
|
||||||
|
int chptr=0;
|
||||||
|
int shift=point-book->binarypoint;
|
||||||
|
-
|
||||||
|
+ int m=offset+n;
|
||||||
|
if(shift>=0){
|
||||||
|
|
||||||
|
- for(i=offset;i<offset+n;){
|
||||||
|
+ for(i=offset;i<m;){
|
||||||
|
entry = decode_packed_entry_number(book,b);
|
||||||
|
if(entry==-1)return(-1);
|
||||||
|
{
|
||||||
|
const ogg_int32_t *t = book->valuelist+entry*book->dim;
|
||||||
|
- for (j=0;j<book->dim;j++){
|
||||||
|
+ for (j=0;i<m && j<book->dim;j++){
|
||||||
|
a[chptr++][i]+=t[j]>>shift;
|
||||||
|
if(chptr==ch){
|
||||||
|
chptr=0;
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
|
||||||
|
- for(i=offset;i<offset+n;){
|
||||||
|
+ for(i=offset;i<m;){
|
||||||
|
entry = decode_packed_entry_number(book,b);
|
||||||
|
if(entry==-1)return(-1);
|
||||||
|
{
|
||||||
|
const ogg_int32_t *t = book->valuelist+entry*book->dim;
|
||||||
|
- for (j=0;j<book->dim;j++){
|
||||||
|
+ for (j=0;i<m && j<book->dim;j++){
|
||||||
|
a[chptr++][i]+=t[j]<<-shift;
|
||||||
|
if(chptr==ch){
|
||||||
|
chptr=0;
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user