1
0

(mozilla-bmo1446062.patch)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=639
This commit is contained in:
Wolfgang Rosenauer 2018-03-17 08:09:22 +00:00 committed by Git OBS Bridge
parent 5257d425d0
commit 032c70a665
3 changed files with 119 additions and 0 deletions

View File

@ -7,6 +7,7 @@ Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org
Vorbis audio processing out of bounds write
* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
(mozilla-bmo1446062.patch)
-------------------------------------------------------------------
Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com

View File

@ -151,6 +151,7 @@ Patch6: mozilla-reduce-files-per-UnifiedBindings.patch
Patch7: mozilla-aarch64-startup-crash.patch
Patch8: mozilla-bmo256180.patch
Patch9: mozilla-bmo1005535.patch
Patch10: mozilla-bmo1446062.patch
# Firefox/browser
Patch101: firefox-kde.patch
Patch102: firefox-branded-icons.patch
@ -262,6 +263,7 @@ cd $RPM_BUILD_DIR/mozilla
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
# Firefox
%patch101 -p1
%patch102 -p1

116
mozilla-bmo1446062.patch Normal file
View File

@ -0,0 +1,116 @@
# HG changeset patch
# User Thomas Daede <daede003@umn.edu>
# Date 1521175629 25200
# Node ID 5cd5586a2f48424a9031a3fa4c782954a9df9a52
# Parent 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
Bug 1446062: libtremor Vorbis fix. r=jmspeex a=dveditz
diff --git a/media/libtremor/lib/tremor_codebook.c b/media/libtremor/lib/tremor_codebook.c
--- a/media/libtremor/lib/tremor_codebook.c
+++ b/media/libtremor/lib/tremor_codebook.c
@@ -253,26 +253,26 @@ long vorbis_book_decodevs_add(codebook *
if(shift>=0){
for (i = 0; i < step; i++) {
entry[i]=decode_packed_entry_number(book,b);
if(entry[i]==-1)return(-1);
t[i] = book->valuelist+entry[i]*book->dim;
}
for(i=0,o=0;i<book->dim;i++,o+=step)
- for (j=0;j<step;j++)
+ for (j=0;o+j<n && j<step;j++)
a[o+j]+=t[j][i]>>shift;
}else{
for (i = 0; i < step; i++) {
entry[i]=decode_packed_entry_number(book,b);
if(entry[i]==-1)return(-1);
t[i] = book->valuelist+entry[i]*book->dim;
}
for(i=0,o=0;i<book->dim;i++,o+=step)
- for (j=0;j<step;j++)
+ for (j=0;o+j<n && j<step;j++)
a[o+j]+=t[j][i]<<-shift;
}
}
return(0);
}
/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
@@ -282,25 +282,25 @@ long vorbis_book_decodev_add(codebook *b
ogg_int32_t *t;
int shift=point-book->binarypoint;
if(shift>=0){
for(i=0;i<n;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;)
+ for (j=0;i<n && j<book->dim;)
a[i++]+=t[j++]>>shift;
}
}else{
for(i=0;i<n;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;)
+ for (j=0;i<n && j<book->dim;)
a[i++]+=t[j++]<<-shift;
}
}
}
return(0);
}
/* unlike the others, we guard against n not being an integer number
@@ -347,41 +347,41 @@ long vorbis_book_decodev_set(codebook *b
/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
long offset,int ch,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
long i,j,entry;
int chptr=0;
int shift=point-book->binarypoint;
-
+ int m=offset+n;
if(shift>=0){
- for(i=offset;i<offset+n;){
+ for(i=offset;i<m;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
{
const ogg_int32_t *t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=t[j]>>shift;
if(chptr==ch){
chptr=0;
i++;
}
}
}
}
}else{
- for(i=offset;i<offset+n;){
+ for(i=offset;i<m;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
{
const ogg_int32_t *t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=t[j]<<-shift;
if(chptr==ch){
chptr=0;
i++;
}
}
}
}