SOURCES: libvorbis-security-fixes.patch (NEW) - fix CVE-2008-1419, CVE-2008...
megabajt
megabajt at pld-linux.org
Fri May 16 20:37:00 CEST 2008
Author: megabajt Date: Fri May 16 18:37:00 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- fix CVE-2008-1419, CVE-2008-1420, CVE-2008-1423
---- Files affected:
SOURCES:
libvorbis-security-fixes.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/libvorbis-security-fixes.patch
diff -u /dev/null SOURCES/libvorbis-security-fixes.patch:1.1
--- /dev/null Fri May 16 20:37:00 2008
+++ SOURCES/libvorbis-security-fixes.patch Fri May 16 20:36:55 2008
@@ -0,0 +1,329 @@
+diff -urN libvorbis-1.2.0/examples/decoder_example.c libvorbis-1.2.0.new/examples/decoder_example.c
+--- libvorbis-1.2.0/examples/decoder_example.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/examples/decoder_example.c 2008-05-16 20:22:11.000000000 +0200
+@@ -194,108 +194,111 @@
+
+ /* OK, got and parsed all three headers. Initialize the Vorbis
+ packet->PCM decoder. */
+- vorbis_synthesis_init(&vd,&vi); /* central decode state */
+- vorbis_block_init(&vd,&vb); /* local state for most of the decode
+- so multiple block decodes can
+- proceed in parallel. We could init
+- multiple vorbis_block structures
+- for vd here */
+-
+- /* The rest is just a straight decode loop until end of stream */
+- while(!eos){
++ if(vorbis_synthesis_init(&vd,&vi)==0){ /* central decode state */
++ vorbis_block_init(&vd,&vb); /* local state for most of the decode
++ so multiple block decodes can
++ proceed in parallel. We could init
++ multiple vorbis_block structures
++ for vd here */
++
++ /* The rest is just a straight decode loop until end of stream */
+ while(!eos){
+- int result=ogg_sync_pageout(&oy,&og);
+- if(result==0)break; /* need more data */
+- if(result<0){ /* missing or corrupt data at this page position */
+- fprintf(stderr,"Corrupt or missing data in bitstream; "
+- "continuing...\n");
+- }else{
+- ogg_stream_pagein(&os,&og); /* can safely ignore errors at
+- this point */
+- while(1){
+- result=ogg_stream_packetout(&os,&op);
+-
+- if(result==0)break; /* need more data */
+- if(result<0){ /* missing or corrupt data at this page position */
+- /* no reason to complain; already complained above */
+- }else{
+- /* we have a packet. Decode it */
+- float **pcm;
+- int samples;
+-
+- if(vorbis_synthesis(&vb,&op)==0) /* test for success! */
+- vorbis_synthesis_blockin(&vd,&vb);
+- /*
+-
+- **pcm is a multichannel float vector. In stereo, for
+- example, pcm[0] is left, and pcm[1] is right. samples is
+- the size of each channel. Convert the float values
+- (-1.<=range<=1.) to whatever PCM format and write it out */
++ while(!eos){
++ int result=ogg_sync_pageout(&oy,&og);
++ if(result==0)break; /* need more data */
++ if(result<0){ /* missing or corrupt data at this page position */
++ fprintf(stderr,"Corrupt or missing data in bitstream; "
++ "continuing...\n");
++ }else{
++ ogg_stream_pagein(&os,&og); /* can safely ignore errors at
++ this point */
++ while(1){
++ result=ogg_stream_packetout(&os,&op);
+
+- while((samples=vorbis_synthesis_pcmout(&vd,&pcm))>0){
+- int j;
+- int clipflag=0;
+- int bout=(samples<convsize?samples:convsize);
++ if(result==0)break; /* need more data */
++ if(result<0){ /* missing or corrupt data at this page position */
++ /* no reason to complain; already complained above */
++ }else{
++ /* we have a packet. Decode it */
++ float **pcm;
++ int samples;
+
+- /* convert floats to 16 bit signed ints (host order) and
+- interleave */
+- for(i=0;i<vi.channels;i++){
+- ogg_int16_t *ptr=convbuffer+i;
+- float *mono=pcm[i];
+- for(j=0;j<bout;j++){
++ if(vorbis_synthesis(&vb,&op)==0) /* test for success! */
++ vorbis_synthesis_blockin(&vd,&vb);
++ /*
++
++ **pcm is a multichannel float vector. In stereo, for
++ example, pcm[0] is left, and pcm[1] is right. samples is
++ the size of each channel. Convert the float values
++ (-1.<=range<=1.) to whatever PCM format and write it out */
++
++ while((samples=vorbis_synthesis_pcmout(&vd,&pcm))>0){
++ int j;
++ int clipflag=0;
++ int bout=(samples<convsize?samples:convsize);
++
++ /* convert floats to 16 bit signed ints (host order) and
++ interleave */
++ for(i=0;i<vi.channels;i++){
++ ogg_int16_t *ptr=convbuffer+i;
++ float *mono=pcm[i];
++ for(j=0;j<bout;j++){
+ #if 1
+- int val=mono[j]*32767.f;
++ int val=mono[j]*32767.f;
+ #else /* optional dither */
+- int val=mono[j]*32767.f+drand48()-0.5f;
++ int val=mono[j]*32767.f+drand48()-0.5f;
+ #endif
+- /* might as well guard against clipping */
+- if(val>32767){
+- val=32767;
+- clipflag=1;
+- }
+- if(val<-32768){
+- val=-32768;
+- clipflag=1;
++ /* might as well guard against clipping */
++ if(val>32767){
++ val=32767;
++ clipflag=1;
++ }
++ if(val<-32768){
++ val=-32768;
++ clipflag=1;
++ }
++ *ptr=val;
++ ptr+=vi.channels;
+ }
+- *ptr=val;
+- ptr+=vi.channels;
+ }
+- }
+-
+- if(clipflag)
+- fprintf(stderr,"Clipping in frame %ld\n",(long)(vd.sequence));
+-
+-
+- fwrite(convbuffer,2*vi.channels,bout,stdout);
+-
+- vorbis_synthesis_read(&vd,bout); /* tell libvorbis how
+- many samples we
+- actually consumed */
+- }
++
++ if(clipflag)
++ fprintf(stderr,"Clipping in frame %ld\n",(long)(vd.sequence));
++
++
++ fwrite(convbuffer,2*vi.channels,bout,stdout);
++
++ vorbis_synthesis_read(&vd,bout); /* tell libvorbis how
++ many samples we
++ actually consumed */
++ }
++ }
+ }
++ if(ogg_page_eos(&og))eos=1;
+ }
+- if(ogg_page_eos(&og))eos=1;
++ }
++ if(!eos){
++ buffer=ogg_sync_buffer(&oy,4096);
++ bytes=fread(buffer,1,4096,stdin);
++ ogg_sync_wrote(&oy,bytes);
++ if(bytes==0)eos=1;
+ }
+ }
+- if(!eos){
+- buffer=ogg_sync_buffer(&oy,4096);
+- bytes=fread(buffer,1,4096,stdin);
+- ogg_sync_wrote(&oy,bytes);
+- if(bytes==0)eos=1;
+- }
++
++ /* ogg_page and ogg_packet structs always point to storage in
++ libvorbis. They're never freed or manipulated directly */
++
++ vorbis_block_clear(&vb);
++ vorbis_dsp_clear(&vd);
++ }else{
++ fprintf(stderr,"Error: Corrupt header during playback initialization.\n");
+ }
+-
++
+ /* clean up this logical bitstream; before exit we see if we're
+ followed by another [chained] */
+-
+- ogg_stream_clear(&os);
+-
+- /* ogg_page and ogg_packet structs always point to storage in
+- libvorbis. They're never freed or manipulated directly */
+
+- vorbis_block_clear(&vb);
+- vorbis_dsp_clear(&vd);
+- vorbis_comment_clear(&vc);
++ ogg_stream_clear(&os);
++ vorbis_comment_clear(&vc);
+ vorbis_info_clear(&vi); /* must be called last */
+ }
+
+diff -urN libvorbis-1.2.0/lib/block.c libvorbis-1.2.0.new/lib/block.c
+--- libvorbis-1.2.0/lib/block.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/lib/block.c 2008-05-16 20:22:11.000000000 +0200
+@@ -235,7 +235,8 @@
+ if(!ci->fullbooks){
+ ci->fullbooks=_ogg_calloc(ci->books,sizeof(*ci->fullbooks));
+ for(i=0;i<ci->books;i++){
+- vorbis_book_init_decode(ci->fullbooks+i,ci->book_param[i]);
++ if(vorbis_book_init_decode(ci->fullbooks+i,ci->book_param[i]))
++ return -1;
+ /* decode codebooks are now standalone after init */
+ vorbis_staticbook_destroy(ci->book_param[i]);
+ ci->book_param[i]=NULL;
+@@ -683,9 +684,11 @@
+ }
+
+ int vorbis_synthesis_init(vorbis_dsp_state *v,vorbis_info *vi){
+- if(_vds_shared_init(v,vi,0)) return 1;
++ if(_vds_shared_init(v,vi,0)){
++ vorbis_dsp_clear(v);
++ return 1;
++ }
+ vorbis_synthesis_restart(v);
+-
+ return 0;
+ }
+
+diff -urN libvorbis-1.2.0/lib/codebook.c libvorbis-1.2.0.new/lib/codebook.c
+--- libvorbis-1.2.0/lib/codebook.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/lib/codebook.c 2008-05-16 20:21:49.000000000 +0200
+@@ -159,6 +159,8 @@
+ s->entries=oggpack_read(opb,24);
+ if(s->entries==-1)goto _eofout;
+
++ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
++
+ /* codeword ordering.... length ordered or unordered? */
+ switch((int)oggpack_read(opb,1)){
+ case 0:
+@@ -225,7 +227,7 @@
+ int quantvals=0;
+ switch(s->maptype){
+ case 1:
+- quantvals=_book_maptype1_quantvals(s);
++ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+ break;
+ case 2:
+ quantvals=s->entries*s->dim;
+diff -urN libvorbis-1.2.0/lib/info.c libvorbis-1.2.0.new/lib/info.c
+--- libvorbis-1.2.0/lib/info.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/lib/info.c 2008-05-16 20:19:29.000000000 +0200
+@@ -236,17 +236,21 @@
+ int i;
+ int vendorlen=oggpack_read(opb,32);
+ if(vendorlen<0)goto err_out;
++ if(vendorlen+8>opb->storage)goto err_out;
+ vc->vendor=_ogg_calloc(vendorlen+1,1);
+ _v_readstring(opb,vc->vendor,vendorlen);
+- vc->comments=oggpack_read(opb,32);
+- if(vc->comments<0)goto err_out;
++ i=oggpack_read(opb,32);
++ if(i<0)goto err_out;
++ if(4*i+oggpack_bytes(opb)>opb->storage)goto err_out;
++ vc->comments=i;
+ vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
+ vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
+
+ for(i=0;i<vc->comments;i++){
+ int len=oggpack_read(opb,32);
+ if(len<0)goto err_out;
+- vc->comment_lengths[i]=len;
++ if(len+oggpack_bytes(opb)>opb->storage)goto err_out;
++ vc->comment_lengths[i]=len;
+ vc->user_comments[i]=_ogg_calloc(len+1,1);
+ _v_readstring(opb,vc->user_comments[i],len);
+ }
+diff -urN libvorbis-1.2.0/lib/res0.c libvorbis-1.2.0.new/lib/res0.c
+--- libvorbis-1.2.0/lib/res0.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/lib/res0.c 2008-05-16 20:20:49.000000000 +0200
+@@ -223,6 +223,20 @@
+ for(j=0;j<acc;j++)
+ if(info->booklist[j]>=ci->books)goto errout;
+
++ /* verify the phrasebook is not specifying an impossible or
++ inconsistent partitioning scheme. */
++ {
++ int entries = ci->book_param[info->groupbook]->entries;
++ int dim = ci->book_param[info->groupbook]->dim;
++ int partvals = 1;
++ while(dim>0){
++ partvals *= info->partitions;
++ if(partvals > entries) goto errout;
++ dim--;
++ }
++ if(partvals != entries) goto errout;
++ }
++
+ return(info);
+ errout:
+ res0_free_info(info);
+@@ -263,7 +277,7 @@
+ }
+ }
+
+- look->partvals=rint(pow((float)look->parts,(float)dim));
++ look->partvals=look->phrasebook->entries;
+ look->stages=maxstage;
+ look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
+ for(j=0;j<look->partvals;j++){
+diff -urN libvorbis-1.2.0/lib/sharedbook.c libvorbis-1.2.0.new/lib/sharedbook.c
+--- libvorbis-1.2.0/lib/sharedbook.c 2007-07-24 02:09:47.000000000 +0200
++++ libvorbis-1.2.0.new/lib/sharedbook.c 2008-05-16 20:22:11.000000000 +0200
+@@ -124,7 +124,14 @@
+ }else
+ if(sparsecount==0)count++;
+ }
+-
++
++ /* sanity check the huffman tree; an underpopulated tree must be rejected. */
++ for(i=1;i<33;i++)
++ if(marker[i] & (0xffffffffUL>>(32-i))){
++ _ogg_free(r);
++ return(NULL);
++ }
++
+ /* bitreverse the words because our bitwise packer/unpacker is LSb
+ endian */
+ for(i=0,count=0;i<n;i++){
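Review bot: The new bounds checks in the lib/info.c hunk are themselves computed with attacker-controlled 32-bit values in `int` arithmetic (`vendorlen+8`, `4*i+oggpack_bytes(opb)`, `len+oggpack_bytes(opb)`), so a comment header carrying a length near `INT_MAX` overflows the left-hand side (undefined behaviour, in practice wrapping negative) and passes the comparison it was added to enforce, after which `_ogg_calloc`/`_v_readstring` run with the unchecked length anyway. Moving the constant and the byte count to the `opb->storage` side keeps every intermediate within range: `if(vendorlen>opb->storage-8)goto err_out;`, `if(i>((opb->storage-oggpack_bytes(opb))>>2))goto err_out;` and `if(len>opb->storage-oggpack_bytes(opb))goto err_out;`. The enclosing comment-unpacking function starts and ends outside this hunk, and whether `opb->storage` is a `long` (as the libogg type suggests) cannot be confirmed from the page, so the rewritten comparisons should be checked against that declaration. A smaller point in the examples/decoder_example.c hunk: `vorbis_block_init(&vd,&vb)` is still called without checking its return while the surrounding change introduces a return-value check for `vorbis_synthesis_init`.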
================================================================