[oe-commits] Holger Hans Peter Freyther : libvorbis-1.2.3: Address CVE-2009-3379
git version control
git at git.openembedded.org
Tue Mar 16 08:17:12 UTC 2010
Module: openembedded.git
Branch: shr/unstable
Commit: 9d5cc61a1f2ed61433541abfcbbbe5e4cb3bf0d6
URL: http://gitweb.openembedded.net/?p=openembedded.git&a=commit;h=9d5cc61a1f2ed61433541abfcbbbe5e4cb3bf0d6
Author: Holger Hans Peter Freyther <zecke at selfish.org>
Date: Tue Mar 16 15:45:17 2010 +0800
libvorbis-1.2.3: Address CVE-2009-3379
Fix handling of malformed Vorbis streams that would crash libvorbis.
CVE-2008-1420 (improved), CVE-2009-3379.
Patches are coming from FreeBSD.
---
.../libvorbis/libvorbis-1.2.3/patch-lib_backends.h | 11 +++++
.../libvorbis/libvorbis-1.2.3/patch-lib_codebook.c | 11 +++++
.../libvorbis-1.2.3/patch-lib_modes_residue_44.h | 30 +++++++++++++++
.../libvorbis-1.2.3/patch-lib_modes_residue_44u.h | 30 +++++++++++++++
recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c | 40 ++++++++++++++++++++
recipes/libvorbis/libvorbis_1.2.3.bb | 7 +++-
6 files changed, 128 insertions(+), 1 deletions(-)
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h
new file mode 100644
index 0000000..44da9d3
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h
@@ -0,0 +1,11 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_backends.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/backends.h.orig 2009-11-24 21:46:47.000000000 +0100
++++ lib/backends.h 2009-11-24 21:46:47.000000000 +0100
+@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
+ /* first stage (lossless partitioning) */
+ int grouping; /* group n vectors per partition */
+ int partitions; /* possible codebooks for a partition */
++ int partvals; /* partitions ^ groupbook dim */
+ int groupbook; /* huffbook for partitioning */
+ int secondstages[64]; /* expanded out to pointers in lookup */
+ int booklist[512]; /* list of second stage books */
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c
new file mode 100644
index 0000000..ed76a9e
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c
@@ -0,0 +1,11 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_codebook.c,v 1.3 2009/11/24 21:32:39 naddy Exp $
+--- lib/codebook.c.orig 2009-07-09 11:12:08.000000000 +0200
++++ lib/codebook.c 2009-11-24 21:46:47.000000000 +0100
+@@ -198,6 +198,7 @@ int vorbis_staticbook_unpack(oggpack_buf
+ for(i=0;i<s->entries;){
+ long num=oggpack_read(opb,_ilog(s->entries-i));
+ if(num==-1)goto _eofout;
++ if(length>32)goto _errout;
+ for(j=0;j<num && i<s->entries;j++,i++)
+ s->lengthlist[i]=length;
+ length++;
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h
new file mode 100644
index 0000000..13bc016
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h
@@ -0,0 +1,30 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_modes_residue_44.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/modes/residue_44.h.orig 2009-07-09 11:12:08.000000000 +0200
++++ lib/modes/residue_44.h 2009-11-24 21:46:47.000000000 +0100
+@@ -22,7 +22,7 @@
+ /***** residue backends *********************************************/
+
+ static const vorbis_info_residue0 _residue_44_low={
+- 0,-1, -1, 9,-1,
++ 0,-1, -1, 9,-1,-1,
+ /* 0 1 2 3 4 5 6 7 */
+ {0},
+ {-1},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_mid={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 */
+ {0},
+ {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_high={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 */
+ {0},
+ {-1},
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h
new file mode 100644
index 0000000..4c0cb74
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h
@@ -0,0 +1,30 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_modes_residue_44u.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/modes/residue_44u.h.orig 2009-07-08 07:40:12.000000000 +0200
++++ lib/modes/residue_44u.h 2009-11-24 21:46:47.000000000 +0100
+@@ -23,7 +23,7 @@
+
+
+ static const vorbis_info_residue0 _residue_44_low_un={
+- 0,-1, -1, 8,-1,
++ 0,-1, -1, 8,-1,-1,
+ {0},
+ {-1},
+ { .5, 1.5, 1.5, 2.5, 2.5, 4.5, 28.5},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_mid_un={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 9 */
+ {0},
+ {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_hi_un={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 9 */
+ {0},
+ {-1},
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c
new file mode 100644
index 0000000..910311b
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c
@@ -0,0 +1,40 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_res0.c,v 1.3 2009/11/24 21:32:39 naddy Exp $
+--- lib/res0.c.orig 2009-11-24 21:51:43.000000000 +0100
++++ lib/res0.c 2009-11-24 21:52:01.000000000 +0100
+@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_
+
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
++ /* modify the phrasebook ranging check from r16327; an early beta
++ encoder had a bug where it used an oversized phrasebook by
++ accident. These files should continue to be playable, but don't
++ allow an exploit */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+@@ -247,6 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_
+ if(partvals > entries) goto errout;
+ dim--;
+ }
++ info->partvals = partvals;
+ }
+
+ return(info);
+@@ -667,7 +672,7 @@ static int _01inverse(vorbis_block *vb,v
+ for(j=0;j<ch;j++){
+ int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+
+- if(temp==-1)goto eopbreak;
++ if(temp==-1 || temp>=info->partvals)goto eopbreak;
+ partword[j][l]=look->decodemap[temp];
+ if(partword[j][l]==NULL)goto errout;
+ }
+@@ -883,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis
+ if(s==0){
+ /* fetch the partition word */
+ int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+- if(temp==-1)goto eopbreak;
++ if(temp==-1 || temp>info->partvals)goto eopbreak;
+ partword[l]=look->decodemap[temp];
+ if(partword[l]==NULL)goto errout;
+ }
diff --git a/recipes/libvorbis/libvorbis_1.2.3.bb b/recipes/libvorbis/libvorbis_1.2.3.bb
index 1173809..87d4d3c 100644
--- a/recipes/libvorbis/libvorbis_1.2.3.bb
+++ b/recipes/libvorbis/libvorbis_1.2.3.bb
@@ -1,10 +1,15 @@
require libvorbis.inc
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/libvorbis-${PV}.tar.gz \
file://configure_powerpc-no-fixed-cpu.patch;patch=1 \
+ file://patch-lib_backends.h;patch=1;pnum=0 \
+ file://patch-lib_codebook.c;patch=1;pnum=0 \
+ file://patch-lib_modes_residue_44.h;patch=1;pnum=0 \
+ file://patch-lib_modes_residue_44u.h;patch=1;pnum=0 \
+ file://patch-lib_res0.c;patch=1;pnum=0 \
"
# override should be handeld by pkgconfig now
More information about the Openembedded-commits
mailing list