SECURITY fixes from Xiph SVN:
* add code to prevent heap attacks that exploit dim=bignum and partition_codewords = partition_values
* correctly handle the nonsensical codebook.dim==0 case
* add checks/rejection for absurdly huge codebooks

CVE-2008-1419, CVE-2008-1420, CVE-2008-1423
parent
f45fba047e
commit
2cc7aa96d8
@ -1,8 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.25 2007/07/30 15:29:35 naddy Exp $
|
||||
# $OpenBSD: Makefile,v 1.26 2008/05/17 19:58:25 naddy Exp $
|
||||
|
||||
COMMENT= audio compression codec library
|
||||
|
||||
DISTNAME= libvorbis-1.2.0
|
||||
PKGNAME= ${DISTNAME}p0
|
||||
CATEGORIES= audio
|
||||
HOMEPAGE= http://www.xiph.org/vorbis/
|
||||
SHARED_LIBS += vorbis 6.0 # .4.0
|
||||
|
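--- a/audio/libvorbis/patches/patch-lib_codebook_c
+++ b/audio/libvorbis/patches/patch-lib_codebook_c
@@ -0,0 +1,21 @@
+$OpenBSD: patch-lib_codebook_c,v 1.1 2008/05/17 19:58:25 naddy Exp $
+--- lib/codebook.c.orig Sat May 17 21:25:08 2008
++++ lib/codebook.c Sat May 17 21:26:54 2008
+@@ -159,6 +159,8 @@ int vorbis_staticbook_unpack(oggpack_buffer *opb,stati
+s->entries=oggpack_read(opb,24);
+if(s->entries==-1)goto _eofout;
+
++ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
++
+/* codeword ordering.... length ordered or unordered? */
+switch((int)oggpack_read(opb,1)){
+case 0:
+@@ -225,7 +227,7 @@ int vorbis_staticbook_unpack(oggpack_buffer *opb,stati
+int quantvals=0;
+switch(s->maptype){
+case 1:
+- quantvals=_book_maptype1_quantvals(s);
++ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+break;
+case 2:
+quantvals=s->entries*s->dim;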
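Review bot: The new guard `if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;` in the first lib/codebook.c hunk has no comment, and it rejects an oversized book through a label named `_eofout`, so the reason for the limit cannot be read from the code. A comment such as `/* reject books whose dim*entries needs more than 24 bits, so entries*dim below cannot overflow */` would tie it to the `quantvals=s->entries*s->dim` line in the second hunk. The guard bounds only the product of the two fields. Whether the allocation that consumes `quantvals` after the switch is also checked against the data actually left in the packet is outside the hunk and worth confirming. vorbis_staticbook_unpack starts and ends outside both hunks.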
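--- a/audio/libvorbis/patches/patch-lib_res0_c
+++ b/audio/libvorbis/patches/patch-lib_res0_c
@@ -0,0 +1,33 @@
+$OpenBSD: patch-lib_res0_c,v 1.2 2008/05/17 19:58:25 naddy Exp $
+--- lib/res0.c.orig Sat May 17 21:22:14 2008
++++ lib/res0.c Sat May 17 21:24:04 2008
+@@ -223,6 +223,20 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpa
+for(j=0;j<acc;j++)
+if(info->booklist[j]>=ci->books)goto errout;
+
++ /* verify the phrasebook is not specifying an impossible or
++ inconsistent partitioning scheme. */
++ {
++ int entries = ci->book_param[info->groupbook]->entries;
++ int dim = ci->book_param[info->groupbook]->dim;
++ int partvals = 1;
++ while(dim>0){
++ partvals *= info->partitions;
++ if(partvals > entries) goto errout;
++ dim--;
++ }
++ if(partvals != entries) goto errout;
++ }
++
+return(info);
+errout:
+res0_free_info(info);
+@@ -263,7 +277,7 @@ vorbis_look_residue *res0_look(vorbis_dsp_state *vd,
+}
+}
+
+- look->partvals=rint(pow((float)look->parts,(float)dim));
++ look->partvals=look->phrasebook->entries;
+look->stages=maxstage;
+look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
+for(j=0;j<look->partvals;j++){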
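Review bot: A group book with dim==0 and entries==1 passes the new consistency block in res0_unpack: `while(dim>0)` never runs, `partvals` stays 1, and `if(partvals != entries) goto errout;` does not fire. Since the second hunk makes res0_look take `look->partvals` directly from `look->phrasebook->entries` and size `decodemap` from it, an explicit `if(dim<1) goto errout;` ahead of the loop would reject the degenerate book at parse time. The new block also dereferences `ci->book_param[info->groupbook]`, but the context lines range-check only `info->booklist[j]`. A matching check on `info->groupbook` is not visible in the hunk and should be confirmed. Both functions start outside their hunks.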