SECURITY:

Fix handling of malformed Vorbis streams that would crash libvorbis. CVE-2008-1420 (improved), CVE-2009-3379. From xiph.org SVN.
2009-11-24 21:43:14 +00:00 · 2009-11-24 21:43:14 +00:00 · c840945347
commit c840945347
parent 10139435ff
6 changed files with 124 additions and 1 deletions
--- a/audio/libvorbis/Makefile
+++ b/audio/libvorbis/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.28 2009/07/13 15:48:55 naddy Exp $
+# $OpenBSD: Makefile,v 1.29 2009/11/24 21:43:14 naddy Exp $

 COMMENT=	audio compression codec library

 DISTNAME=	libvorbis-1.2.3
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=    	audio
 HOMEPAGE=	http://www.xiph.org/vorbis/
 SHARED_LIBS +=  vorbis               7.0      # .4.3
--- a/audio/libvorbis/patches/patch-lib_backends_h
+++ b/audio/libvorbis/patches/patch-lib_backends_h
@ -0,0 +1,11 @@
+$OpenBSD: patch-lib_backends_h,v 1.1 2009/11/24 21:43:14 naddy Exp $
+--- lib/backends.h.orig	Tue Nov 24 22:00:01 2009
+++ lib/backends.h	Tue Nov 24 22:00:01 2009
+@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
+   /* first stage (lossless partitioning) */
+   int    grouping;         /* group n vectors per partition */
+   int    partitions;       /* possible codebooks for a partition */
+  int    partvals;         /* partitions ^ groupbook dim */
+   int    groupbook;        /* huffbook for partitioning */
+   int    secondstages[64]; /* expanded out to pointers in lookup */
+   int    booklist[512];    /* list of second stage books */
--- a/audio/libvorbis/patches/patch-lib_codebook_c
+++ b/audio/libvorbis/patches/patch-lib_codebook_c
@ -0,0 +1,11 @@
+$OpenBSD: patch-lib_codebook_c,v 1.3 2009/11/24 21:43:14 naddy Exp $
+--- lib/codebook.c.orig	Thu Jul  9 11:12:08 2009
+++ lib/codebook.c	Tue Nov 24 22:00:01 2009
+@@ -198,6 +198,7 @@ int vorbis_staticbook_unpack(oggpack_buffer *opb,stati
+       for(i=0;i<s->entries;){
+         long num=oggpack_read(opb,_ilog(s->entries-i));
+         if(num==-1)goto _eofout;
+        if(length>32)goto _errout;
+         for(j=0;j<num && i<s->entries;j++,i++)
+           s->lengthlist[i]=length;
+         length++;
--- a/audio/libvorbis/patches/patch-lib_modes_residue_44_h
+++ b/audio/libvorbis/patches/patch-lib_modes_residue_44_h
@ -0,0 +1,30 @@
+$OpenBSD: patch-lib_modes_residue_44_h,v 1.1 2009/11/24 21:43:14 naddy Exp $
+--- lib/modes/residue_44.h.orig	Thu Jul  9 11:12:08 2009
+++ lib/modes/residue_44.h	Tue Nov 24 22:00:01 2009
+@@ -22,7 +22,7 @@
+ /***** residue backends *********************************************/
+ 
+ static const vorbis_info_residue0 _residue_44_low={
+-  0,-1, -1, 9,-1,
+  0,-1, -1, 9,-1,-1,
+   /*  0     1     2     3     4     5     6     7  */
+   {0},
+   {-1},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low={
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_mid={
+-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8  */
+   {0},
+   {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid={
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_high={
+-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8  */
+   {0},
+   {-1},
--- a/audio/libvorbis/patches/patch-lib_modes_residue_44u_h
+++ b/audio/libvorbis/patches/patch-lib_modes_residue_44u_h
@ -0,0 +1,30 @@
+$OpenBSD: patch-lib_modes_residue_44u_h,v 1.1 2009/11/24 21:43:14 naddy Exp $
+--- lib/modes/residue_44u.h.orig	Wed Jul  8 07:40:12 2009
+++ lib/modes/residue_44u.h	Tue Nov 24 22:00:01 2009
+@@ -23,7 +23,7 @@
+ 
+ 
+ static const vorbis_info_residue0 _residue_44_low_un={
+-  0,-1, -1, 8,-1,
+  0,-1, -1, 8,-1,-1,
+   {0},
+   {-1},
+   {  .5,  1.5,  1.5,  2.5,  2.5,  4.5, 28.5},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low_un={
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_mid_un={
+-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8     9 */
+   {0},
+   {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid_un={
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_hi_un={
+-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8     9 */
+   {0},
+   {-1},
--- a/audio/libvorbis/patches/patch-lib_res0_c
+++ b/audio/libvorbis/patches/patch-lib_res0_c
@ -0,0 +1,40 @@
+$OpenBSD: patch-lib_res0_c,v 1.4 2009/11/24 21:43:14 naddy Exp $
+--- lib/res0.c.orig	Tue Nov 24 21:59:48 2009
+++ lib/res0.c	Tue Nov 24 22:00:01 2009
+@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpa
+ 
+   /* verify the phrasebook is not specifying an impossible or
+      inconsistent partitioning scheme. */
+  /* modify the phrasebook ranging check from r16327; an early beta
+     encoder had a bug where it used an oversized phrasebook by
+     accident.  These files should continue to be playable, but don't
+     allow an exploit */
+   {
+     int entries = ci->book_param[info->groupbook]->entries;
+     int dim = ci->book_param[info->groupbook]->dim;
+@@ -247,6 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpa
+       if(partvals > entries) goto errout;
+       dim--;
+     }
+    info->partvals = partvals;
+   }
+ 
+   return(info);
+@@ -667,7 +672,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_res
+           for(j=0;j<ch;j++){
+             int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+ 
+-            if(temp==-1)goto eopbreak;
+            if(temp==-1 || temp>=info->partvals)goto eopbreak;
+             partword[j][l]=look->decodemap[temp];
+             if(partword[j][l]==NULL)goto errout;
+           }
+@@ -883,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue 
+         if(s==0){
+           /* fetch the partition word */
+           int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+-          if(temp==-1)goto eopbreak;
+          if(temp==-1 || temp>info->partvals)goto eopbreak;
+           partword[l]=look->decodemap[temp];
+           if(partword[l]==NULL)goto errout;
+         }