2cc7aa96d8
* add code to prevent heap attacks by exploiting dim=bignum and partition_codewords = partition_values * correctly handle the nonsensical codebook.dim==0 case * add checks/rejection for absurdly huge codebooks CVE-2008-1419, CVE-2008-1420, CVE-2008-1423
$OpenBSD: patch-lib_res0_c,v 1.2 2008/05/17 19:58:25 naddy Exp $
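--- lib/res0.c.orig Sat May 17 21:22:14 2008
+++ lib/res0.c Sat May 17 21:24:04 2008
@@ -223,6 +223,20 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpa
 for(j=0;j<acc;j++)
 if(info->booklist[j]>=ci->books)goto errout;
 
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+ int partvals = 1;
+ while(dim>0){
+ partvals *= info->partitions;
+ if(partvals > entries) goto errout;
+ dim--;
+ }
+ if(partvals != entries) goto errout;
+ }
+
 return(info);
 errout:
 res0_free_info(info);
@@ -263,7 +277,7 @@ vorbis_look_residue *res0_look(vorbis_dsp_state *vd,
 }
 }
 
- look->partvals=rint(pow((float)look->parts,(float)dim));
+ look->partvals=look->phrasebook->entries;
 look->stages=maxstage;
 look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
 for(j=0;j<look->partvals;j++){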
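Review bot: The new block in the first hunk dereferences `ci->book_param[info->groupbook]` with no range check visible here; the loop just above it validates only `info->booklist[j]`, so a guard of the form `if(info->groupbook>=ci->books)goto errout;` must already exist earlier in res0_unpack (outside this hunk), otherwise a hostile stream reaches an out-of-bounds read before the new check runs. The loop also depends on the check-after-every-multiply order to keep the signed `partvals` from overflowing, which only holds while `info->partitions` and `entries` are bounded by the bit widths they are unpacked with; a comment naming the invariant, `/* requires partitions^dim == entries; compare after each multiply so partvals cannot overflow */`, would make that dependency explicit for the next reader. The second hunk's `look->partvals=look->phrasebook->entries;` is consistent with that invariant and drops the float pow/rint path that could previously produce an oversized allocation. res0_unpack starts before the first hunk and res0_look continues past the second.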