authornaddy <naddy@FreeBSD.org>2009-11-25 05:32:39 +0800
committernaddy <naddy@FreeBSD.org>2009-11-25 05:32:39 +0800
commit83045530045b3b21ae9630bbcfe35577e7b5c8ae (patch)
tree04e953c4598a6104f24864d56da050262f4c4690
parent4b3a01fcbec33f693d429c5a88697637e6fb083a (diff)
Fix handling of malformed Vorbis streams that would crash libvorbis.
CVE-2008-1420 (improved), CVE-2009-3379
Obtained from: xiph.org SVN
Security: http://www.vuxml.org/freebsd/94edff42-d93d-11de-a434-0211d880e350.html
-rw-r--r--audio/libvorbis/Makefile1
-rw-r--r--audio/libvorbis/files/patch-lib_backends.h11
-rw-r--r--audio/libvorbis/files/patch-lib_codebook.c11
-rw-r--r--audio/libvorbis/files/patch-lib_modes_residue_44.h30
-rw-r--r--audio/libvorbis/files/patch-lib_modes_residue_44u.h30
-rw-r--r--audio/libvorbis/files/patch-lib_res0.c40
6 files changed, 123 insertions, 0 deletions
diff --git a/audio/libvorbis/Makefile b/audio/libvorbis/Makefile
index b6eb372b09af..45f9bbffe28e 100644
--- a/audio/libvorbis/Makefile
+++ b/audio/libvorbis/Makefile
@@ -7,6 +7,7 @@
PORTNAME= libvorbis
PORTVERSION= 1.2.3
+PORTREVISION= 1
PORTEPOCH= 3
CATEGORIES= audio
MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ \
diff --git a/audio/libvorbis/files/patch-lib_backends.h b/audio/libvorbis/files/patch-lib_backends.h
new file mode 100644
index 000000000000..8042a38d2074
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_backends.h
@@ -0,0 +1,11 @@
+$FreeBSD$
+--- lib/backends.h.orig 2009-11-24 21:46:47.000000000 +0100
++++ lib/backends.h 2009-11-24 21:46:47.000000000 +0100
+@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
+ /* first stage (lossless partitioning) */
+ int grouping; /* group n vectors per partition */
+ int partitions; /* possible codebooks for a partition */
++ int partvals; /* partitions ^ groupbook dim */
+ int groupbook; /* huffbook for partitioning */
+ int secondstages[64]; /* expanded out to pointers in lookup */
+ int booklist[512]; /* list of second stage books */
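Review bot: Inserting `partvals` between `partitions` and `groupbook` shifts every positional initializer of `vorbis_info_residue0`, so an initializer that is not updated would silently store its groupbook value in `partvals`. The residue_44.h and residue_44u.h patches in this commit add the extra `-1`, but whether other mode headers initialize this struct positionally cannot be seen from here and is worth a grep. The comment `/* partitions ^ groupbook dim */` also reads as XOR in C; `/* partitions raised to the groupbook dim; bound for decoded partition words */` would be clearer. The struct definition starts and ends outside the hunk.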
diff --git a/audio/libvorbis/files/patch-lib_codebook.c b/audio/libvorbis/files/patch-lib_codebook.c
new file mode 100644
index 000000000000..b2d09a246f6d
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_codebook.c
@@ -0,0 +1,11 @@
+$FreeBSD$
+--- lib/codebook.c.orig 2009-07-09 11:12:08.000000000 +0200
++++ lib/codebook.c 2009-11-24 21:46:47.000000000 +0100
+@@ -198,6 +198,7 @@ int vorbis_staticbook_unpack(oggpack_buf
+ for(i=0;i<s->entries;){
+ long num=oggpack_read(opb,_ilog(s->entries-i));
+ if(num==-1)goto _eofout;
++ if(length>32)goto _errout;
+ for(j=0;j<num && i<s->entries;j++,i++)
+ s->lengthlist[i]=length;
+ length++;
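Review bot: The new `if(length>32)goto _errout;` carries no comment saying where 32 comes from, and the loop around it still silently clamps an oversized `num` through the `i<s->entries` condition. A comment such as `/* codeword lengths above 32 bits are invalid; reject the stream instead of storing them */` would document the bound (presumably the widest codeword the decoder can represent; confirm against the format specification). Consider also treating `num > s->entries-i` as a malformed stream rather than truncating it. The enclosing vorbis_staticbook_unpack starts and ends outside the hunk.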
diff --git a/audio/libvorbis/files/patch-lib_modes_residue_44.h b/audio/libvorbis/files/patch-lib_modes_residue_44.h
new file mode 100644
index 000000000000..d482bc9abe0c
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_modes_residue_44.h
@@ -0,0 +1,30 @@
+$FreeBSD$
+--- lib/modes/residue_44.h.orig 2009-07-09 11:12:08.000000000 +0200
++++ lib/modes/residue_44.h 2009-11-24 21:46:47.000000000 +0100
+@@ -22,7 +22,7 @@
+ /***** residue backends *********************************************/
+
+ static const vorbis_info_residue0 _residue_44_low={
+- 0,-1, -1, 9,-1,
++ 0,-1, -1, 9,-1,-1,
+ /* 0 1 2 3 4 5 6 7 */
+ {0},
+ {-1},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_mid={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 */
+ {0},
+ {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_high={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 */
+ {0},
+ {-1},
diff --git a/audio/libvorbis/files/patch-lib_modes_residue_44u.h b/audio/libvorbis/files/patch-lib_modes_residue_44u.h
new file mode 100644
index 000000000000..26b04fe26535
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_modes_residue_44u.h
@@ -0,0 +1,30 @@
+$FreeBSD$
+--- lib/modes/residue_44u.h.orig 2009-07-08 07:40:12.000000000 +0200
++++ lib/modes/residue_44u.h 2009-11-24 21:46:47.000000000 +0100
+@@ -23,7 +23,7 @@
+
+
+ static const vorbis_info_residue0 _residue_44_low_un={
+- 0,-1, -1, 8,-1,
++ 0,-1, -1, 8,-1,-1,
+ {0},
+ {-1},
+ { .5, 1.5, 1.5, 2.5, 2.5, 4.5, 28.5},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_mid_un={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 9 */
+ {0},
+ {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+
+ static const vorbis_info_residue0 _residue_44_hi_un={
+- 0,-1, -1, 10,-1,
++ 0,-1, -1, 10,-1,-1,
+ /* 0 1 2 3 4 5 6 7 8 9 */
+ {0},
+ {-1},
diff --git a/audio/libvorbis/files/patch-lib_res0.c b/audio/libvorbis/files/patch-lib_res0.c
new file mode 100644
index 000000000000..bcd6e136b7e0
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_res0.c
@@ -0,0 +1,40 @@
+$FreeBSD$
+--- lib/res0.c.orig 2009-11-24 21:51:43.000000000 +0100
++++ lib/res0.c 2009-11-24 21:52:01.000000000 +0100
+@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_
+
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
++ /* modify the phrasebook ranging check from r16327; an early beta
++ encoder had a bug where it used an oversized phrasebook by
++ accident. These files should continue to be playable, but don't
++ allow an exploit */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+@@ -247,6 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_
+ if(partvals > entries) goto errout;
+ dim--;
+ }
++ info->partvals = partvals;
+ }
+
+ return(info);
+@@ -667,7 +672,7 @@ static int _01inverse(vorbis_block *vb,v
+ for(j=0;j<ch;j++){
+ int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+
+- if(temp==-1)goto eopbreak;
++ if(temp==-1 || temp>=info->partvals)goto eopbreak;
+ partword[j][l]=look->decodemap[temp];
+ if(partword[j][l]==NULL)goto errout;
+ }
+@@ -883,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis
+ if(s==0){
+ /* fetch the partition word */
+ int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+- if(temp==-1)goto eopbreak;
++ if(temp==-1 || temp>info->partvals)goto eopbreak;
+ partword[l]=look->decodemap[temp];
+ if(partword[l]==NULL)goto errout;
+ }
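Review bot: The bound added in res2_inverse is `temp>info->partvals`, while the matching check added in _01inverse one hunk earlier is `temp>=info->partvals`; both guard an index into `look->decodemap`, so one of them is off by one. If decodemap holds partvals entries (its allocation is outside this patch, so this is inferred), a decoded value of exactly `info->partvals` passes the res2_inverse check and reads one slot past the table before the NULL test runs. The line should read `if(temp==-1 || temp>=info->partvals)goto eopbreak;` to agree with _01inverse. Both functions continue outside their hunks.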