author | naddy <naddy@FreeBSD.org> | 2008-05-18 04:28:41 +0800 |
---|---|---|
committer | naddy <naddy@FreeBSD.org> | 2008-05-18 04:28:41 +0800 |
commit | f88643f3cd71580405ee508a0bdacfe1cabc263a (patch) | |
tree | 78b89df962fcd5cfe2fed29af854d8b3d275e5ea | |
parent | d76dc2ab70cc3786f30902211585e38a7afcb4a2 (diff) | |
* add code to prevent heap attacks by exploiting dim=bignum and
partition_codewords = partion_values
* correctly handle the nonsensical codebook.dim==0 case
* add checks/rejection for absurdly huge codebooks
Obtained from: Xiph SVN
Security: http://www.vuxml.org/freebsd/f5a76faf-244c-11dd-b143-0211d880e350
-rw-r--r-- | audio/libvorbis/Makefile | 2 | ||||
-rw-r--r-- | audio/libvorbis/files/patch-lib_codebook.c | 23 | ||||
-rw-r--r-- | audio/libvorbis/files/patch-lib_res0.c | 35 |
3 files changed, 59 insertions, 1 deletions
diff --git a/audio/libvorbis/Makefile b/audio/libvorbis/Makefile
index 659016222e01..331212d92bb3 100644
--- a/audio/libvorbis/Makefile
+++ b/audio/libvorbis/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= libvorbis
 PORTVERSION= 1.2.0
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 3
 CATEGORIES= audio
 MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ \
diff --git a/audio/libvorbis/files/patch-lib_codebook.c b/audio/libvorbis/files/patch-lib_codebook.c
new file mode 100644
index 000000000000..ac555bdcf7b7
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_codebook.c
@@ -0,0 +1,23 @@
+
+$FreeBSD$
+
+--- lib/codebook.c.orig
++++ lib/codebook.c
+@@ -159,6 +159,8 @@
+ s->entries=oggpack_read(opb,24);
+ if(s->entries==-1)goto _eofout;
+
++ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
++
+ /* codeword ordering.... length ordered or unordered? */
+ switch((int)oggpack_read(opb,1)){
+ case 0:
+@@ -225,7 +227,7 @@
+ int quantvals=0;
+ switch(s->maptype){
+ case 1:
+- quantvals=_book_maptype1_quantvals(s);
++ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+ break;
+ case 2:
+ quantvals=s->entries*s->dim;
diff --git a/audio/libvorbis/files/patch-lib_res0.c b/audio/libvorbis/files/patch-lib_res0.c
new file mode 100644
index 000000000000..67e619ab0bbc
--- /dev/null
+++ b/audio/libvorbis/files/patch-lib_res0.c
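Review bot: In patch-lib_codebook.c, the `dim==0` guard added in the second inner hunk (lib/codebook.c @@ -225) protects only this one call to `_book_maptype1_quantvals` in the `case 1:` branch; any other caller of that helper, none of which is visible in this patch, would still receive a zero-dimension book. Moving the test into the helper itself, or rejecting the book right beside the new `_ilog` check, would cover every use at once. The `>24` limit in the first inner hunk also needs a comment saying what it bounds (presumably the `s->entries*s->dim` product computed for map type 2 further down), and it reuses the `_eofout` label for a rejection that is not an end-of-packet condition. Both enclosing function bodies start and end outside the hunks.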
@@ -0,0 +1,35 @@
+
+$FreeBSD$
+
+--- lib/res0.c.orig
++++ lib/res0.c
+@@ -223,6 +223,20 @@
+ for(j=0;j<acc;j++)
+ if(info->booklist[j]>=ci->books)goto errout;
+
++ /* verify the phrasebook is not specifying an impossible or
++ inconsistent partitioning scheme. */
++ {
++ int entries = ci->book_param[info->groupbook]->entries;
++ int dim = ci->book_param[info->groupbook]->dim;
++ int partvals = 1;
++ while(dim>0){
++ partvals *= info->partitions;
++ if(partvals > entries) goto errout;
++ dim--;
++ }
++ if(partvals != entries) goto errout;
++ }
++
+ return(info);
+ errout:
+ res0_free_info(info);
+@@ -263,7 +277,7 @@
+ }
+ }
+
+- look->partvals=rint(pow((float)look->parts,(float)dim));
++ look->partvals=look->phrasebook->entries;
+ look->stages=maxstage;
+ look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
+ for(j=0;j<look->partvals;j++){ |
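Review bot: The consistency block added in the first inner hunk (lib/res0.c @@ -223) accepts a group book with `dim==0` whenever `entries==1`, because the `while(dim>0)` loop never runs and `partvals` stays at 1. The codebook.c patch in this same commit deliberately lets `dim==0` codebooks through, so such a book can reach this check. Adding `if(dim<1) goto errout;` before the loop would reject it while the header is still being parsed. The second inner hunk now sizes `look->decodemap` from `look->phrasebook->entries`, which is only sound for info structures that passed this check; a comment stating that invariant would help, since the other paths into that function are not visible here. Both function bodies extend outside the hunks, and the bounds check on `info->groupbook` before it indexes `ci->book_param` is assumed to sit above the visible context.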