[vlc-devel] commit: Contrib: fix libvorbis CVEs: 2008-1419, 2008-1420, 2008-1423. ( Pavlov Konstantin )

git version control git at videolan.org
Sat May 17 01:16:53 CEST 2008


vlc | branch: 0.8.6-bugfix | Pavlov Konstantin <thresh at videolan.org> | Sat May 17 03:15:22 2008 +0400| [bab5e4093c26f33f1b05cb283840eec081631a2e]

Contrib: fix libvorbis CVEs: 2008-1419, 2008-1420, 2008-1423.

Cherry-picked (with manual merge fix) from a6c8ae352629fb178d6af03c67f64501d7027df2.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=bab5e4093c26f33f1b05cb283840eec081631a2e
---

 extras/contrib/src/Makefile                        |    3 ++
 .../Patches/libvorbis-r14598-CVE-2008-1420.patch   |   34 ++++++++++++++++++++
 .../Patches/libvorbis-r14602-CVE-2008-1419.patch   |   13 +++++++
 .../Patches/libvorbis-r14602-CVE-2008-1423.patch   |   13 +++++++
 4 files changed, 63 insertions(+), 0 deletions(-)

diff --git a/extras/contrib/src/Makefile b/extras/contrib/src/Makefile
index b04f959..2f6f9e4 100644
--- a/extras/contrib/src/Makefile
+++ b/extras/contrib/src/Makefile
@@ -637,6 +637,9 @@ libvorbis-$(VORBIS_VERSION).tar.gz:
 libvorbis: libvorbis-$(VORBIS_VERSION).tar.gz
 	$(EXTRACT_GZ)
 	patch -p 0 < Patches/libvorbis-1.1.patch
+	patch -d libvorbis -p0 < Patches/libvorbis-r14598-CVE-2008-1420.patch
+	patch -d libvorbis -p0 < Patches/libvorbis-r14602-CVE-2008-1419.patch
+	patch -d libvorbis -p0 < Patches/libvorbis-r14602-CVE-2008-1423.patch
 	(cd $@; autoconf)
 
 .vorbis: libvorbis .ogg
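Review bot: The third added line applies `Patches/libvorbis-r14602-CVE-2008-1423.patch`, but that file's own Index header (further down in this commit) is the diff between upstream revisions 14603 and 14604, so the r14602 in the name will mislead anyone tracing the fix back to the libvorbis repository; name it `libvorbis-r14604-CVE-2008-1423.patch` in both the Makefile and the file path. The three invocations also carry no hint of which upstream version they are meant for, so a later VORBIS_VERSION bump to a release that already contains these revisions will presumably make `patch` fail or detect an already-applied hunk and break the contrib build; a short comment above them such as `# upstream SVN fixes (r14598, r14602, r14604); drop once VORBIS_VERSION contains them` would make that maintenance step obvious. The libvorbis rule starts on the context line above the hunk and the download rule it depends on is outside this view.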
diff --git a/extras/contrib/src/Patches/libvorbis-r14598-CVE-2008-1420.patch b/extras/contrib/src/Patches/libvorbis-r14598-CVE-2008-1420.patch
new file mode 100644
index 0000000..819cbf0
--- /dev/null
+++ b/extras/contrib/src/Patches/libvorbis-r14598-CVE-2008-1420.patch
@@ -0,0 +1,34 @@
+Index: lib/res0.c
+===================================================================
+--- lib/res0.c	(revision 14597)
++++ lib/res0.c	(revision 14598)
+@@ -223,6 +223,20 @@
+   for(j=0;j<acc;j++)
+     if(info->booklist[j]>=ci->books)goto errout;
+ 
++  /* verify the phrasebook is not specifying an impossible or
++     inconsistent partitioning scheme. */
++  {
++    int entries = ci->book_param[info->groupbook]->entries;
++    int dim = ci->book_param[info->groupbook]->dim;
++    int partvals = 1;
++    while(dim>0){
++      partvals *= info->partitions;
++      if(partvals > entries) goto errout;
++      dim--;
++    }
++    if(partvals != entries) goto errout;
++  }
++
+   return(info);
+  errout:
+   res0_free_info(info);
+@@ -263,7 +277,7 @@
+     }
+   }
+ 
+-  look->partvals=rint(pow((float)look->parts,(float)dim));
++  look->partvals=look->phrasebook->entries;
+   look->stages=maxstage;
+   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
+   for(j=0;j<look->partvals;j++){
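Review bot: In the new partitioning check, `partvals *= info->partitions;` is performed before the `partvals > entries` test, so the multiply itself is only free of signed overflow if `info->partitions` is small enough that `entries * partitions` fits in an int; `entries` is a 24-bit codebook field, so that holds only if partitions is bounded well below 128 when it is decoded earlier in res0_unpack, which is outside this hunk. Making the guard precede the multiply removes the dependency on that assumption: replace the two lines with `if(info->partitions<1 || partvals > entries/info->partitions) goto errout;` followed by `partvals *= info->partitions;`, which also rejects a zero partition count instead of letting partvals collapse to 0 and match a zero-entry book. A one-line comment above the block saying why the equality matters would help, e.g. `/* decodemap is sized from phrasebook->entries below, so entries must equal partitions^dim */`. Both enclosing functions (res0_unpack and the look-initialisation that sets `look->partvals`) begin outside the hunk, and the range check on `info->groupbook` that this code relies on is not visible here.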
diff --git a/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1419.patch b/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1419.patch
new file mode 100644
index 0000000..fd73f23
--- /dev/null
+++ b/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1419.patch
@@ -0,0 +1,13 @@
+Index: lib/codebook.c
+===================================================================
+--- lib/codebook.c	(revision 14601)
++++ lib/codebook.c	(revision 14602)
+@@ -225,7 +225,7 @@
+       int quantvals=0;
+       switch(s->maptype){
+       case 1:
+-	quantvals=_book_maptype1_quantvals(s);
++	quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+ 	break;
+       case 2:
+ 	quantvals=s->entries*s->dim;
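Review bot: The new ternary `quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));` special-cases a zero-dimension book with no explanation, so a reader cannot tell whether dim==0 is a legal codebook that simply has no quantization values or a malformed header that is being tolerated; add a comment on that line such as `/* dim==0: no quantization values; _book_maptype1_quantvals() presumably cannot be evaluated for a zero dimension */`, adjusted to the actual reason once confirmed. If a zero-dimension maptype-1 book is never valid, it would be cleaner to reject it once where `s->dim` is decoded in the header-unpack path (outside this hunk) rather than guard each consumer. Also note the `case 2` line below still computes `s->entries*s->dim` unchecked; it is only safe in combination with the separate `_ilog(dim)+_ilog(entries)>24` patch in this commit, which is worth stating in a comment since the two live in different patch files. The enclosing function starts and ends outside the hunk.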
diff --git a/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1423.patch b/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1423.patch
new file mode 100644
index 0000000..8c7c479
--- /dev/null
+++ b/extras/contrib/src/Patches/libvorbis-r14602-CVE-2008-1423.patch
@@ -0,0 +1,13 @@
+Index: lib/codebook.c
+===================================================================
+--- lib/codebook.c	(revision 14603)
++++ lib/codebook.c	(revision 14604)
+@@ -159,6 +159,8 @@
+   s->entries=oggpack_read(opb,24);
+   if(s->entries==-1)goto _eofout;
+ 
++  if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
++
+   /* codeword ordering.... length ordered or unordered? */
+   switch((int)oggpack_read(opb,1)){
+   case 0:
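Review bot: The new check `if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;` jumps to the end-of-stream label for what is a malformed header, not a truncated one; if the function has a separate error label (not visible in this hunk) it should be used so callers can distinguish a short stream from a hostile header, and in any case the line deserves a comment explaining the bound, e.g. `/* bit-lengths of dim and entries may sum to at most 24, so dim*entries stays below 2^24 and later entries*dim products cannot overflow */`. The check relies on `s->dim` already having been decoded above the hunk, which is presumably the case but cannot be seen here. Separately, this patch file is named r14602 while its Index header says revision 14603 to 14604, so the file name should be corrected to match. The enclosing function begins and ends outside the hunk.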



