diff options
Diffstat (limited to 'meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch')
| -rw-r--r-- | meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch new file mode 100644 index 0000000000..4036b966fe --- /dev/null +++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch @@ -0,0 +1,62 @@ +From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb + if not initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. + +Upstream-Status: Backport +CVE: CVE-2017-14632 + +Reference to upstream patch: +https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f + +Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/info.c b/lib/info.c +index 81b7557..4d82568 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } +-- +2.16.2 + |