From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001 From: Thomas Daede Date: Thu, 15 Mar 2018 14:15:31 -0700 Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. Upstream-Status: Backport CVE: CVE-2018-5146 Reference to upstream patch: https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f Signed-off-by: Tanu Kaskinen --- lib/codebook.c | 48 ++++++++++-------------------------------------- 1 file changed, 10 insertions(+), 38 deletions(-) diff --git a/lib/codebook.c b/lib/codebook.c index 8b766e8..7022fd2 100644 --- a/lib/codebook.c +++ b/lib/codebook.c @@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){ t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jdim>8){ - for(i=0;ivaluelist+entry*book->dim; - for (j=0;jdim;) - a[i++]+=t[j++]; - } - }else{ - for(i=0;ivaluelist+entry*book->dim; - j=0; - switch((int)book->dim){ - case 8: - a[i++]+=t[j++]; - case 7: - a[i++]+=t[j++]; - case 6: - a[i++]+=t[j++]; - case 5: - a[i++]+=t[j++]; - case 4: - a[i++]+=t[j++]; - case 3: - a[i++]+=t[j++]; - case 2: - a[i++]+=t[j++]; - case 1: - a[i++]+=t[j++]; - case 0: - break; - } - } + for(i=0;ivaluelist+entry*book->dim; + for(j=0;idim;) + a[i++]+=t[j++]; } } return(0); @@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch, long i,j,entry; int chptr=0; if(book->used_entries>0){ - for(i=offset/ch;i<(offset+n)/ch;){ + int m=(offset+n)/ch; + for(i=offset/ch;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]; if(chptr==ch){ chptr=0; -- 2.16.2