diff options
author | Tanu Kaskinen <tanuk@iki.fi> | 2018-03-31 08:21:32 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-03-31 14:17:22 +0100 |
commit | 5c880fe974907195c563b5580cb43b3b2fb92203 (patch) | |
tree | 5cc9f72ba5d9c2c88ebe41cb33ce8ee969ef1da7 /meta/recipes-multimedia/libvorbis/libvorbis | |
parent | e584aca38396db5e3d461f57804519261eecedc2 (diff) | |
download | openembedded-core-contrib-5c880fe974907195c563b5580cb43b3b2fb92203.tar.gz |
libvorbis: CVE-2018-5146
Prevent out-of-bounds write in codebook decoding. The bug could allow
code execution from a specially crafted Ogg Vorbis file.
References:
https://www.debian.org/security/2018/dsa-4140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libvorbis/libvorbis')
-rw-r--r-- | meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch new file mode 100644 index 0000000000..6d4052a872 --- /dev/null +++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch @@ -0,0 +1,100 @@ +From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001 +From: Thomas Daede <daede003@umn.edu> +Date: Thu, 15 Mar 2018 14:15:31 -0700 +Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook + decoding. + +Codebooks that are not an exact divisor of the partition size are now +truncated to fit within the partition. + +Upstream-Status: Backport +CVE: CVE-2018-5146 + +Reference to upstream patch: +https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f + +Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> +--- + lib/codebook.c | 48 ++++++++++-------------------------------------- + 1 file changed, 10 insertions(+), 38 deletions(-) + +diff --git a/lib/codebook.c b/lib/codebook.c +index 8b766e8..7022fd2 100644 +--- a/lib/codebook.c ++++ b/lib/codebook.c +@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){ + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;i<book->dim;i++,o+=step) +- for (j=0;j<step;j++) ++ for (j=0;o+j<n && j<step;j++) + a[o+j]+=t[j][i]; + } + return(0); +@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){ + int i,j,entry; + float *t; + +- if(book->dim>8){ +- for(i=0;i<n;){ +- entry = decode_packed_entry_number(book,b); +- if(entry==-1)return(-1); +- t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;) +- a[i++]+=t[j++]; +- } +- }else{ +- for(i=0;i<n;){ +- entry = decode_packed_entry_number(book,b); +- if(entry==-1)return(-1); +- t = book->valuelist+entry*book->dim; +- j=0; +- switch((int)book->dim){ +- case 8: +- a[i++]+=t[j++]; +- case 7: +- a[i++]+=t[j++]; +- case 6: +- a[i++]+=t[j++]; +- case 5: +- a[i++]+=t[j++]; +- case 4: +- a[i++]+=t[j++]; +- case 3: +- a[i++]+=t[j++]; +- case 2: +- a[i++]+=t[j++]; +- case 1: +- a[i++]+=t[j++]; +- case 0: +- break; +- } +- } ++ for(i=0;i<n;){ ++ entry = decode_packed_entry_number(book,b); ++ if(entry==-1)return(-1); ++ t = book->valuelist+entry*book->dim; ++ for(j=0;i<n && j<book->dim;) ++ a[i++]+=t[j++]; + } + } + return(0); +@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch, + long i,j,entry; + int chptr=0; + if(book->used_entries>0){ +- for(i=offset/ch;i<(offset+n)/ch;){ ++ int m=(offset+n)/ch; ++ for(i=offset/ch;i<m;){ + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + { + const float *t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;j++){ ++ for (j=0;i<m && j<book->dim;j++){ + a[chptr++][i]+=t[j]; + if(chptr==ch){ + chptr=0; +-- +2.16.2 + |