[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 697 High Vorbis decoder buffer overflows. Credit to David Warren of CERT.

Giuseppe Iuculano iuculano at debian.org
Fri Jan 14 15:30:23 UTC 2011


Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 697
Revision Id: iuculano at debian.org-20110114153023-ozwd2z4mcujwpjh4
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Vorbis decoder buffer overflows. Credit to David Warren of CERT. 


--------------------------------------------------------
  ** Added :
        - debian/patches/68115.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

=== modified file 'debian/changelog'
--- a/debian/changelog	2011-01-14 14:57:15 +0000
+++ b/debian/changelog	2011-01-14 15:30:23 +0000
@@ -6,8 +6,9 @@
     - High Stale pointer with CSS + cursors. Credit to Jan To?ovsk?.
     - High Stale pointer with SVG use element. Credited anonymously; plus
       indepdent discovery by miaubiz.
+    - High Vorbis decoder buffer overflows. Credit to David Warren of CERT. 
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 14 Jan 2011 15:55:35 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 14 Jan 2011 16:29:37 +0100
 
 chromium-browser (6.0.472.63~r59945-4) unstable; urgency=high
 
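Review bot: the added entry `+    - High Vorbis decoder buffer overflows. Credit to David Warren of CERT. ` ends with a trailing space; strip it so the changelog stays consistent with the neighbouring entries. The entry also gives a reader no way to locate the fix it describes; naming the patch it ships with, e.g. `(debian/patches/68115.patch)`, would tie the two together. While this stanza is being edited, the two context lines just above carry a pre-existing typo (`indepdent`) and a mis-encoded reporter name (`Jan To?ovsk?`) that are worth correcting in the same revision.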

=== added file 'debian/patches/68115.patch'
--- a/debian/patches/68115.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/68115.patch	2011-01-14 15:30:23 +0000
@@ -0,0 +1,24 @@
+--- a/src/third_party/ffmpeg/patched-ffmpeg-mt/libavcodec/vorbis_dec.c
++++ b/src/third_party/ffmpeg/patched-ffmpeg-mt/libavcodec/vorbis_dec.c
+@@ -536,6 +536,12 @@ static int vorbis_parse_setup_hdr_floors
+             rangebits = get_bits(gb, 4);
+             floor_setup->data.t1.list[0].x = 0;
+             floor_setup->data.t1.list[1].x = (1 << rangebits);
++	    if (floor_setup->data.t1.list[1].x > vc->blocksize[1] / 2) {
++		av_log(vc->avccontext, AV_LOG_ERROR,
++		       "Floor value is too large for blocksize: %d (%d)\n",
++		       floor_setup->data.t1.list[1].x, vc->blocksize[1] / 2);
++		return -1;
++	    }
+ 
+             for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
+                 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
+@@ -653,7 +659,7 @@ static int vorbis_parse_setup_hdr_residu
+         res_setup->partition_size = get_bits(gb, 24) + 1;
+         /* Validations to prevent a buffer overflow later. */
+         if (res_setup->begin>res_setup->end ||
+-            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
++            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
+             (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
+             return -1;
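Review bot: the new `debian/patches/68115.patch` carries no DEP-3 header before its first `+--- a/src/third_party/ffmpeg/...` line, so nothing in the file records what it fixes or where it came from; add at least `Description:` and `Origin:` lines pointing at the upstream change for the Vorbis decoder overflows named in the changelog. On the code: the added floor check `if (floor_setup->data.t1.list[1].x > vc->blocksize[1] / 2)` rejects a `rangebits` value that would place the second floor point beyond half of the long block, and it sits before the loop that fills the remaining `list[]` entries, which is the right place to fail early; returning -1 matches the convention of the existing residue validation in the second hunk. That second hunk replaces the `/ (res_setup->type == 2 ? 1 : 2)` divisor with a plain `/ 2`, so `res_setup->end` is now bounded by `channels * blocksize[1] / 2` for every residue type; this tightens rather than relaxes the check, and the unchanged error message, which already prints `vc->blocksize[1] / 2`, now agrees with the bound it reports. One style nit: the six added lines in the first hunk are tab-indented while the surrounding ffmpeg code uses spaces; converting them to spaces keeps the vendored patch consistent with the file it modifies.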

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-01-14 14:57:15 +0000
+++ b/debian/patches/series	2011-01-14 15:30:23 +0000
@@ -45,3 +45,4 @@
 66560.patch
 66748.patch
 67363.patch
+68115.patch
