[libvorbisidec] 01/01: Import Debian changes 1.0.2+svn18153-0.2+deb7u1
Petter Reinholdtsen
pere at moszumanska.debian.org
Fri Apr 6 14:19:23 UTC 2018
This is an automated email from the git hooks/post-receive script.
pere pushed a commit to annotated tag debian/1.0.2+svn18153-0.2+deb7u1
in repository libvorbisidec.
commit 18b3916c190d4484b1fe0dbdd0c288b8825eaeda
Author: Thorsten Alteholz <debian at alteholz.de>
Date: Wed Mar 21 20:53:05 2018 +0100
Import Debian changes 1.0.2+svn18153-0.2+deb7u1
libvorbisidec (1.0.2+svn18153-0.2+deb7u1) wheezy-security; urgency=low
* Non-maintainer upload by the Wheezy LTS Team.
* Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
---
codebook.c | 18 +++++++++---------
debian/changelog | 7 +++++++
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/codebook.c b/codebook.c
index f8b7983..1e1ae8a 100644
--- a/codebook.c
+++ b/codebook.c
@@ -258,7 +258,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
t[i] = book->valuelist+entry[i]*book->dim;
}
for(i=0,o=0;i<book->dim;i++,o+=step)
- for (j=0;j<step;j++)
+ for (j=0;o+j<n && j<step;j++)
a[o+j]+=t[j][i]>>shift;
}else{
for (i = 0; i < step; i++) {
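Review bot: The new `o+j<n` condition in the inner loop of the `shift>=0` branch has no comment saying what it protects, and the same is true of the matching loop in the `else` branch in the next hunk. Whether `book->dim*step` can exceed `n` depends on how `step` is computed, which lies outside this hunk, so a later reader could take the test for redundant and drop it. Assuming `n` is the number of elements the caller provides in `a`, I would add `/* never write past a[n-1], whatever dim and step say (CVE-2018-5147) */` above both loops. vorbis_book_decodevs_add starts and ends outside the hunk.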
@@ -267,7 +267,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
t[i] = book->valuelist+entry[i]*book->dim;
}
for(i=0,o=0;i<book->dim;i++,o+=step)
- for (j=0;j<step;j++)
+ for (j=0;o+j<n && j<step;j++)
a[o+j]+=t[j][i]<<-shift;
}
}
@@ -287,7 +287,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;)
+ for (j=0;i<n && j<book->dim;)
a[i++]+=t[j++]>>shift;
}
}else{
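Review bot: The added `i<n` test in `for (j=0;i<n && j<book->dim;)` silently clips the last codebook entry when fewer than `book->dim` slots remain, here and in the `<<-shift` branch of the next hunk. The return path is outside the hunk, but if the function still reports success, the caller cannot tell a clipped entry from a complete one. A stream whose `n` is not a multiple of `book->dim` would then leave no trace for anyone diagnosing malformed input. If clipping is the intended behaviour, record it next to the loop, e.g. `/* a partial final entry is truncated to n, not treated as an error */`.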
@@ -295,7 +295,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;)
+ for (j=0;i<n && j<book->dim;)
a[i++]+=t[j++]<<-shift;
}
}
@@ -352,15 +352,15 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
long i,j,entry;
int chptr=0;
int shift=point-book->binarypoint;
-
+ int m=offset+n;
if(shift>=0){
- for(i=offset;i<offset+n;){
+ for(i=offset;i<m;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
{
const ogg_int32_t *t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=t[j]>>shift;
if(chptr==ch){
chptr=0;
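Review bot: `int m=offset+n;` stores the loop bound in an `int`, although the index it is compared against is declared `long i` a few lines above. The parameter list is cut off in the hunk header, so the type of `offset` is not visible. If it is also `long`, the sum is narrowed before the `i<m` comparisons in this hunk and the next one, and the bound guarding the write `a[chptr++][i]` could differ from `offset+n`. Declaring it as `long m=offset+n;` keeps the bound in the same type as the index.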
@@ -371,12 +371,12 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
}
}else{
- for(i=offset;i<offset+n;){
+ for(i=offset;i<m;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
{
const ogg_int32_t *t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=t[j]<<-shift;
if(chptr==ch){
chptr=0;
diff --git a/debian/changelog b/debian/changelog
index 4114869..43f07b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libvorbisidec (1.0.2+svn18153-0.2+deb7u1) wheezy-security; urgency=low
+
+ * Non-maintainer upload by the Wheezy LTS Team.
+ * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147)
+
+ -- Thorsten Alteholz <debian at alteholz.de> Wed, 21 Mar 2018 20:53:05 +0100
+
libvorbisidec (1.0.2+svn18153-0.2) unstable; urgency=low
* Non-maintainer upload.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xiph/libvorbisidec.git