[libvorbis] 01/01: Import Debian changes 1.3.5-4.2
Petter Reinholdtsen
pere at moszumanska.debian.org
Sat Mar 17 10:30:15 UTC 2018
This is an automated email from the git hooks/post-receive script.
pere pushed a commit to branch master
in repository libvorbis.
commit 5f3242e6a8500464bd48d5a319799c795bf87c08
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Mar 16 22:26:37 2018 +0100
Import Debian changes 1.3.5-4.2
libvorbis (1.3.5-4.2) unstable; urgency=medium
* Non-maintainer upload.
* Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)
(Closes: #893130)
---
debian/changelog | 8 ++
...46-Prevent-out-of-bounds-write-in-codeboo.patch | 93 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 102 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1b972b4..47ee802 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvorbis (1.3.5-4.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Prevent out-of-bounds write in codebook decoding (CVE-2018-5146)
+ (Closes: #893130)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 16 Mar 2018 22:26:37 +0100
+
libvorbis (1.3.5-4.1) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch b/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
new file mode 100644
index 0000000..6873eb7
--- /dev/null
+++ b/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
@@ -0,0 +1,93 @@
+From: Thomas Daede <daede003 at umn.edu>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
+Origin: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+Bug-Debian: https://bugs.debian.org/893130
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5146
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+diff --git a/lib/codebook.c b/lib/codebook.c
+index 321a28f..78672e2 100644
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -386,7 +386,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i];
+ }
+ return(0);
+@@ -398,41 +398,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ int i,j,entry;
+ float *t;
+
+- if(book->dim>8){
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
+- a[i++]+=t[j++];
+- }
+- }else{
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- j=0;
+- switch((int)book->dim){
+- case 8:
+- a[i++]+=t[j++];
+- case 7:
+- a[i++]+=t[j++];
+- case 6:
+- a[i++]+=t[j++];
+- case 5:
+- a[i++]+=t[j++];
+- case 4:
+- a[i++]+=t[j++];
+- case 3:
+- a[i++]+=t[j++];
+- case 2:
+- a[i++]+=t[j++];
+- case 1:
+- a[i++]+=t[j++];
+- case 0:
+- break;
+- }
+- }
++ for(i=0;i<n;){
++ entry = decode_packed_entry_number(book,b);
++ if(entry==-1)return(-1);
++ t = book->valuelist+entry*book->dim;
++ for(j=0;i<n && j<book->dim;)
++ a[i++]+=t[j++];
+ }
+ }
+ return(0);
+@@ -470,12 +441,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
+ long i,j,entry;
+ int chptr=0;
+ if(book->used_entries>0){
+- for(i=offset/ch;i<(offset+n)/ch;){
++ int m=(offset+n)/ch;
++ for(i=offset/ch;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const float *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j];
+ if(chptr==ch){
+ chptr=0;
+--
+2.16.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 411ff15..2b9f0a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
0002-Avoid-SIGFPE-when-bytespersample-is-zero.patch
CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
+CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xiph/libvorbis.git
More information about the pkg-xiph-commits
mailing list