authormaya <maya@pkgsrc.org>2018-03-26 23:33:24 +0000
committermaya <maya@pkgsrc.org>2018-03-26 23:33:24 +0000
commitf6945103e34b9d880be119466b30708fb55c8383 (patch)
tree39db3d14f0123c9ddfaf45cd26d3b4cd00ac2da6 /www/firefox52/patches
parent737c3f3e7ad284524fc52f61408a5d9c0f476363 (diff)
downloadpkgsrc-f6945103e34b9d880be119466b30708fb55c8383.tar.gz
firefox52: update to 52.7.3
CVE-2018-5148: Use-after-free in compositor. A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference-counted one. This results in a potentially exploitable crash.
Diffstat (limited to 'www/firefox52/patches')
-rw-r--r--www/firefox52/patches/patch-CVE-2018-514779
1 files changed, 0 insertions, 79 deletions
diff --git a/www/firefox52/patches/patch-CVE-2018-5147 b/www/firefox52/patches/patch-CVE-2018-5147
deleted file mode 100644
index c544107784c..00000000000
--- a/www/firefox52/patches/patch-CVE-2018-5147
+++ /dev/null
@@ -1,79 +0,0 @@
-$NetBSD: patch-CVE-2018-5147,v 1.1 2018/03/17 00:23:15 maya Exp $
-
-CVE-2018-5147: Prevent out-of-bounds write in codebook decoding.
-
-Codebooks that are not an exact divisor of the partition size are now
-truncated to fit within the partition.
-
---- media/libtremor/lib/tremor_codebook.c.orig 2017-04-11 02:13:12.000000000 +0000
-+++ media/libtremor/lib/tremor_codebook.c
-@@ -258,7 +258,7 @@ long vorbis_book_decodevs_add(codebook *
- t[i] = book->valuelist+entry[i]*book->dim;
- }
- for(i=0,o=0;i<book->dim;i++,o+=step)
-- for (j=0;j<step;j++)
-+ for (j=0;o+j<n && j<step;j++)
- a[o+j]+=t[j][i]>>shift;
- }else{
- for (i = 0; i < step; i++) {
-@@ -267,7 +267,7 @@ long vorbis_book_decodevs_add(codebook *
- t[i] = book->valuelist+entry[i]*book->dim;
- }
- for(i=0,o=0;i<book->dim;i++,o+=step)
-- for (j=0;j<step;j++)
-+ for (j=0;o+j<n && j<step;j++)
- a[o+j]+=t[j][i]<<-shift;
- }
- }
-@@ -287,7 +287,7 @@ long vorbis_book_decodev_add(codebook *b
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;)
-+ for (j=0;i<n && j<book->dim;)
- a[i++]+=t[j++]>>shift;
- }
- }else{
-@@ -295,7 +295,7 @@ long vorbis_book_decodev_add(codebook *b
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;)
-+ for (j=0;i<n && j<book->dim;)
- a[i++]+=t[j++]<<-shift;
- }
- }
-@@ -352,15 +352,15 @@ long vorbis_book_decodevv_add(codebook *
- long i,j,entry;
- int chptr=0;
- int shift=point-book->binarypoint;
--
-+ int m=offset+n;
- if(shift>=0){
-
-- for(i=offset;i<offset+n;){
-+ for(i=offset;i<m;){
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- {
- const ogg_int32_t *t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;j++){
-+ for (j=0;i<m && j<book->dim;j++){
- a[chptr++][i]+=t[j]>>shift;
- if(chptr==ch){
- chptr=0;
-@@ -371,12 +371,12 @@ long vorbis_book_decodevv_add(codebook *
- }
- }else{
-
-- for(i=offset;i<offset+n;){
-+ for(i=offset;i<m;){
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- {
- const ogg_int32_t *t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;j++){
-+ for (j=0;i<m && j<book->dim;j++){
- a[chptr++][i]+=t[j]<<-shift;
- if(chptr==ch){
- chptr=0;