From ef8ece7326a1db2ab594a18a69da507605d29c71 Mon Sep 17 00:00:00 2001
From: drochner <drochner@pkgsrc.org>
Date: Wed, 14 May 2008 16:36:18 +0000
Subject: pull some patches from upstream CVS to fix integer overflows / buffer
 overflows (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423), bump PKGREVISION

---
 audio/libvorbis/Makefile         |  3 ++-
 audio/libvorbis/distinfo         |  4 +++-
 audio/libvorbis/patches/patch-aa | 34 ++++++++++++++++++++++++++++++++++
 audio/libvorbis/patches/patch-ab | 22 ++++++++++++++++++++++
 4 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 audio/libvorbis/patches/patch-aa
 create mode 100644 audio/libvorbis/patches/patch-ab

(limited to 'audio')

diff --git a/audio/libvorbis/Makefile b/audio/libvorbis/Makefile
index 44fe0536ba1..890e1713997 100644
--- a/audio/libvorbis/Makefile
+++ b/audio/libvorbis/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2007/07/28 07:58:48 wiz Exp $
+# $NetBSD: Makefile,v 1.47 2008/05/14 16:36:18 drochner Exp $
 
 DISTNAME=	libvorbis-1.2.0
+PKGREVISION=	1
 CATEGORIES=	devel audio
 MASTER_SITES=	http://downloads.xiph.org/releases/vorbis/
 
diff --git a/audio/libvorbis/distinfo b/audio/libvorbis/distinfo
index 75650020361..e4388de3f91 100644
--- a/audio/libvorbis/distinfo
+++ b/audio/libvorbis/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.14 2007/07/28 07:58:48 wiz Exp $
+$NetBSD: distinfo,v 1.15 2008/05/14 16:36:18 drochner Exp $
 
 SHA1 (libvorbis-1.2.0.tar.gz) = 6ff5f9d9d71cc385ee180171cc21af5653b76a16
 RMD160 (libvorbis-1.2.0.tar.gz) = 54bf2b48943e283f003cd5dfb4bf9e519b6a817d
 Size (libvorbis-1.2.0.tar.gz) = 1494373 bytes
+SHA1 (patch-aa) = 8d6d491a75531eb0527da6218eeb123692ae747e
+SHA1 (patch-ab) = 07c6ef26df0adf1abce4b96a6aff512ed1d6597a
diff --git a/audio/libvorbis/patches/patch-aa b/audio/libvorbis/patches/patch-aa
new file mode 100644
index 00000000000..68a94ca9833
--- /dev/null
+++ b/audio/libvorbis/patches/patch-aa
@@ -0,0 +1,34 @@
+$NetBSD: patch-aa,v 1.3 2008/05/14 16:36:18 drochner Exp $
+
+--- ./lib/res0.c.orig	2007-07-24 02:09:47.000000000 +0200
++++ ./lib/res0.c
+@@ -223,6 +223,20 @@ vorbis_info_residue *res0_unpack(vorbis_
+   for(j=0;j<acc;j++)
+     if(info->booklist[j]>=ci->books)goto errout;
+ 
++  /* verify the phrasebook is not specifying an impossible or
++     inconsistent partitioning scheme. */
++  {
++    int entries = ci->book_param[info->groupbook]->entries;
++    int dim = ci->book_param[info->groupbook]->dim;
++    int partvals = 1;
++    while(dim>0){
++      partvals *= info->partitions;
++      if(partvals > entries) goto errout;
++      dim--;
++    }
++    if(partvals != entries) goto errout;
++  }
++
+   return(info);
+  errout:
+   res0_free_info(info);
+@@ -263,7 +277,7 @@ vorbis_look_residue *res0_look(vorbis_ds
+     }
+   }
+ 
+-  look->partvals=rint(pow((float)look->parts,(float)dim));
++  look->partvals=look->phrasebook->entries;
+   look->stages=maxstage;
+   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
+   for(j=0;j<look->partvals;j++){
diff --git a/audio/libvorbis/patches/patch-ab b/audio/libvorbis/patches/patch-ab
new file mode 100644
index 00000000000..43a4f0c7eb4
--- /dev/null
+++ b/audio/libvorbis/patches/patch-ab
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.3 2008/05/14 16:36:18 drochner Exp $
+
+--- ./lib/codebook.c.orig	2008-05-14 18:17:20.000000000 +0200
++++ ./lib/codebook.c
+@@ -159,6 +159,8 @@ int vorbis_staticbook_unpack(oggpack_buf
+   s->entries=oggpack_read(opb,24);
+   if(s->entries==-1)goto _eofout;
+ 
++  if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
++
+   /* codeword ordering.... length ordered or unordered? */
+   switch((int)oggpack_read(opb,1)){
+   case 0:
+@@ -225,7 +227,7 @@ int vorbis_staticbook_unpack(oggpack_buf
+       int quantvals=0;
+       switch(s->maptype){
+       case 1:
+-	quantvals=_book_maptype1_quantvals(s);
++	quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+ 	break;
+       case 2:
+ 	quantvals=s->entries*s->dim;
-- 
cgit v1.2.3