From ef8ece7326a1db2ab594a18a69da507605d29c71 Mon Sep 17 00:00:00 2001 From: drochner Date: Wed, 14 May 2008 16:36:18 +0000 Subject: pull some patches from upstream CVS to fix integer overflows / buffer overflows (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423), bump PKGREVISION --- audio/libvorbis/Makefile | 3 ++- audio/libvorbis/distinfo | 4 +++- audio/libvorbis/patches/patch-aa | 34 ++++++++++++++++++++++++++++++++++ audio/libvorbis/patches/patch-ab | 22 ++++++++++++++++++++++ 4 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 audio/libvorbis/patches/patch-aa create mode 100644 audio/libvorbis/patches/patch-ab (limited to 'audio') diff --git a/audio/libvorbis/Makefile b/audio/libvorbis/Makefile index 44fe0536ba1..890e1713997 100644 --- a/audio/libvorbis/Makefile +++ b/audio/libvorbis/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.46 2007/07/28 07:58:48 wiz Exp $ +# $NetBSD: Makefile,v 1.47 2008/05/14 16:36:18 drochner Exp $ DISTNAME= libvorbis-1.2.0 +PKGREVISION= 1 CATEGORIES= devel audio MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ diff --git a/audio/libvorbis/distinfo b/audio/libvorbis/distinfo index 75650020361..e4388de3f91 100644 --- a/audio/libvorbis/distinfo +++ b/audio/libvorbis/distinfo @@ -1,5 +1,7 @@ -$NetBSD: distinfo,v 1.14 2007/07/28 07:58:48 wiz Exp $ +$NetBSD: distinfo,v 1.15 2008/05/14 16:36:18 drochner Exp $ SHA1 (libvorbis-1.2.0.tar.gz) = 6ff5f9d9d71cc385ee180171cc21af5653b76a16 RMD160 (libvorbis-1.2.0.tar.gz) = 54bf2b48943e283f003cd5dfb4bf9e519b6a817d Size (libvorbis-1.2.0.tar.gz) = 1494373 bytes +SHA1 (patch-aa) = 8d6d491a75531eb0527da6218eeb123692ae747e +SHA1 (patch-ab) = 07c6ef26df0adf1abce4b96a6aff512ed1d6597a diff --git a/audio/libvorbis/patches/patch-aa b/audio/libvorbis/patches/patch-aa new file mode 100644 index 00000000000..68a94ca9833 --- /dev/null +++ b/audio/libvorbis/patches/patch-aa @@ -0,0 +1,34 @@ +$NetBSD: patch-aa,v 1.3 2008/05/14 16:36:18 drochner Exp $ + +--- ./lib/res0.c.orig 2007-07-24 02:09:47.000000000 +0200 ++++ ./lib/res0.c +@@ -223,6 +223,20 @@ vorbis_info_residue *res0_unpack(vorbis_ + for(j=0;jbooklist[j]>=ci->books)goto errout; + ++ /* verify the phrasebook is not specifying an impossible or ++ inconsistent partitioning scheme. */ ++ { ++ int entries = ci->book_param[info->groupbook]->entries; ++ int dim = ci->book_param[info->groupbook]->dim; ++ int partvals = 1; ++ while(dim>0){ ++ partvals *= info->partitions; ++ if(partvals > entries) goto errout; ++ dim--; ++ } ++ if(partvals != entries) goto errout; ++ } ++ + return(info); + errout: + res0_free_info(info); +@@ -263,7 +277,7 @@ vorbis_look_residue *res0_look(vorbis_ds + } + } + +- look->partvals=rint(pow((float)look->parts,(float)dim)); ++ look->partvals=look->phrasebook->entries; + look->stages=maxstage; + look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap)); + for(j=0;jpartvals;j++){ diff --git a/audio/libvorbis/patches/patch-ab b/audio/libvorbis/patches/patch-ab new file mode 100644 index 00000000000..43a4f0c7eb4 --- /dev/null +++ b/audio/libvorbis/patches/patch-ab @@ -0,0 +1,22 @@ +$NetBSD: patch-ab,v 1.3 2008/05/14 16:36:18 drochner Exp $ + +--- ./lib/codebook.c.orig 2008-05-14 18:17:20.000000000 +0200 ++++ ./lib/codebook.c +@@ -159,6 +159,8 @@ int vorbis_staticbook_unpack(oggpack_buf + s->entries=oggpack_read(opb,24); + if(s->entries==-1)goto _eofout; + ++ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout; ++ + /* codeword ordering.... length ordered or unordered? */ + switch((int)oggpack_read(opb,1)){ + case 0: +@@ -225,7 +227,7 @@ int vorbis_staticbook_unpack(oggpack_buf + int quantvals=0; + switch(s->maptype){ + case 1: +- quantvals=_book_maptype1_quantvals(s); ++ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s)); + break; + case 2: + quantvals=s->entries*s->dim; -- cgit v1.2.3