libvorbis: CVE-2018-5146
Prevent out-of-bounds write in codebook decoding. The bug could allow code execution from a specially crafted Ogg Vorbis file. References: https://www.debian.org/security/2018/dsa-4140 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146 (From OE-Core rev: 5c880fe974907195c563b5580cb43b3b2fb92203) Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
8950d4ffc4
commit
d748513116
|
@ -0,0 +1,100 @@
|
|||
From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Daede <daede003@umn.edu>
|
||||
Date: Thu, 15 Mar 2018 14:15:31 -0700
|
||||
Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook
|
||||
decoding.
|
||||
|
||||
Codebooks that are not an exact divisor of the partition size are now
|
||||
truncated to fit within the partition.
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2018-5146
|
||||
|
||||
Reference to upstream patch:
|
||||
https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
|
||||
|
||||
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
|
||||
---
|
||||
lib/codebook.c | 48 ++++++++++--------------------------------------
|
||||
1 file changed, 10 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/lib/codebook.c b/lib/codebook.c
|
||||
index 8b766e8..7022fd2 100644
|
||||
--- a/lib/codebook.c
|
||||
+++ b/lib/codebook.c
|
||||
@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
|
||||
t[i] = book->valuelist+entry[i]*book->dim;
|
||||
}
|
||||
for(i=0,o=0;i<book->dim;i++,o+=step)
|
||||
- for (j=0;j<step;j++)
|
||||
+ for (j=0;o+j<n && j<step;j++)
|
||||
a[o+j]+=t[j][i];
|
||||
}
|
||||
return(0);
|
||||
@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
|
||||
int i,j,entry;
|
||||
float *t;
|
||||
|
||||
- if(book->dim>8){
|
||||
- for(i=0;i<n;){
|
||||
- entry = decode_packed_entry_number(book,b);
|
||||
- if(entry==-1)return(-1);
|
||||
- t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;)
|
||||
- a[i++]+=t[j++];
|
||||
- }
|
||||
- }else{
|
||||
- for(i=0;i<n;){
|
||||
- entry = decode_packed_entry_number(book,b);
|
||||
- if(entry==-1)return(-1);
|
||||
- t = book->valuelist+entry*book->dim;
|
||||
- j=0;
|
||||
- switch((int)book->dim){
|
||||
- case 8:
|
||||
- a[i++]+=t[j++];
|
||||
- case 7:
|
||||
- a[i++]+=t[j++];
|
||||
- case 6:
|
||||
- a[i++]+=t[j++];
|
||||
- case 5:
|
||||
- a[i++]+=t[j++];
|
||||
- case 4:
|
||||
- a[i++]+=t[j++];
|
||||
- case 3:
|
||||
- a[i++]+=t[j++];
|
||||
- case 2:
|
||||
- a[i++]+=t[j++];
|
||||
- case 1:
|
||||
- a[i++]+=t[j++];
|
||||
- case 0:
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
+ for(i=0;i<n;){
|
||||
+ entry = decode_packed_entry_number(book,b);
|
||||
+ if(entry==-1)return(-1);
|
||||
+ t = book->valuelist+entry*book->dim;
|
||||
+ for(j=0;i<n && j<book->dim;)
|
||||
+ a[i++]+=t[j++];
|
||||
}
|
||||
}
|
||||
return(0);
|
||||
@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
|
||||
long i,j,entry;
|
||||
int chptr=0;
|
||||
if(book->used_entries>0){
|
||||
- for(i=offset/ch;i<(offset+n)/ch;){
|
||||
+ int m=(offset+n)/ch;
|
||||
+ for(i=offset/ch;i<m;){
|
||||
entry = decode_packed_entry_number(book,b);
|
||||
if(entry==-1)return(-1);
|
||||
{
|
||||
const float *t = book->valuelist+entry*book->dim;
|
||||
- for (j=0;j<book->dim;j++){
|
||||
+ for (j=0;i<m && j<book->dim;j++){
|
||||
a[chptr++][i]+=t[j];
|
||||
if(chptr==ch){
|
||||
chptr=0;
|
||||
--
|
||||
2.16.2
|
||||
|
|
@ -14,6 +14,7 @@ SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
|
|||
file://0001-configure-Check-for-clang.patch \
|
||||
file://CVE-2017-14633.patch \
|
||||
file://CVE-2017-14632.patch \
|
||||
file://CVE-2018-5146.patch \
|
||||
"
|
||||
SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
|
||||
SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
|
||||
|
|
Loading…
Reference in New Issue