
* add code to prevent heap attacks by exploiting dim=bignum and

partition_codewords = partition_values
* correctly handle the nonsensical codebook.dim==0 case
* add checks/rejection for absurdly huge codebooks

Obtained from:	Xiph SVN
Security:	http://www.vuxml.org/freebsd/f5a76faf-244c-11dd-b143-0211d880e350
Christian Weisgerber 2008-05-17 20:28:41 +00:00
parent 8aaeb29542
commit 09ea3216e5
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=213217
3 changed files with 59 additions and 1 deletions


@ -7,7 +7,7 @@
PORTNAME= libvorbis
PORTVERSION= 1.2.0
PORTREVISION= 1
PORTREVISION= 2
PORTEPOCH= 3
CATEGORIES= audio
MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ \


@ -0,0 +1,23 @@
$FreeBSD$
--- lib/codebook.c.orig
+++ lib/codebook.c
@@ -159,6 +159,8 @@
s->entries=oggpack_read(opb,24);
if(s->entries==-1)goto _eofout;
+ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
+
/* codeword ordering.... length ordered or unordered? */
switch((int)oggpack_read(opb,1)){
case 0:
@@ -225,7 +227,7 @@
int quantvals=0;
switch(s->maptype){
case 1:
- quantvals=_book_maptype1_quantvals(s);
+ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
break;
case 2:
quantvals=s->entries*s->dim;
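Review bot: The new guard `if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;` in the first hunk has no comment saying what the 24-bit limit protects, and it rejects a malformed book through the same `_eofout` label used for a failed read. Judging from `quantvals=s->entries*s->dim;` in the second hunk, the intent appears to be keeping the dim*entries product small enough that later size arithmetic cannot overflow; I would state that in place, e.g. `/* reject books whose dim*entries could overflow later size computations */`. The guard still lets `s->dim==0` through and only the maptype 1 branch is special-cased for it, so it is worth confirming that no other consumer of the book divides by `dim`. The enclosing function starts and ends outside both hunks.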


@ -0,0 +1,35 @@
$FreeBSD$
--- lib/res0.c.orig
+++ lib/res0.c
@@ -223,6 +223,20 @@
for(j=0;j<acc;j++)
if(info->booklist[j]>=ci->books)goto errout;
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+ int partvals = 1;
+ while(dim>0){
+ partvals *= info->partitions;
+ if(partvals > entries) goto errout;
+ dim--;
+ }
+ if(partvals != entries) goto errout;
+ }
+
return(info);
errout:
res0_free_info(info);
@@ -263,7 +277,7 @@
}
}
- look->partvals=rint(pow((float)look->parts,(float)dim));
+ look->partvals=look->phrasebook->entries;
look->stages=maxstage;
look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
for(j=0;j<look->partvals;j++){
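Review bot: The consistency loop added in the first hunk is skipped entirely when the group book's `dim` is 0, so a phrasebook with `dim==0` and `entries==1` passes `if(partvals != entries) goto errout;` with `partvals` still 1. The codebook.c patch in this same commit lets `dim==0` books unpack, so the case is reachable from untrusted input, and any residue code that later divides by or sizes an allocation from the phrasebook dimension would see zero (that code is outside the hunk, so this is inferred). I would reject it up front with `if(dim<1)goto errout;` placed before the `while`. Separately, `ci->book_param[info->groupbook]` is indexed here while the visible context only range-checks `info->booklist[j]`; confirm `info->groupbook` is compared against `ci->books` above the hunk. The second hunk sizes `decodemap` from `phrasebook->entries` and is only sound because of this validation, so a one-line comment there pointing back to the unpack check would help.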