File libvorbis-CVE-2018-5146.patch of Package libvorbis.openSUSE_Leap_42.3_Update

Overview Repositories Revisions Requests Users Attributes Meta

File libvorbis-CVE-2018-5146.patch of Package libvorbis.openSUSE_Leap_42.3_Update

Fix out of bounds memory write while processing Vorbis audio data

Taken from firefox fix patch (CVE-2018-5146, bsc#1085687)

# HG changeset patch
# User Monty Montgomery <monty@xiph.org>
# Date 1521151925 14400
# Node ID 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
# Parent  f2eb8ad26a29ec9715a1994b982cbe35a3ba3a12
Bug 1446062 - Vorbis fix. r=jmspeex, a=lizzard

---
 lib/codebook.c |   48 ++++++++++--------------------------------------
 1 file changed, 10 insertions(+), 38 deletions(-)

--- a/lib/codebook.c
+++ b/lib/codebook.c
@@ -381,7 +381,7 @@ long vorbis_book_decodevs_add(codebook *
       t[i] = book->valuelist+entry[i]*book->dim;
     }
     for(i=0,o=0;i<book->dim;i++,o+=step)
-      for (j=0;j<step;j++)
+      for (j=0;o+j<n && j<step;j++)
         a[o+j]+=t[j][i];
   }
   return(0);
@@ -393,41 +393,12 @@ long vorbis_book_decodev_add(codebook *b
     int i,j,entry;
     float *t;
 
-    if(book->dim>8){
-      for(i=0;i<n;){
-        entry = decode_packed_entry_number(book,b);
-        if(entry==-1)return(-1);
-        t     = book->valuelist+entry*book->dim;
-        for (j=0;j<book->dim;)
-          a[i++]+=t[j++];
-      }
-    }else{
-      for(i=0;i<n;){
-        entry = decode_packed_entry_number(book,b);
-        if(entry==-1)return(-1);
-        t     = book->valuelist+entry*book->dim;
-        j=0;
-        switch((int)book->dim){
-        case 8:
-          a[i++]+=t[j++];
-        case 7:
-          a[i++]+=t[j++];
-        case 6:
-          a[i++]+=t[j++];
-        case 5:
-          a[i++]+=t[j++];
-        case 4:
-          a[i++]+=t[j++];
-        case 3:
-          a[i++]+=t[j++];
-        case 2:
-          a[i++]+=t[j++];
-        case 1:
-          a[i++]+=t[j++];
-        case 0:
-          break;
-        }
-      }
+    for(i=0;i<n;){
+      entry = decode_packed_entry_number(book,b);
+      if(entry==-1)return(-1);
+      t     = book->valuelist+entry*book->dim;
+      for(j=0;i<n && j<book->dim;)
+        a[i++]+=t[j++];
     }
   }
   return(0);
@@ -465,12 +436,13 @@ long vorbis_book_decodevv_add(codebook *
   long i,j,entry;
   int chptr=0;
   if(book->used_entries>0){
-    for(i=offset/ch;i<(offset+n)/ch;){
+    int m=(offset+n)/ch;
+    for(i=offset/ch;i<m;){
       entry = decode_packed_entry_number(book,b);
       if(entry==-1)return(-1);
       {
         const float *t = book->valuelist+entry*book->dim;
-        for (j=0;j<book->dim;j++){
+        for (j=0;i<m && j<book->dim;j++){
           a[chptr++][i]+=t[j];
           if(chptr==ch){
             chptr=0;

Places

File libvorbis-CVE-2018-5146.patch of Package libvorbis.openSUSE_Leap_42.3_Update

Places