Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12-SP1:GA
libvorbis.7353
libvorbis-CVE-2018-5146.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libvorbis-CVE-2018-5146.patch of Package libvorbis.7353
Fix out of bounds memory write while processing Vorbis audio data Taken from firefox fix patch (CVE-2018-5146, bsc#1085687) # HG changeset patch # User Monty Montgomery <monty@xiph.org> # Date 1521151925 14400 # Node ID 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a # Parent f2eb8ad26a29ec9715a1994b982cbe35a3ba3a12 Bug 1446062 - Vorbis fix. r=jmspeex, a=lizzard --- lib/codebook.c | 48 ++++++++++-------------------------------------- 1 file changed, 10 insertions(+), 38 deletions(-) --- a/lib/codebook.c +++ b/lib/codebook.c @@ -381,7 +381,7 @@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;i<book->dim;i++,o+=step) - for (j=0;j<step;j++) + for (j=0;o+j<n && j<step;j++) a[o+j]+=t[j][i]; } return(0); @@ -393,41 +393,12 @@ long vorbis_book_decodev_add(codebook *b int i,j,entry; float *t; - if(book->dim>8){ - for(i=0;i<n;){ - entry = decode_packed_entry_number(book,b); - if(entry==-1)return(-1); - t = book->valuelist+entry*book->dim; - for (j=0;j<book->dim;) - a[i++]+=t[j++]; - } - }else{ - for(i=0;i<n;){ - entry = decode_packed_entry_number(book,b); - if(entry==-1)return(-1); - t = book->valuelist+entry*book->dim; - j=0; - switch((int)book->dim){ - case 8: - a[i++]+=t[j++]; - case 7: - a[i++]+=t[j++]; - case 6: - a[i++]+=t[j++]; - case 5: - a[i++]+=t[j++]; - case 4: - a[i++]+=t[j++]; - case 3: - a[i++]+=t[j++]; - case 2: - a[i++]+=t[j++]; - case 1: - a[i++]+=t[j++]; - case 0: - break; - } - } + for(i=0;i<n;){ + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + t = book->valuelist+entry*book->dim; + for(j=0;i<n && j<book->dim;) + a[i++]+=t[j++]; } } return(0); @@ -465,12 +436,13 @@ long vorbis_book_decodevv_add(codebook * long i,j,entry; int chptr=0; if(book->used_entries>0){ - for(i=offset/ch;i<(offset+n)/ch;){ + int m=(offset+n)/ch; + for(i=offset/ch;i<m;){ entry = decode_packed_entry_number(book,b); if(entry==-1)return(-1); { const float *t = book->valuelist+entry*book->dim; - for (j=0;j<book->dim;j++){ + for (j=0;i<m && j<book->dim;j++){ a[chptr++][i]+=t[j]; if(chptr==ch){ chptr=0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor