File libvorbis-r16222-CVE-2009-2663.diff of Package libvorbis
---
 lib/codebook.c | 1 +
 lib/floor1.c | 2 ++
 lib/info.c | 21 +++++++++++----------
 lib/mapping0.c | 23 ++++++++++++++---------
 4 files changed, 28 insertions(+), 19 deletions(-)
--- a/lib/codebook.c
+++ b/lib/codebook.c
@@ -222,6 +222,7 @@
 s->q_delta=oggpack_read(opb,32);
 s->q_quant=oggpack_read(opb,4)+1;
 s->q_sequencep=oggpack_read(opb,1);
+ if(s->q_sequencep==-1)goto _eofout;
 {
 int quantvals=0;
--- a/lib/floor1.c
+++ b/lib/floor1.c
@@ -148,6 +148,7 @@
 info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */
 for(j=0;j<info->partitions;j++){
 info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */
+ if(info->partitionclass[j]<0)goto err_out;
 if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];
 }
@@ -170,6 +171,7 @@
 /* read the post list */
 info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
 rangebits=oggpack_read(opb,4);
+ if(rangebits<0)goto err_out;
 for(j=0,k=0;j<info->partitions;j++){
 count+=info->class_dim[info->partitionclass[j]];
--- a/lib/info.c
+++ b/lib/info.c
@@ -239,8 +239,10 @@
 if(vendorlen>opb->storage-8)goto err_out;
 vc->vendor=_ogg_calloc(vendorlen+1,1);
 _v_readstring(opb,vc->vendor,vendorlen);
- vc->comments=oggpack_read(opb,32);
- if(vc->comments<0)goto err_out;
+ i=oggpack_read(opb,32);
+ if(i<0)goto err_out;
+ if(i>((opb->storage-oggpack_bytes(opb))>>2))goto err_out;
+ vc->comments=i;
 vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
 vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
@@ -269,7 +271,7 @@
 /* codebooks */
 ci->books=oggpack_read(opb,8)+1;
- /*ci->book_param=_ogg_calloc(ci->books,sizeof(*ci->book_param));*/
+ if(ci->books<=0)goto err_out;
 for(i=0;i<ci->books;i++){
 ci->book_param[i]=_ogg_calloc(1,sizeof(*ci->book_param[i]));
 if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;
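Review bot: In lib/codebook.c (hunk `@@ -222,6 +222,7 @@`) the new end-of-packet test is written `==-1`, while every other check this patch adds uses `<0`; `if(s->q_sequencep<0)goto _eofout;` would match them. The test also covers only the last read, so `q_delta` and `q_quant` are guarded only if a failed `oggpack_read` keeps failing on later calls, which is presumably the case but is not shown on this page. A comment such as `/* reads past the end of the packet keep returning -1, so this also covers the fields above */` would make that dependency explicit. The enclosing function starts and ends outside the hunk.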
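Review bot: In lib/floor1.c (hunk `@@ -170,6 +171,7 @@`) `count` is accumulated from `info->class_dim[info->partitionclass[j]]` with no upper bound visible in the hunk. If the post-list loop that follows (outside the hunk) uses `count` to decide how many entries it writes into a fixed-size array, a cap belongs right after the accumulation, with `goto err_out` when it is exceeded; the limit should be that array's declared capacity, which this page does not show. The new `rangebits<0` test appears to double as the check for a failed `info->mult` read, and a one-line comment saying so would help the next reader.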
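Review bot: In lib/info.c (hunk `@@ -239,8 +239,10 @@`) the `_ogg_calloc` results for `vc->user_comments` and `vc->comment_lengths` are still used without a NULL test, and `vc->vendor` is handed to `_v_readstring` the same way. The new `>>2` bound keeps the request proportional to the packet size, but the allocation can still fail; `if(!vc->user_comments || !vc->comment_lengths)goto err_out;` after the two calls would close that, provided `err_out` copes with partially built state (it is outside the hunk). The same unchecked pattern is visible for `ci->book_param[i]` in the hunk at `-269` and `ci->mode_param[i]` in the hunk at `-319`. A short comment on the `>>2` line explaining why the remaining byte count is divided by four (presumably each comment needs at least a 32-bit length field) would also be worth adding.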
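Review bot: In lib/info.c (hunk `@@ -269,7 +271,7 @@`) `ci->book_param[i]` is indexed up to `ci->books-1` with only the new lower-bound test; the upper bound comes solely from the 8-bit field width (at most 256 after the `+1`). That is safe only if `book_param` is a fixed array of at least that size, and its declaration is not on this page. Since the commit deletes the commented-out allocation that hinted at this, a replacement comment such as `/* 8 bits + 1 never exceeds the size of book_param[] */` would record the dependency. The same applies to `floors`, `residues`, `maps` and `modes` (6-bit fields) in the hunks at `-286`, `-297`, `-308` and `-319`.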
@@ -278,6 +280,7 @@
 /* time backend settings; hooks are unused */
 {
 int times=oggpack_read(opb,6)+1;
+ if(times<=0)goto err_out;
 for(i=0;i<times;i++){
 int test=oggpack_read(opb,16);
 if(test<0 || test>=VI_TIMEB)goto err_out;
@@ -286,8 +289,7 @@
 /* floor backend settings */
 ci->floors=oggpack_read(opb,6)+1;
- /*ci->floor_type=_ogg_malloc(ci->floors*sizeof(*ci->floor_type));*/
- /*ci->floor_param=_ogg_calloc(ci->floors,sizeof(void *));*/
+ if(ci->floors<=0)goto err_out;
 for(i=0;i<ci->floors;i++){
 ci->floor_type[i]=oggpack_read(opb,16);
 if(ci->floor_type[i]<0 || ci->floor_type[i]>=VI_FLOORB)goto err_out;
@@ -297,8 +299,7 @@
 /* residue backend settings */
 ci->residues=oggpack_read(opb,6)+1;
- /*ci->residue_type=_ogg_malloc(ci->residues*sizeof(*ci->residue_type));*/
- /*ci->residue_param=_ogg_calloc(ci->residues,sizeof(void *));*/
+ if(ci->residues<=0)goto err_out;
 for(i=0;i<ci->residues;i++){
 ci->residue_type[i]=oggpack_read(opb,16);
 if(ci->residue_type[i]<0 || ci->residue_type[i]>=VI_RESB)goto err_out;
@@ -308,8 +309,7 @@
 /* map backend settings */
 ci->maps=oggpack_read(opb,6)+1;
- /*ci->map_type=_ogg_malloc(ci->maps*sizeof(*ci->map_type));*/
- /*ci->map_param=_ogg_calloc(ci->maps,sizeof(void *));*/
+ if(ci->maps<=0)goto err_out;
 for(i=0;i<ci->maps;i++){
 ci->map_type[i]=oggpack_read(opb,16);
 if(ci->map_type[i]<0 || ci->map_type[i]>=VI_MAPB)goto err_out;
@@ -319,7 +319,7 @@
 /* mode settings */
 ci->modes=oggpack_read(opb,6)+1;
- /*vi->mode_param=_ogg_calloc(vi->modes,sizeof(void *));*/
+ if(ci->modes<=0)goto err_out;
 for(i=0;i<ci->modes;i++){
 ci->mode_param[i]=_ogg_calloc(1,sizeof(*ci->mode_param[i]));
 ci->mode_param[i]->blockflag=oggpack_read(opb,1);
@@ -330,6 +330,7 @@
 if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;
 if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;
 if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;
+ if(ci->mode_param[i]->mapping<0)goto err_out;
 }
 if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */
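Review bot: In lib/info.c (hunk `@@ -330,6 +330,7 @@`) the sign test for `mapping` is added as a separate statement after the upper-bound test, whereas the loops above use one combined condition (`test<0 || test>=VI_TIMEB`). Writing it as `if(ci->mode_param[i]->mapping<0 || ci->mode_param[i]->mapping>=ci->maps)goto err_out;` would keep the file uniform. `windowtype` and `transformtype` still carry only the `>=VI_WINDOWB` half, so a failed read of either is presumably caught only indirectly by the later checks; adding `<0` to both would make each test self-contained. The loop body starts outside the hunk.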
--- a/lib/mapping0.c
+++ b/lib/mapping0.c
@@ -100,19 +100,24 @@
 /* also responsible for range checking */
 static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb){
- int i;
+ int i,b;
 vorbis_info_mapping0 *info=_ogg_calloc(1,sizeof(*info));
 codec_setup_info *ci=vi->codec_setup;
 memset(info,0,sizeof(*info));
- if(oggpack_read(opb,1))
+ b=oggpack_read(opb,1);
+ if(b<0)goto err_out;
+ if(b){
 info->submaps=oggpack_read(opb,4)+1;
- else
+ if(info->submaps<=0)goto err_out;
+ }else
 info->submaps=1;
- if(oggpack_read(opb,1)){
+ b=oggpack_read(opb,1);
+ if(b<0)goto err_out;
+ if(b){
 info->coupling_steps=oggpack_read(opb,8)+1;
-
+ if(info->coupling_steps<=0)goto err_out;
 for(i=0;i<info->coupling_steps;i++){
 int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
 int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -126,20 +131,20 @@
 }
- if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */
+ if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
 if(info->submaps>1){
 for(i=0;i<vi->channels;i++){
 info->chmuxlist[i]=oggpack_read(opb,4);
- if(info->chmuxlist[i]>=info->submaps)goto err_out;
+ if(info->chmuxlist[i]>=info->submaps || info->chmuxlist[i]<0)goto err_out;
 }
 }
 for(i=0;i<info->submaps;i++){
 oggpack_read(opb,8); /* time submap unused */
 info->floorsubmap[i]=oggpack_read(opb,8);
- if(info->floorsubmap[i]>=ci->floors)goto err_out;
+ if(info->floorsubmap[i]>=ci->floors || info->floorsubmap[i]<0)goto err_out;
 info->residuesubmap[i]=oggpack_read(opb,8);
- if(info->residuesubmap[i]>=ci->residues)goto err_out;
+ if(info->residuesubmap[i]>=ci->residues || info->residuesubmap[i]<0)goto err_out;
 }
 return info;
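Review bot: In lib/mapping0.c (hunk `@@ -100,19 +100,24 @@`) the rewritten submaps branch is braced on the `if` side but not on the `else` side: `}else` is followed by a bare `info->submaps=1;`. Bracing both, `}else{` / `info->submaps=1;` / `}`, avoids the half-braced form, which is easy to misread when another statement is added later. Separately, `info` goes from `_ogg_calloc` straight into `memset` with no NULL test; `if(!info)return NULL;` before the `memset` would cover allocation failure, assuming callers already treat a NULL return as an unpack error. The function continues past the end of the hunk.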
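Review bot: In lib/mapping0.c (hunk `@@ -126,20 +131,20 @@`) the comment on the reserved-field test is stale: with `!=0` the line now rejects every non-zero value of the 2-bit field as well as the -1 returned on a failed read, but it still says `/* 2,3:reserved */`. Something like `/* reserved field must be 0; -1 means end of packet */` would describe the new condition. In the same hunk the result of `oggpack_read(opb,8)` for the unused time submap is still discarded, which is fine only because the `floorsubmap` test that follows catches a failed read; a short note to that effect would help. The function starts before this hunk.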