Hi, here's the final patch I used in Ubuntu. This includes fixes for
CVE-2007-3106 as well.
--
Kees Cook @outflux.net
Index: libvorbis-1.1.2.dfsg/lib/floor1.c
===================================================================
--- libvorbis-1.1.2.dfsg.orig/lib/floor1.c 2007-08-15 14:04:50.000000000 -0700
+++ libvorbis-1.1.2.dfsg/lib/floor1.c 2007-08-15 16:26:17.000000000 -0700
@@ -358,7 +358,7 @@
0.82788260F, 0.88168307F, 0.9389798F, 1.F,
};
-static void render_line(int x0,int x1,int y0,int y1,float *d){
+static void render_line(int n, int x0,int x1,int y0,int y1,float *d){
int dy=y1-y0;
int adx=x1-x0;
int ady=abs(dy);
@@ -370,8 +370,12 @@
ady-=abs(base*adx);
+ if(n>x1)n=x1;
+
+ if(x<n)
d[x]*=FLOOR1_fromdB_LOOKUP[y];
- while(++x<x1){
+
+ while(++x<n){
err=err+ady;
if(err>=adx){
err-=adx;
@@ -1068,7 +1072,7 @@
hy*=info->mult;
hx=info->postlist[current];
- render_line(lx,hx,ly,hy,out);
+ render_line(n,lx,hx,ly,hy,out);
lx=hx;
ly=hy;
Index: libvorbis-1.1.2.dfsg/lib/res0.c
===================================================================
--- libvorbis-1.1.2.dfsg.orig/lib/res0.c 2007-08-15 14:04:50.000000000 -0700
+++ libvorbis-1.1.2.dfsg/lib/res0.c 2007-08-15 16:26:17.000000000 -0700
@@ -512,7 +512,7 @@
#ifdef TRAIN_RES
for(i=0;i<ch;i++)
- for(j=info->begin;j<info->end;j++){
+ for(j=info->begin;j<end;j++){
if(in[i][j]>look->tmax)look->tmax=in[i][j];
if(in[i][j]<look->tmin)look->tmin=in[i][j];
}
@@ -617,8 +617,11 @@
/* move all this setup out later */
int samples_per_partition=info->grouping;
int partitions_per_word=look->phrasebook->dim;
- int n=info->end-info->begin;
+ int max=vb->pcmend>>1;
+ int end=(info->end<max?info->end:max);
+ int n=end-info->begin;
+ if(n>0){
int partvals=n/samples_per_partition;
int partwords=(partvals+partitions_per_word-1)/partitions_per_word;
int ***partword=alloca(ch*sizeof(*partword));
@@ -655,7 +658,7 @@
}
}
}
-
+ }
errout:
eopbreak:
return(0);
@@ -833,8 +836,11 @@
/* move all this setup out later */
int samples_per_partition=info->grouping;
int partitions_per_word=look->phrasebook->dim;
- int n=info->end-info->begin;
+ int max=(vb->pcmend*ch)>>1;
+ int end=(info->end<max?info->end:max);
+ int n=end-info->begin;
+ if(n>0){
int partvals=n/samples_per_partition;
int partwords=(partvals+partitions_per_word-1)/partitions_per_word;
int **partword=_vorbis_block_alloc(vb,partwords*sizeof(*partword));
@@ -867,7 +873,7 @@
}
}
}
-
+ }
errout:
eopbreak:
return(0);
Index: libvorbis-1.1.2.dfsg/lib/info.c
===================================================================
--- libvorbis-1.1.2.dfsg.orig/lib/info.c 2007-08-15 16:26:18.000000000 -0700
+++ libvorbis-1.1.2.dfsg/lib/info.c 2007-08-15 16:27:27.000000000 -0700
@@ -162,14 +162,23 @@
if(ci->mode_param[i])_ogg_free(ci->mode_param[i]);
for(i=0;i<ci->maps;i++) /* unpack does the range checking */
- _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
+ if(ci->map_param[i]) /* this may be cleaning up an aborted
+ unpack, in which case the below type
+ cannot be trusted */
+ _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
for(i=0;i<ci->floors;i++) /* unpack does the range checking */
- _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
+ if(ci->floor_param[i]) /* this may be cleaning up an aborted
+ unpack, in which case the below type
+ cannot be trusted */
+ _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
for(i=0;i<ci->residues;i++) /* unpack does the range checking */
- _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
-
+ if(ci->residue_param[i]) /* this may be cleaning up an aborted
+ unpack, in which case the below type
+ cannot be trusted */
+ _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
+
for(i=0;i<ci->books;i++){
if(ci->book_param[i]){
/* knows if the book was not alloced */
