rpms/libvorbis/F-10 r16182-CVE-2009-2663.patch, NONE, 1.1 libvorbis.spec, 1.32, 1.33

Sun Aug 9 06:09:16 UTC 2009

Author: jnovy

Update of /cvs/pkgs/rpms/libvorbis/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16319

Modified Files:
	libvorbis.spec 
Added Files:
	r16182-CVE-2009-2663.patch 
Log Message:
* Sun Aug  9 2009 Jindrich Novy <jnovy at redhat.com> 1.2.0-6
- fix CVE-2009-2663 (#516259)


r16182-CVE-2009-2663.patch:
 floor1.c |   18 ++++++++++++++----
 res0.c   |    4 +++-
 2 files changed, 17 insertions(+), 5 deletions(-)

--- NEW FILE r16182-CVE-2009-2663.patch ---
diff -up libvorbis-1.2.0/lib/floor1.c.r16182-CVE-2009-2663 libvorbis-1.2.0/lib/floor1.c
--- libvorbis-1.2.0/lib/floor1.c.r16182-CVE-2009-2663	2007-07-24 02:09:47.000000000 +0200
+++ libvorbis-1.2.0/lib/floor1.c	2009-08-08 21:11:18.000000000 +0200
@@ -138,6 +138,9 @@ static void floor1_pack (vorbis_info_flo
   }
 }
 
+static int icomp(const void *a,const void *b){
+  return(**(int **)a-**(int **)b);
+}
 
 static vorbis_info_floor *floor1_unpack (vorbis_info *vi,oggpack_buffer *opb){
   codec_setup_info     *ci=vi->codec_setup;
@@ -182,6 +185,17 @@ static vorbis_info_floor *floor1_unpack 
   info->postlist[0]=0;
   info->postlist[1]=1<<rangebits;
 
+  /* don't allow repeated values in post list as they'd result in
+     zero-length segments */
+  { 
+    int *sortpointer[VIF_POSIT+2];
+    for(j=0;j<count+2;j++)sortpointer[j]=info->postlist+j;
+    qsort(sortpointer,count+2,sizeof(*sortpointer),icomp);
+
+    for(j=1;j<count+2;j++)
+      if(*sortpointer[j-1]==*sortpointer[j])goto err_out;
+  }
+
   return(info);
   
  err_out:
@@ -189,10 +203,6 @@ static vorbis_info_floor *floor1_unpack 
   return(NULL);
 }
 
-static int icomp(const void *a,const void *b){
-  return(**(int **)a-**(int **)b);
-}
-
 static vorbis_look_floor *floor1_look(vorbis_dsp_state *vd,
 				      vorbis_info_floor *in){
 
diff -up libvorbis-1.2.0/lib/res0.c.r16182-CVE-2009-2663 libvorbis-1.2.0/lib/res0.c
--- libvorbis-1.2.0/lib/res0.c.r16182-CVE-2009-2663	2009-08-08 21:07:23.000000000 +0200
+++ libvorbis-1.2.0/lib/res0.c	2009-08-08 21:07:23.000000000 +0200
@@ -220,8 +220,10 @@ vorbis_info_residue *res0_unpack(vorbis_
     info->booklist[j]=oggpack_read(opb,8);
 
   if(info->groupbook>=ci->books)goto errout;
-  for(j=0;j<acc;j++)
+  for(j=0;j<acc;j++){
     if(info->booklist[j]>=ci->books)goto errout;
+    if(ci->book_param[info->booklist[j]]->maptype==0)goto errout;
+  }
 
   /* verify the phrasebook is not specifying an impossible or
      inconsistent partitioning scheme. */


Index: libvorbis.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libvorbis/F-10/libvorbis.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -p -r1.32 -r1.33
--- libvorbis.spec	7 Sep 2008 14:55:05 -0000	1.32
+++ libvorbis.spec	9 Aug 2009 06:09:14 -0000	1.33
@@ -1,7 +1,7 @@
 Summary:	The Vorbis General Audio Compression Codec.
 Name:		libvorbis
 Version:	1.2.0
-Release: 	5%{?dist}
+Release: 	6%{?dist}
 Epoch:		1
 Group:		System Environment/Libraries
 License:	BSD
@@ -13,6 +13,7 @@ Patch2: r14598-CVE-2008-1420.patch
 Patch3: r14602-CVE-2008-1419.patch
 Patch4: r14602-CVE-2008-1423.patch
 Patch5: r14811.patch
+Patch6: r16182-CVE-2009-2663.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)	
 BuildRequires: 	libogg-devel >= 2:1.1
 
@@ -44,6 +45,7 @@ needed to develop applications with Ogg 
 %patch3 -p0 -b .r14602-CVE-2008-1419
 %patch4 -p0 -b .r14602-CVE-2008-1423
 %patch5 -p0 -b .r14811
+%patch6 -p1 -b .r16182-CVE-2009-2663
 perl -p -i -e "s/-O20/$RPM_OPT_FLAGS/" configure
 perl -p -i -e "s/-ffast-math//" configure
 # link to .pdf spec rather than ship redundant copy
@@ -91,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT
 %postun -p /sbin/ldconfig
 
 %changelog
+* Sun Aug  9 2009 Jindrich Novy <jnovy at redhat.com> 1.2.0-6
+- fix CVE-2009-2663 (#516259)
+
 * Sun Sep  7 2008 Hans de Goede <hdegoede at redhat.com> -1:1.2.0-5
 - Fix patch fuzz build failure
 


