diff options
Diffstat (limited to 'poky/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch')
-rw-r--r-- | poky/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/poky/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/poky/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch deleted file mode 100644 index 6d4052a87..000000000 --- a/poky/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001 -From: Thomas Daede <daede003@umn.edu> -Date: Thu, 15 Mar 2018 14:15:31 -0700 -Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook - decoding. - -Codebooks that are not an exact divisor of the partition size are now -truncated to fit within the partition. - -Upstream-Status: Backport -CVE: CVE-2018-5146 - -Reference to upstream patch: -https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f - -Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> ---- - lib/codebook.c | 48 ++++++++++-------------------------------------- - 1 file changed, 10 insertions(+), 38 deletions(-) - -diff --git a/lib/codebook.c b/lib/codebook.c -index 8b766e8..7022fd2 100644 ---- a/lib/codebook.c -+++ b/lib/codebook.c -@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){ - t[i] = book->valuelist+entry[i]*book->dim; - } - for(i=0,o=0;i<book->dim;i++,o+=step) -- for (j=0;j<step;j++) -+ for (j=0;o+j<n && j<step;j++) - a[o+j]+=t[j][i]; - } - return(0); -@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){ - int i,j,entry; - float *t; - -- if(book->dim>8){ -- for(i=0;i<n;){ -- entry = decode_packed_entry_number(book,b); -- if(entry==-1)return(-1); -- t = book->valuelist+entry*book->dim; -- for (j=0;j<book->dim;) -- a[i++]+=t[j++]; -- } -- }else{ -- for(i=0;i<n;){ -- entry = decode_packed_entry_number(book,b); -- if(entry==-1)return(-1); -- t = book->valuelist+entry*book->dim; -- j=0; -- switch((int)book->dim){ -- case 8: -- a[i++]+=t[j++]; -- case 7: -- a[i++]+=t[j++]; -- case 6: -- a[i++]+=t[j++]; -- case 5: -- a[i++]+=t[j++]; -- case 4: -- a[i++]+=t[j++]; -- case 3: -- a[i++]+=t[j++]; -- case 2: -- a[i++]+=t[j++]; -- case 1: -- a[i++]+=t[j++]; -- case 0: -- break; -- } -- } -+ for(i=0;i<n;){ -+ entry = decode_packed_entry_number(book,b); -+ if(entry==-1)return(-1); -+ t = book->valuelist+entry*book->dim; -+ for(j=0;i<n && j<book->dim;) -+ a[i++]+=t[j++]; - } - } - return(0); -@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch, - long i,j,entry; - int chptr=0; - if(book->used_entries>0){ -- for(i=offset/ch;i<(offset+n)/ch;){ -+ int m=(offset+n)/ch; -+ for(i=offset/ch;i<m;){ - entry = decode_packed_entry_number(book,b); - if(entry==-1)return(-1); - { - const float *t = book->valuelist+entry*book->dim; -- for (j=0;j<book->dim;j++){ -+ for (j=0;i<m && j<book->dim;j++){ - a[chptr++][i]+=t[j]; - if(chptr==ch){ - chptr=0; --- -2.16.2 - |