+++ /dev/null
-From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Tue, 31 Oct 2017 18:32:46 +0100
-Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
-
-Otherwise
-
- for(i=0;i<vi->channels;i++){
- /* the encoder setup assumes that all the modes used by any
- specific bitrate tweaking use the same floor */
- int submap=info->chmuxlist[i];
-
-overreads later in mapping0_forward since chmuxlist is a fixed array of
-256 elements max.
-
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- lib/info.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/info.c b/lib/info.c
-index fe759ed..7bc4ea4 100644
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
- oggpack_buffer opb;
- private_state *b=v->backend_state;
-
-- if(!b||vi->channels<=0){
-+ if(!b||vi->channels<=0||vi->channels>256){
- ret=OV_EFAULT;
- goto err_out;
- }
---
-2.11.0
-
+++ /dev/null
-From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Wed, 15 Nov 2017 18:22:59 +0100
-Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
- if not initialized
-
-If the number of channels is not within the allowed range
-we call oggback_writeclear altough it's not initialized yet.
-
-This fixes
-
- =23371== Invalid free() / delete / delete[] / realloc()
- ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
- ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
- ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
- ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
- ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
- ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
- ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
- ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
-
-as seen when using the testcase from CVE-2017-11333 with
-008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
-there before.
-
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- lib/info.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/info.c b/lib/info.c
-index 7bc4ea4..8d0b2ed 100644
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
- private_state *b=v->backend_state;
-
- if(!b||vi->channels<=0||vi->channels>256){
-+ b = NULL;
- ret=OV_EFAULT;
- goto err_out;
- }
---
-2.11.0
-
projects / buildroot.git / commitdiff