libvorbis-1.2.3: Address CVE-2009-3379

Fix handling of malformed Vorbis streams that would crash libvorbis.
CVE-2008-1420 (improved), CVE-2009-3379.

Patches are coming from FreeBSD.

6 files changed, 128 insertions, 1 deletions

diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h
new file mode 100644
index 0000000000..44da9d3107
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_backends.h
@@ -0,0 +1,11 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_backends.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/backends.h.orig	2009-11-24 21:46:47.000000000 +0100
++++ lib/backends.h	2009-11-24 21:46:47.000000000 +0100
+@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
+   /* first stage (lossless partitioning) */
+   int    grouping;         /* group n vectors per partition */
+   int    partitions;       /* possible codebooks for a partition */
++  int    partvals;         /* partitions ^ groupbook dim */
+   int    groupbook;        /* huffbook for partitioning */
+   int    secondstages[64]; /* expanded out to pointers in lookup */
+   int    booklist[512];    /* list of second stage books */
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c
new file mode 100644
index 0000000000..ed76a9edea
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_codebook.c
@@ -0,0 +1,11 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_codebook.c,v 1.3 2009/11/24 21:32:39 naddy Exp $
+--- lib/codebook.c.orig	2009-07-09 11:12:08.000000000 +0200
++++ lib/codebook.c	2009-11-24 21:46:47.000000000 +0100
+@@ -198,6 +198,7 @@ int vorbis_staticbook_unpack(oggpack_buf
+       for(i=0;i<s->entries;){
+         long num=oggpack_read(opb,_ilog(s->entries-i));
+         if(num==-1)goto _eofout;
++        if(length>32)goto _errout;
+         for(j=0;j<num && i<s->entries;j++,i++)
+           s->lengthlist[i]=length;
+         length++;
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h
new file mode 100644
index 0000000000..13bc016feb
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44.h
@@ -0,0 +1,30 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_modes_residue_44.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/modes/residue_44.h.orig	2009-07-09 11:12:08.000000000 +0200
++++ lib/modes/residue_44.h	2009-11-24 21:46:47.000000000 +0100
+@@ -22,7 +22,7 @@
+ /***** residue backends *********************************************/
+ 
+ static const vorbis_info_residue0 _residue_44_low={
+-  0,-1, -1, 9,-1,
++  0,-1, -1, 9,-1,-1,
+   /*  0     1     2     3     4     5     6     7  */
+   {0},
+   {-1},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_mid={
+-  0,-1, -1, 10,-1,
++  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8  */
+   {0},
+   {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_high={
+-  0,-1, -1, 10,-1,
++  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8  */
+   {0},
+   {-1},
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h
new file mode 100644
index 0000000000..4c0cb74ae1
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_modes_residue_44u.h
@@ -0,0 +1,30 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_modes_residue_44u.h,v 1.1 2009/11/24 21:32:39 naddy Exp $
+--- lib/modes/residue_44u.h.orig	2009-07-08 07:40:12.000000000 +0200
++++ lib/modes/residue_44u.h	2009-11-24 21:46:47.000000000 +0100
+@@ -23,7 +23,7 @@
+ 
+ 
+ static const vorbis_info_residue0 _residue_44_low_un={
+-  0,-1, -1, 8,-1,
++  0,-1, -1, 8,-1,-1,
+   {0},
+   {-1},
+   {  .5,  1.5,  1.5,  2.5,  2.5,  4.5, 28.5},
+@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _resid
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_mid_un={
+-  0,-1, -1, 10,-1,
++  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8     9 */
+   {0},
+   {-1},
+@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _resid
+ };
+ 
+ static const vorbis_info_residue0 _residue_44_hi_un={
+-  0,-1, -1, 10,-1,
++  0,-1, -1, 10,-1,-1,
+   /*  0     1     2     3     4     5     6     7     8     9 */
+   {0},
+   {-1},
diff --git a/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c
new file mode 100644
index 0000000000..910311b271
--- /dev/null
+++ b/recipes/libvorbis/libvorbis-1.2.3/patch-lib_res0.c
@@ -0,0 +1,40 @@
+$FreeBSD: ports/audio/libvorbis/files/patch-lib_res0.c,v 1.3 2009/11/24 21:32:39 naddy Exp $
+--- lib/res0.c.orig	2009-11-24 21:51:43.000000000 +0100
++++ lib/res0.c	2009-11-24 21:52:01.000000000 +0100
+@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_
+ 
+   /* verify the phrasebook is not specifying an impossible or
+      inconsistent partitioning scheme. */
++  /* modify the phrasebook ranging check from r16327; an early beta
++     encoder had a bug where it used an oversized phrasebook by
++     accident.  These files should continue to be playable, but don't
++     allow an exploit */
+   {
+     int entries = ci->book_param[info->groupbook]->entries;
+     int dim = ci->book_param[info->groupbook]->dim;
+@@ -247,6 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_
+       if(partvals > entries) goto errout;
+       dim--;
+     }
++    info->partvals = partvals;
+   }
+ 
+   return(info);
+@@ -667,7 +672,7 @@ static int _01inverse(vorbis_block *vb,v
+           for(j=0;j<ch;j++){
+             int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+ 
+-            if(temp==-1)goto eopbreak;
++            if(temp==-1 || temp>=info->partvals)goto eopbreak;
+             partword[j][l]=look->decodemap[temp];
+             if(partword[j][l]==NULL)goto errout;
+           }
+@@ -883,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis
+         if(s==0){
+           /* fetch the partition word */
+           int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
+-          if(temp==-1)goto eopbreak;
++          if(temp==-1 || temp>info->partvals)goto eopbreak;
+           partword[l]=look->decodemap[temp];
+           if(partword[l]==NULL)goto errout;
+         }
diff --git a/recipes/libvorbis/libvorbis_1.2.3.bb b/recipes/libvorbis/libvorbis_1.2.3.bb
index 1173809d48..87d4d3cab3 100644
--- a/recipes/libvorbis/libvorbis_1.2.3.bb
+++ b/recipes/libvorbis/libvorbis_1.2.3.bb
@@ -1,10 +1,15 @@
 
 require libvorbis.inc
 
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
 
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/libvorbis-${PV}.tar.gz \
 	   file://configure_powerpc-no-fixed-cpu.patch;patch=1 \
+	   file://patch-lib_backends.h;patch=1;pnum=0 \
+	   file://patch-lib_codebook.c;patch=1;pnum=0 \
+	   file://patch-lib_modes_residue_44.h;patch=1;pnum=0 \
+	   file://patch-lib_modes_residue_44u.h;patch=1;pnum=0 \
+	   file://patch-lib_res0.c;patch=1;pnum=0 \
 	  "
 
 # override should be handeld by pkgconfig now