--- /dev/null
+From 562307a4a7082e24553f3d2c55dab397a17c4b4f Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 15 Mar 2018 21:47:09 -0700
+Subject: [PATCH] Prevent out-of-bounds write in codebook decoding.
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+---
+ codebook.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/codebook.c b/codebook.c
+index f8b7983..1e1ae8a 100644
+--- a/codebook.c
++++ b/codebook.c
+@@ -258,7 +258,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i]>>shift;
+ }else{
+ for (i = 0; i < step; i++) {
+@@ -267,7 +267,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i]<<-shift;
+ }
+ }
+@@ -287,7 +287,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
++ for (j=0;i<n && j<book->dim;)
+ a[i++]+=t[j++]>>shift;
+ }
+ }else{
+@@ -295,7 +295,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
++ for (j=0;i<n && j<book->dim;)
+ a[i++]+=t[j++]<<-shift;
+ }
+ }
+@@ -352,15 +352,15 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
+ long i,j,entry;
+ int chptr=0;
+ int shift=point-book->binarypoint;
+-
++ int m=offset+n;
+ if(shift>=0){
+
+- for(i=offset;i<offset+n;){
++ for(i=offset;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const ogg_int32_t *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j]>>shift;
+ if(chptr==ch){
+ chptr=0;
+@@ -371,12 +371,12 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\
+ }
+ }else{
+
+- for(i=offset;i<offset+n;){
++ for(i=offset;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const ogg_int32_t *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j]<<-shift;
+ if(chptr==ch){
+ chptr=0;
+--
+2.11.0
+
--- /dev/null
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+# svn export http://svn.xiph.org/trunk/Tremor tremor-${PV}
+
+inherit autotools eutils ltprune multilib-minimal
+
+DESCRIPTION="A fixed-point version of the Ogg Vorbis decoder (also known as libvorbisidec)"
+HOMEPAGE="https://wiki.xiph.org/Tremor"
+SRC_URI="https://dev.gentoo.org/~ssuominen/${P}.tar.xz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="low-accuracy static-libs"
+
+RDEPEND=">=media-libs/libogg-1.3.0:=[${MULTILIB_USEDEP}]"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+DOCS=( "CHANGELOG" "README" )
+
+PATCHES=(
+ "${FILESDIR}"/${P}-out-of-bounds-write.patch
+)
+
+src_prepare() {
+ epatch "${PATCHES[@]}"
+
+ sed -i \
+ -e '/CFLAGS/s:-O2::' \
+ -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' \
+ configure.in || die
+
+ eautoreconf
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ $(use_enable static-libs static) \
+ $(use_enable low-accuracy)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ dohtml -r doc/*
+ prune_libtool_files
+}
projects / gentoo.git / commitdiff