[SCM] FFmpeg packaging branch, ubuntu.karmic, updated. debian/0.5+svn20090706-1ubuntu3-36-g3f9d596

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Thu Oct 15 07:34:01 UTC 2009


The following commit has been merged in the ubuntu.karmic branch:
commit 1ebc392eba00f4ba5a75b236a28893d5b7e2bee4
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Wed Oct 14 23:14:27 2009 +0200

    backport fixes for vorbis_dec

diff --git a/debian/patches/security/vorbis_dec/0001-Check-dimensions-against-0-too.patch b/debian/patches/security/vorbis_dec/0001-Check-dimensions-against-0-too.patch
new file mode 100644
index 0000000..f043c80
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0001-Check-dimensions-against-0-too.patch
@@ -0,0 +1,29 @@
+From 68cb8f3c6c3bde792c0e918a441be3ede478f8cc Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 08:35:29 +0000
+Subject: [PATCH 01/12] Check dimensions against 0 too.
+ 39_vorbis_zero_dims.patch from chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19976 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 00542b9..25cfb31 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -244,8 +244,8 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) {
+         }
+ 
+         codebook_setup->dimensions=get_bits(gb, 16);
+-        if (codebook_setup->dimensions>16) {
+-            av_log(vc->avccontext, AV_LOG_ERROR, " %"PRIdFAST16". Codebook's dimension is too large (%d). \n", cb, codebook_setup->dimensions);
++        if (codebook_setup->dimensions>16||codebook_setup->dimensions==0) {
++            av_log(vc->avccontext, AV_LOG_ERROR, " %"PRIdFAST16". Codebook's dimension is invalid (%d). \n", cb, codebook_setup->dimensions);
+             goto error;
+         }
+         entries=get_bits(gb, 24);
+-- 
+1.6.3.3
+
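Review bot: The new `dimensions==0` rejection carries no comment saying why zero is invalid, so a later reader may mistake it for an off-by-one and loosen it; the patch subject is the only hint. Suggest a comment above the `if`, e.g. `/* 0 is rejected as well as >16: dimensions is used further down as a divisor/loop bound — TODO confirm the exact use */`, with the hedge kept until that use is verified. The `entries` value read on the next line is not range-checked in this hunk; whether it is bounded further down is outside the view, as is the rest of vorbis_parse_setup_hdr_codebooks.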
diff --git a/debian/patches/security/vorbis_dec/0002-typo.patch b/debian/patches/security/vorbis_dec/0002-typo.patch
new file mode 100644
index 0000000..03045b0
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0002-typo.patch
@@ -0,0 +1,27 @@
+From 0a7e56db7441d14afa66d228de17c63d5b49f8e9 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:33:49 +0000
+Subject: [PATCH 02/12] = -> == typo.
+ 27_vorbis_residue_loop_error.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19982 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 25cfb31..532a060 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -1484,7 +1484,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
+         uint_fast8_t ch=0;
+ 
+         for(j=0;j<vc->audio_channels;++j) {
+-            if ((mapping->submaps==1) || (i=mapping->mux[j])) {
++            if ((mapping->submaps==1) || (i==mapping->mux[j])) {
+                 res_chan[j]=res_num;
+                 if (no_residue[j]) {
+                     do_not_decode[ch]=1;
+-- 
+1.6.3.3
+
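Review bot: With `=` turned into `==`, `i` is now read rather than assigned in this condition, so it must be initialized before the loop over `j`; that initialization (presumably an enclosing loop over submaps) and the rest of vorbis_parse_audio_packet are outside the hunk, so it is worth confirming `i` is in scope and set there. The old form made the branch unconditionally true whenever `mux[j]` was non-zero, so behaviour changes for multi-submap streams; a regression check against a multi-channel, multi-submap sample would make this backport verifiable.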
diff --git a/debian/patches/security/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch b/debian/patches/security/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
new file mode 100644
index 0000000..a82fc81
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
@@ -0,0 +1,34 @@
+From b8f5dcd9af3d9997143b42980aec5226f7bad677 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:40:33 +0000
+Subject: [PATCH 03/12] Sanity checks for magnitude and angle.
+ 26_vorbis_mag_angle_index.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19983 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 532a060..28417ee 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -697,7 +697,14 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) {
+             for(j=0;j<mapping_setup->coupling_steps;++j) {
+                 mapping_setup->magnitude[j]=get_bits(gb, ilog(vc->audio_channels-1));
+                 mapping_setup->angle[j]=get_bits(gb, ilog(vc->audio_channels-1));
+-                // FIXME: sanity checks
++                if (mapping_setup->magnitude[j]>=vc->audio_channels) {
++                    av_log(vc->avccontext, AV_LOG_ERROR, "magnitude channel %d out of range. \n", mapping_setup->magnitude[j]);
++                    return 1;
++                }
++                if (mapping_setup->angle[j]>=vc->audio_channels) {
++                    av_log(vc->avccontext, AV_LOG_ERROR, "angle channel %d out of range. \n", mapping_setup->angle[j]);
++                    return 1;
++                }
+             }
+         } else {
+             mapping_setup->coupling_steps=0;
+-- 
+1.6.3.3
+
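Review bot: The two new checks bound `magnitude[j]` and `angle[j]` by `audio_channels` but do not reject `magnitude[j]==angle[j]`, which the Vorbis I specification (as I recall it) treats as undecodable; if the coupling code downstream assumes the two differ, add `if (mapping_setup->magnitude[j]==mapping_setup->angle[j]) return 1;` alongside them, with the same av_log style. The enclosing loop body and vorbis_parse_setup_hdr_mappings continue outside the hunk.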
diff --git a/debian/patches/security/vorbis_dec/0004-Fix-book_idx-check.patch b/debian/patches/security/vorbis_dec/0004-Fix-book_idx-check.patch
new file mode 100644
index 0000000..2fcb199
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0004-Fix-book_idx-check.patch
@@ -0,0 +1,33 @@
+From a2dad711e92fbb83a2d79959bb67764d034a56e3 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 10:45:14 +0000
+Subject: [PATCH 04/12] Fix book_idx check.
+ 25_vorbis_floor0_index.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19984 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 28417ee..ce5a139 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -553,12 +553,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
+                 uint_fast8_t book_idx;
+                 for (idx=0;idx<floor_setup->data.t0.num_books;++idx) {
+                     book_idx=get_bits(gb, 8);
++                    if (book_idx>=vc->codebook_count)
++                        return 1;
+                     floor_setup->data.t0.book_list[idx]=book_idx;
+                     if (vc->codebooks[book_idx].dimensions > max_codebook_dim)
+                         max_codebook_dim=vc->codebooks[book_idx].dimensions;
+-
+-                    if (floor_setup->data.t0.book_list[idx]>vc->codebook_count)
+-                        return 1;
+                 }
+             }
+ 
+-- 
+1.6.3.3
+
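Review bot: The corrected `book_idx>=vc->codebook_count` check returns silently, whereas every other range check in this series reports the offending value via av_log; a stream rejected here gives no diagnostic. Suggest `av_log(vc->avccontext, AV_LOG_ERROR, "floor0 book index %d out of range.\n", book_idx);` before the `return 1;`. Moving the check ahead of the `vc->codebooks[book_idx]` read is the right fix for the original ordering; the enclosing function continues outside the hunk.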
diff --git a/debian/patches/security/vorbis_dec/0005-Check-classbook-value.patch b/debian/patches/security/vorbis_dec/0005-Check-classbook-value.patch
new file mode 100644
index 0000000..cd7f26d
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0005-Check-classbook-value.patch
@@ -0,0 +1,29 @@
+From 093a791b172df483199fe81ac59ffcdbb63bf6c7 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:02:31 +0000
+Subject: [PATCH 05/12] Check classbook value.
+ 11_vorbis_residue_book_index.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19989 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index ce5a139..2d5e610 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -630,6 +630,10 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
+         res_setup->partition_size=get_bits(gb, 24)+1;
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
++        if (res_setup->classbook>=vc->codebook_count) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "classbook value %d out of range. \n", res_setup->classbook);
++            return 1;
++        }
+ 
+         AV_DEBUG("    begin %d end %d part.size %d classif.s %d classbook %d \n", res_setup->begin, res_setup->end, res_setup->partition_size,
+           res_setup->classifications, res_setup->classbook);
+-- 
+1.6.3.3
+
diff --git a/debian/patches/security/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch b/debian/patches/security/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
new file mode 100644
index 0000000..39962ec
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
@@ -0,0 +1,43 @@
+From 6d7908b8de6d34b425e18c412c341ed34e4f1fe4 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:09:33 +0000
+Subject: [PATCH 06/12] Add checks for per-packet mode indexes and per-header mode mapping indexes.
+ 12_vorbis_mode_indexes.patch by chrome
+ maybe exploitable
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19990 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 2d5e610..ec305ba 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -793,7 +793,11 @@ static int vorbis_parse_setup_hdr_modes(vorbis_context *vc) {
+         mode_setup->blockflag=get_bits1(gb);
+         mode_setup->windowtype=get_bits(gb, 16); //FIXME check
+         mode_setup->transformtype=get_bits(gb, 16); //FIXME check
+-        mode_setup->mapping=get_bits(gb, 8); //FIXME check
++        mode_setup->mapping=get_bits(gb, 8);
++        if (mode_setup->mapping>=vc->mapping_count) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
++            return 1;
++        }
+ 
+         AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
+     }
+@@ -1450,6 +1454,10 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
+     } else {
+         mode_number=get_bits(gb, ilog(vc->mode_count-1));
+     }
++    if (mode_number>=vc->mode_count) {
++        av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
++        return -1;
++    }
+     vc->mode_number=mode_number;
+     mapping=&vc->mappings[vc->modes[mode_number].mapping];
+ 
+-- 
+1.6.3.3
+
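Review bot: The `//FIXME check` markers on `windowtype` and `transformtype` two lines above the new mapping check are left in place; the Vorbis I specification (as I recall it) requires both to be zero, so the same pattern used for `mapping` would close them: `if (mode_setup->windowtype || mode_setup->transformtype) { av_log(vc->avccontext, AV_LOG_ERROR, "window/transform type nonzero.\n"); return 1; }`. Whether any later code indexes by these values is outside the hunk, so this is a defensive check rather than a known defect. The second inner hunk's `mode_number` check uses `return -1` while the header check uses `return 1`, which patch 0010 in this series later reconciles.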
diff --git a/debian/patches/security/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch b/debian/patches/security/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
new file mode 100644
index 0000000..a63af1e
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
@@ -0,0 +1,44 @@
+From 8ff644b871f3afe9529e451d86efb2f08014b53b Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:17:54 +0000
+Subject: [PATCH 07/12] Check masterbook index and subclass book index.
+ 14_floor_masterbook_index.patch by chrome
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19991 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   14 ++++++++++++--
+ 1 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index ec305ba..3daba8f 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -487,13 +487,23 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
+                 AV_DEBUG(" %d floor %d class dim: %d subclasses %d \n", i, j, floor_setup->data.t1.class_dimensions[j], floor_setup->data.t1.class_subclasses[j]);
+ 
+                 if (floor_setup->data.t1.class_subclasses[j]) {
+-                    floor_setup->data.t1.class_masterbook[j]=get_bits(gb, 8);
++                    int bits=get_bits(gb, 8);
++                    if (bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "Masterbook index %d is out of range.\n", bits);
++                        return 1;
++                    }
++                    floor_setup->data.t1.class_masterbook[j]=bits;
+ 
+                     AV_DEBUG("   masterbook: %d \n", floor_setup->data.t1.class_masterbook[j]);
+                 }
+ 
+                 for(k=0;k<(1<<floor_setup->data.t1.class_subclasses[j]);++k) {
+-                    floor_setup->data.t1.subclass_books[j][k]=(int16_t)get_bits(gb, 8)-1;
++                    int16_t bits=get_bits(gb, 8)-1;
++                    if (bits!=-1 && bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "Subclass book index %d is out of range.\n", bits);
++                        return 1;
++                    }
++                    floor_setup->data.t1.subclass_books[j][k]=bits;
+ 
+                     AV_DEBUG("    book %d. : %d \n", k, floor_setup->data.t1.subclass_books[j][k]);
+                 }
+-- 
+1.6.3.3
+
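Review bot: `int16_t bits=get_bits(gb, 8)-1;` with the `bits!=-1` exemption encodes a sentinel without saying so: a raw value of 0 is stored as -1 meaning "no book". A one-line comment, e.g. `/* 0 on the wire means "unused" and is stored as -1; any other value must name a real codebook */`, would keep the next maintainer from "fixing" the exemption. The `!=-1` test must also stay first: if `codebook_count` is a wider unsigned type, -1 would promote to a large value in the `>=` comparison, and the short-circuit is what prevents that. The enclosing loops continue outside the hunk.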
diff --git a/debian/patches/security/vorbis_dec/0008-Check-res_setup-books.patch b/debian/patches/security/vorbis_dec/0008-Check-res_setup-books.patch
new file mode 100644
index 0000000..9429c34
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0008-Check-res_setup-books.patch
@@ -0,0 +1,32 @@
+From ecd690a24a440553e0ba587e13dc5b2ec279f0a8 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 12:24:21 +0000
+Subject: [PATCH 08/12] Check  res_setup->books.
+ 15_more_residue_book_indexes.patch by chrome.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19992 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 3daba8f..ca43e99 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -663,7 +663,12 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
+         for(j=0;j<res_setup->classifications;++j) {
+             for(k=0;k<8;++k) {
+                 if (cascade[j]&(1<<k)) {
+-                        res_setup->books[j][k]=get_bits(gb, 8);
++                    int bits=get_bits(gb, 8);
++                    if (bits>=vc->codebook_count) {
++                        av_log(vc->avccontext, AV_LOG_ERROR, "book value %d out of range. \n", bits);
++                        return 1;
++                    }
++                    res_setup->books[j][k]=bits;
+ 
+                     AV_DEBUG("     %d class casscade depth %d book: %d \n", j, k, res_setup->books[j][k]);
+ 
+-- 
+1.6.3.3
+
diff --git a/debian/patches/security/vorbis_dec/0009-Check-begin-end-partition_size.patch b/debian/patches/security/vorbis_dec/0009-Check-begin-end-partition_size.patch
new file mode 100644
index 0000000..79e62a4
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0009-Check-begin-end-partition_size.patch
@@ -0,0 +1,43 @@
+From d71f5b5b2b9f2e0ba2da67ca2c15b9bbb69ac1fc Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 13:08:48 +0000
+Subject: [PATCH 09/12] Check begin/end/partition_size.
+ 23_vorbis_sane_partition.patch by chrome.
+ Also this should be better documented but i prefer not to leave potential
+ security issues open due to missing documentation.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19996 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index ca43e99..ec3c561 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -37,6 +37,7 @@
+ #define V_NB_BITS 8
+ #define V_NB_BITS2 11
+ #define V_MAX_VLCS (1<<16)
++#define V_MAX_PARTITIONS (1<<20)
+ 
+ #ifndef V_DEBUG
+ #define AV_DEBUG(...)
+@@ -638,6 +639,14 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
+         res_setup->begin=get_bits(gb, 24);
+         res_setup->end=get_bits(gb, 24);
+         res_setup->partition_size=get_bits(gb, 24)+1;
++        /* Validations to prevent a buffer overflow later. */
++        if (res_setup->begin>res_setup->end
++        || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
++        || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
++            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
++            return 1;
++        }
++
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
+         if (res_setup->classbook>=vc->codebook_count) {
+-- 
+1.6.3.3
+
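Review bot: The error message prints `vc->blocksize[1]/2` as the blocksize regardless of `type`, while the bound actually enforced is `vc->blocksize[1]/(res_setup->type==2?1:2)`, so for type-2 residues the log understates the limit by half; passing that same expression as the last av_log argument would make the diagnostic accurate (patch 0012 later reformats this line and keeps the `/2`). The three sub-conditions are undocumented beyond the generic comment; a short note naming what each protects (`begin<=end`, `end` within the largest block, partition count capped by V_MAX_PARTITIONS) would make the later buffer sizing easier to audit. `partition_size` is `get_bits(...)+1`, so the division cannot be by zero. The enclosing function continues outside the hunk.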
diff --git a/debian/patches/security/vorbis_dec/0010-Make-error-return-sign-consistent.patch b/debian/patches/security/vorbis_dec/0010-Make-error-return-sign-consistent.patch
new file mode 100644
index 0000000..a3961aa
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0010-Make-error-return-sign-consistent.patch
@@ -0,0 +1,251 @@
+From 213d02328757c6b212ac6d4bb7ec23f70080fb25 Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 13:18:29 +0000
+Subject: [PATCH 10/12] Make error return sign consistent.
+
+edited by siretart at tauware.de to apply to 0.5
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19997 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   60 +++++++++++++++++++++++-----------------------
+ 1 files changed, 30 insertions(+), 30 deletions(-)
+
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -418,7 +418,7 @@ static int vorbis_parse_setup_hdr_codebo
+ error:
+     av_free(tmp_vlc_bits);
+     av_free(tmp_vlc_codes);
+-    return 1;
++    return -1;
+ }
+ 
+ // Process time domain transforms part (unused in Vorbis I)
+@@ -435,7 +435,7 @@ static int vorbis_parse_setup_hdr_tdtran
+ 
+         if (vorbis_tdtransform) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis time domain transform data nonzero. \n");
+-            return 1;
++            return -1;
+         }
+     }
+     return 0;
+@@ -496,7 +496,7 @@ static int vorbis_parse_setup_hdr_floors
+                     int bits=get_bits(gb, 8);
+                     if (bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "Masterbook index %d is out of range.\n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     floor_setup->data.t1.class_masterbook[j]=bits;
+ 
+@@ -507,7 +507,7 @@ static int vorbis_parse_setup_hdr_floors
+                     int16_t bits=get_bits(gb, 8)-1;
+                     if (bits!=-1 && bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "Subclass book index %d is out of range.\n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     floor_setup->data.t1.subclass_books[j][k]=bits;
+ 
+@@ -554,7 +554,7 @@ static int vorbis_parse_setup_hdr_floors
+             if (floor_setup->data.t0.amplitude_bits == 0) {
+               av_log(vc->avccontext, AV_LOG_ERROR,
+                      "Floor 0 amplitude bits is 0.\n");
+-              return 1;
++              return -1;
+             }
+             floor_setup->data.t0.amplitude_offset=get_bits(gb, 8);
+             floor_setup->data.t0.num_books=get_bits(gb, 4)+1;
+@@ -562,7 +562,7 @@ static int vorbis_parse_setup_hdr_floors
+             /* allocate mem for booklist */
+             floor_setup->data.t0.book_list=
+                 av_malloc(floor_setup->data.t0.num_books);
+-            if(!floor_setup->data.t0.book_list) { return 1; }
++            if(!floor_setup->data.t0.book_list) { return -1; }
+             /* read book indexes */
+             {
+                 int idx;
+@@ -570,7 +570,7 @@ static int vorbis_parse_setup_hdr_floors
+                 for (idx=0;idx<floor_setup->data.t0.num_books;++idx) {
+                     book_idx=get_bits(gb, 8);
+                     if (book_idx>=vc->codebook_count)
+-                        return 1;
++                        return -1;
+                     floor_setup->data.t0.book_list[idx]=book_idx;
+                     if (vc->codebooks[book_idx].dimensions > max_codebook_dim)
+                         max_codebook_dim=vc->codebooks[book_idx].dimensions;
+@@ -586,7 +586,7 @@ static int vorbis_parse_setup_hdr_floors
+                 floor_setup->data.t0.lsp=
+                     av_malloc((floor_setup->data.t0.order+1 + max_codebook_dim)
+                               * sizeof(float));
+-                if(!floor_setup->data.t0.lsp) { return 1; }
++                if(!floor_setup->data.t0.lsp) { return -1; }
+             }
+ 
+ #ifdef V_DEBUG /* debug output parsed headers */
+@@ -614,7 +614,7 @@ static int vorbis_parse_setup_hdr_floors
+         }
+         else {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Invalid floor type!\n");
+-            return 1;
++            return -1;
+         }
+     }
+     return 0;
+@@ -649,14 +649,14 @@ static int vorbis_parse_setup_hdr_residu
+         || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+         || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+-            return 1;
++            return -1;
+         }
+ 
+         res_setup->classifications=get_bits(gb, 6)+1;
+         res_setup->classbook=get_bits(gb, 8);
+         if (res_setup->classbook>=vc->codebook_count) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "classbook value %d out of range. \n", res_setup->classbook);
+-            return 1;
++            return -1;
+         }
+ 
+         AV_DEBUG("    begin %d end %d part.size %d classif.s %d classbook %d \n", res_setup->begin, res_setup->end, res_setup->partition_size,
+@@ -680,7 +680,7 @@ static int vorbis_parse_setup_hdr_residu
+                     int bits=get_bits(gb, 8);
+                     if (bits>=vc->codebook_count) {
+                         av_log(vc->avccontext, AV_LOG_ERROR, "book value %d out of range. \n", bits);
+-                        return 1;
++                        return -1;
+                     }
+                     res_setup->books[j][k]=bits;
+ 
+@@ -714,7 +714,7 @@ static int vorbis_parse_setup_hdr_mappin
+ 
+         if (get_bits(gb, 16)) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "Other mappings than type 0 are not compliant with the Vorbis I specification. \n");
+-            return 1;
++            return -1;
+         }
+         if (get_bits1(gb)) {
+             mapping_setup->submaps=get_bits(gb, 4)+1;
+@@ -731,11 +731,11 @@ static int vorbis_parse_setup_hdr_mappin
+                 mapping_setup->angle[j]=get_bits(gb, ilog(vc->audio_channels-1));
+                 if (mapping_setup->magnitude[j]>=vc->audio_channels) {
+                     av_log(vc->avccontext, AV_LOG_ERROR, "magnitude channel %d out of range. \n", mapping_setup->magnitude[j]);
+-                    return 1;
++                    return -1;
+                 }
+                 if (mapping_setup->angle[j]>=vc->audio_channels) {
+                     av_log(vc->avccontext, AV_LOG_ERROR, "angle channel %d out of range. \n", mapping_setup->angle[j]);
+-                    return 1;
++                    return -1;
+                 }
+             }
+         } else {
+@@ -746,7 +746,7 @@ static int vorbis_parse_setup_hdr_mappin
+ 
+         if(get_bits(gb, 2)) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "%d. mapping setup data invalid. \n", i);
+-            return 1; // following spec.
++            return -1; // following spec.
+         }
+ 
+         if (mapping_setup->submaps>1) {
+@@ -825,7 +825,7 @@ static int vorbis_parse_setup_hdr_modes(
+         mode_setup->mapping=get_bits(gb, 8);
+         if (mode_setup->mapping>=vc->mapping_count) {
+             av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
+-            return 1;
++            return -1;
+         }
+ 
+         AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
+@@ -842,36 +842,36 @@ static int vorbis_parse_setup_hdr(vorbis
+     (get_bits(gb, 8)!='r') || (get_bits(gb, 8)!='b') ||
+     (get_bits(gb, 8)!='i') || (get_bits(gb, 8)!='s')) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (no vorbis signature). \n");
+-        return 1;
++        return -1;
+     }
+ 
+     if (vorbis_parse_setup_hdr_codebooks(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (codebooks). \n");
+-        return 2;
++        return -2;
+     }
+     if (vorbis_parse_setup_hdr_tdtransforms(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (time domain transforms). \n");
+-        return 3;
++        return -3;
+     }
+     if (vorbis_parse_setup_hdr_floors(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (floors). \n");
+-        return 4;
++        return -4;
+     }
+     if (vorbis_parse_setup_hdr_residues(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (residues). \n");
+-        return 5;
++        return -5;
+     }
+     if (vorbis_parse_setup_hdr_mappings(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (mappings). \n");
+-        return 6;
++        return -6;
+     }
+     if (vorbis_parse_setup_hdr_modes(vc)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (modes). \n");
+-        return 7;
++        return -7;
+     }
+     if (!get_bits1(gb)) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis setup header packet corrupt (framing flag). \n");
+-        return 8; // framing flag bit unset error
++        return -8; // framing flag bit unset error
+     }
+ 
+     return 0;
+@@ -887,7 +887,7 @@ static int vorbis_parse_id_hdr(vorbis_co
+     (get_bits(gb, 8)!='r') || (get_bits(gb, 8)!='b') ||
+     (get_bits(gb, 8)!='i') || (get_bits(gb, 8)!='s')) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (no vorbis signature). \n");
+-        return 1;
++        return -1;
+     }
+ 
+     vc->version=get_bits_long(gb, 32);    //FIXME check 0
+@@ -902,14 +902,14 @@ static int vorbis_parse_id_hdr(vorbis_co
+     vc->blocksize[1]=(1<<bl1);
+     if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
+-        return 3;
++        return -3;
+     }
+     // output format int16
+     if (vc->blocksize[1]/2 * vc->audio_channels * 2 >
+                                              AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+         av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+                "output packets too large.\n");
+-        return 4;
++        return -4;
+     }
+     vc->win[0]=ff_vorbis_vwin[bl0-6];
+     vc->win[1]=ff_vorbis_vwin[bl1-6];
+@@ -926,7 +926,7 @@ static int vorbis_parse_id_hdr(vorbis_co
+ 
+     if ((get_bits1(gb)) == 0) {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (framing flag not set). \n");
+-        return 2;
++        return -2;
+     }
+ 
+     vc->channel_residues= av_malloc((vc->blocksize[1]/2)*vc->audio_channels * sizeof(float));
+@@ -1415,7 +1415,7 @@ static inline int vorbis_residue_decode(
+         return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
+     else {
+         av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
+-        return 1;
++        return -1;
+     }
+ }
+ 
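Review bot: Flipping every error return from positive to negative is safe for the callers visible here, which all test `if (vorbis_parse_setup_hdr_xxx(vc))` for non-zero, but the callers of `vorbis_parse_setup_hdr` and `vorbis_parse_id_hdr` themselves (presumably in the decoder init path) are outside the hunk; if any of them compares the result with `> 0` or switches on the specific positive codes, this backport changes their behaviour, so that call site should be checked. This patch file has no `diff --git`/`index` header, only `---`/`+++`, which quilt accepts but means the offsets were hand-edited for 0.5 and carry no upstream blob ids to verify against. A one-line comment at the top of `vorbis_parse_setup_hdr`, e.g. `/* returns 0 on success, a negative code on a corrupt header */`, would document the new contract.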
diff --git a/debian/patches/security/vorbis_dec/0011-Check-submap-indexes.patch b/debian/patches/security/vorbis_dec/0011-Check-submap-indexes.patch
new file mode 100644
index 0000000..db75037
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0011-Check-submap-indexes.patch
@@ -0,0 +1,43 @@
+From c1fe0583d44a67f94047bd3e59f2b53f304db4ec Mon Sep 17 00:00:00 2001
+From: michael <michael at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 14:19:17 +0000
+Subject: [PATCH 11/12] Check submap indexes.
+ 10_vorbis_submap_indexes.patch by chrome.
+ Iam applying this even though reimar had some comments to improve it as it fixes
+ a serious security issue and i do not want to leave such things unfixed.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20001 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |   15 +++++++++++++--
+ 1 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index 2152f5f..ed4dace 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -752,9 +752,20 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) {
+         }
+ 
+         for(j=0;j<mapping_setup->submaps;++j) {
++            int bits;
+             skip_bits(gb, 8); // FIXME check?
+-            mapping_setup->submap_floor[j]=get_bits(gb, 8);
+-            mapping_setup->submap_residue[j]=get_bits(gb, 8);
++            bits=get_bits(gb, 8);
++            if (bits>=vc->floor_count) {
++                av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
++                return -1;
++            }
++            mapping_setup->submap_floor[j]=bits;
++            bits=get_bits(gb, 8);
++            if (bits>=vc->residue_count) {
++                av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
++                return -1;
++            }
++            mapping_setup->submap_residue[j]=bits;
+ 
+             AV_DEBUG("   %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
+         }
+-- 
+1.6.3.3
+
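Review bot: The `skip_bits(gb, 8); // FIXME check?` line kept above the new checks can be resolved rather than carried: as I recall the Vorbis I specification, this 8-bit field is an unused time-configuration placeholder that is read and discarded, so `// unused time-configuration placeholder per Vorbis I spec` would replace the FIXME (confirm against the spec before changing it). The two new range checks correctly gate the values before they are stored into `submap_floor`/`submap_residue`; they depend on `vc->floor_count` and `vc->residue_count` being final when mappings are parsed, and that parse order is outside this hunk.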
diff --git a/debian/patches/security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch b/debian/patches/security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
new file mode 100644
index 0000000..bc22352
--- /dev/null
+++ b/debian/patches/security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
@@ -0,0 +1,26 @@
+From c2ca1c6ee96c27ec872012dbc5a8b15fdb15eca9 Mon Sep 17 00:00:00 2001
+From: reimar <reimar at 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
+Date: Wed, 23 Sep 2009 15:30:38 +0000
+Subject: [PATCH 12/12] Fix format string to match the types printed.
+
+git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20003 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
+---
+ libavcodec/vorbis_dec.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
+index ed4dace..4d992a8 100644
+--- a/libavcodec/vorbis_dec.c
++++ b/libavcodec/vorbis_dec.c
+@@ -643,7 +643,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
+         if (res_setup->begin>res_setup->end
+         || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+         || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+-            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
++            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32", %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+             return -1;
+         }
+ 
+-- 
+1.6.3.3
+
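Review bot: The new conversions use the signed `PRIdFAST16`/`PRIdFAST32` macros for all five arguments; if `type`, `begin`, `end`, `partition_size` and `blocksize` are declared as `uint_fast16_t`/`uint_fast32_t` (their declarations are outside the hunk), `PRIuFAST16`/`PRIuFAST32` are the exact matches and avoid a signed/unsigned mismatch that `-Wformat` would still flag. If they are signed fast types the hunk is already correct and no change is needed.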
diff --git a/debian/patches/series b/debian/patches/series
index 450c1c5..b2c6ff0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,17 @@ neon/0018-Prepare-for-optimised-forward-MDCT-implementations.patch
 neon/0019-ARM-NEON-optimised-MDCT.patch
 neon/0020-ARM-remove-unnecessary-.fpu-neon-directives.patch
 neon/0021-ARM-check-for-VFP-register-arguments.patch
+
+#vorbis_dec security backports
+security/vorbis_dec/0001-Check-dimensions-against-0-too.patch
+security/vorbis_dec/0002-typo.patch
+security/vorbis_dec/0003-Sanity-checks-for-magnitude-and-angle.patch
+security/vorbis_dec/0004-Fix-book_idx-check.patch
+security/vorbis_dec/0005-Check-classbook-value.patch
+security/vorbis_dec/0006-Add-checks-for-per-packet-mode-indexes-and-per-heade.patch
+security/vorbis_dec/0007-Check-masterbook-index-and-subclass-book-index.patch
+security/vorbis_dec/0008-Check-res_setup-books.patch
+security/vorbis_dec/0009-Check-begin-end-partition_size.patch
+security/vorbis_dec/0010-Make-error-return-sign-consistent.patch
+security/vorbis_dec/0011-Check-submap-indexes.patch
+security/vorbis_dec/0012-Fix-format-string-to-match-the-types-printed.patch
