1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
new file mode 100644
index 0000000000..4036b966fe
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
@@ -0,0 +1,62 @@
+From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+This fixes
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+Upstream-Status: Backport
+CVE: CVE-2017-14632
+Reference to upstream patch:
+https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
+Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/lib/info.c b/lib/info.c
+index 81b7557..4d82568 100644
+--- a/lib/info.c
+++ b/lib/info.c
+@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
+    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
+-- 
+2.16.2

diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch new file mode 100644 index 0000000000..4036b966fe --- /dev/null +++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
@@ -0,0 +1,62 @@
	1	From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
	3	Date: Wed, 15 Nov 2017 18:22:59 +0100
	4	Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
	5	if not initialized
	6
	7	If the number of channels is not within the allowed range
	8	we call oggback_writeclear altough it's not initialized yet.
	9
	10	This fixes
	11
	12	=23371== Invalid free() / delete / delete[] / realloc()
	13	==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
	14	==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
	15	==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
	16	==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
	17	==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
	18	==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
	19	==23371== by 0x10D82A: open_output_file (sox.c:1556)
	20	==23371== by 0x10D82A: process (sox.c:1753)
	21	==23371== by 0x10D82A: main (sox.c:3012)
	22	==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
	23	==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
	24	==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
	25	==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
	26	==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
	27	==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
	28	==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
	29	==23371== by 0x10D82A: open_output_file (sox.c:1556)
	30	==23371== by 0x10D82A: process (sox.c:1753)
	31	==23371== by 0x10D82A: main (sox.c:3012)
	32
	33	as seen when using the testcase from CVE-2017-11333 with
	34	008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
	35	there before.
	36
	37	Upstream-Status: Backport
	38	CVE: CVE-2017-14632
	39
	40	Reference to upstream patch:
	41	https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
	42
	43	Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
	44	---
	45	lib/info.c \| 1 +
	46	1 file changed, 1 insertion(+)
	47
	48	diff --git a/lib/info.c b/lib/info.c
	49	index 81b7557..4d82568 100644
	50	--- a/lib/info.c
	51	+++ b/lib/info.c
	52	@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
	53	private_state *b=v->backend_state;
	54
	55	if(!b\|\|vi->channels<=0\|\|vi->channels>256){
	56	+ b = NULL;
	57	ret=OV_EFAULT;
	58	goto err_out;
	59	}
	60	--
	61	2.16.2
	62