5 files changed, 13 insertions, 220 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch b/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch
index 7dad0cd8a5..b06029b98b 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch
@@ -1,4 +1,4 @@
-From 44b4511784f9b51c514dff4ceb3cbeaf9c374d08 Mon Sep 17 00:00:00 2001
+From d619ccf6c11ab574466914c57994a82fb99401af Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 22 Mar 2017 16:06:55 +0000
 Subject: [PATCH] configure: Check for clang
@@ -13,12 +13,12 @@ Upstream-Status: Pending
 1 file changed, 17 insertions(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
-index eddd02d..00ecba5 100644
+index 28b0a14..2d4e984 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -93,6 +93,16 @@ AC_ARG_ENABLE(examples,
+@@ -98,6 +98,16 @@ AC_ARG_ENABLE(examples,
-        
+ 
- AM_CONDITIONAL(BUILD_EXAMPLES, [test "x$enable_examples" = xyes]) 
+ AM_CONDITIONAL(BUILD_EXAMPLES, [test "x$enable_examples" = xyes])
 
 +AC_MSG_CHECKING([whether C compiler is clang])
 +$CC -x c /dev/null -dM -E > conftest.txt 2>&1
@@ -33,9 +33,9 @@ index eddd02d..00ecba5 100644
 dnl --------------------------------------------------
 dnl Set build flags based on environment
 dnl --------------------------------------------------
-@@ -127,10 +137,15 @@ else
+@@ -132,10 +142,15 @@ else
        AC_MSG_RESULT([$GCC_VERSION])
-        case $host in 
+        case $host in
        *86-*-linux*)
 +               if test "$CC_CLANG" = "1"; then
 +                       ieeefp=""
@@ -43,8 +43,8 @@ index eddd02d..00ecba5 100644
 +                       ieefp="-mno-ieee-fp"
 +               fi
                DEBUG="-g -Wall -Wextra -D_REENTRANT -D__NO_MATH_INLINES -fsigned-char"
-               CFLAGS="-O3 -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char"
+-               CFLAGS="-O3 -Wall -Wextra -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char"
-+               CFLAGS="-O3 -ffast-math -D_REENTRANT -fsigned-char ${ieefp}"
+               CFLAGS="-O3 -Wall -Wextra -ffast-math -D_REENTRANT -fsigned-char ${ieefp}"
 #                      PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -D_REENTRANT -fsigned-char -fno-inline -static"
 -               PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char -fno-inline"
 +               PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math ${ieefp} -D_REENTRANT -fsigned-char -fno-inline"
@@ -52,5 +52,5 @@ index eddd02d..00ecba5 100644
                # glibc < 2.1.3 has a serious FP bug in the math inline header
                # that will cripple Vorbis.  Look to see if the magic FP stack
 -- 
-1.8.3.1
+2.17.0
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
deleted file mode 100644
index 4036b966fe..0000000000
--- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Wed, 15 Nov 2017 18:22:59 +0100
-Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
- if not initialized
-If the number of channels is not within the allowed range
-we call oggback_writeclear altough it's not initialized yet.
-This fixes
-    =23371== Invalid free() / delete / delete[] / realloc()
-    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
-    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
-    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
-    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
-    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
-    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
-    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
-    ==23371==    by 0x10D82A: process (sox.c:1753)
-    ==23371==    by 0x10D82A: main (sox.c:3012)
-    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
-    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
-    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
-    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
-    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
-    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
-    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
-    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
-    ==23371==    by 0x10D82A: process (sox.c:1753)
-    ==23371==    by 0x10D82A: main (sox.c:3012)
-as seen when using the testcase from CVE-2017-11333 with
-008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
-there before.
-Upstream-Status: Backport
-CVE: CVE-2017-14632
-Reference to upstream patch:
-https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
-Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
- lib/info.c | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/lib/info.c b/lib/info.c
-index 81b7557..4d82568 100644
--- a/lib/info.c
-+++ b/lib/info.c
-@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
-   private_state *b=v->backend_state;
- 
-   if(!b||vi->channels<=0||vi->channels>256){
-+    b = NULL;
-     ret=OV_EFAULT;
-     goto err_out;
-   }
-- 
-2.16.2
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch
deleted file mode 100644
index 9c9e688d43..0000000000
--- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 07eda55f336e5c44dfc0e4a1e21628faed7255fa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Tue, 31 Oct 2017 18:32:46 +0100
-Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
-Otherwise
- for(i=0;i<vi->channels;i++){
-      /* the encoder setup assumes that all the modes used by any
-         specific bitrate tweaking use the same floor */
-      int submap=info->chmuxlist[i];
-overreads later in mapping0_forward since chmuxlist is a fixed array of
-256 elements max.
-Upstream-Status: Backport
-CVE: CVE-2017-14633
-Reference to upstream patch:
-https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
-Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
- lib/info.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/lib/info.c b/lib/info.c
-index e447a0c..81b7557 100644
--- a/lib/info.c
-+++ b/lib/info.c
-@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
-   oggpack_buffer opb;
-   private_state *b=v->backend_state;
- 
-  if(!b||vi->channels<=0){
-+  if(!b||vi->channels<=0||vi->channels>256){
-     ret=OV_EFAULT;
-     goto err_out;
-   }
-- 
-2.16.2
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
deleted file mode 100644
index 6d4052a872..0000000000
--- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001
-From: Thomas Daede <daede003@umn.edu>
-Date: Thu, 15 Mar 2018 14:15:31 -0700
-Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook
- decoding.
-Codebooks that are not an exact divisor of the partition size are now
-truncated to fit within the partition.
-Upstream-Status: Backport
-CVE: CVE-2018-5146
-Reference to upstream patch:
-https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
-Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
- lib/codebook.c | 48 ++++++++++--------------------------------------
- 1 file changed, 10 insertions(+), 38 deletions(-)
-diff --git a/lib/codebook.c b/lib/codebook.c
-index 8b766e8..7022fd2 100644
--- a/lib/codebook.c
-+++ b/lib/codebook.c
-@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
-       t[i] = book->valuelist+entry[i]*book->dim;
-     }
-     for(i=0,o=0;i<book->dim;i++,o+=step)
-      for (j=0;j<step;j++)
-+      for (j=0;o+j<n && j<step;j++)
-         a[o+j]+=t[j][i];
-   }
-   return(0);
-@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
-     int i,j,entry;
-     float *t;
- 
-    if(book->dim>8){
-      for(i=0;i<n;){
-        entry = decode_packed_entry_number(book,b);
-        if(entry==-1)return(-1);
-        t     = book->valuelist+entry*book->dim;
-        for (j=0;j<book->dim;)
-          a[i++]+=t[j++];
-      }
-    }else{
-      for(i=0;i<n;){
-        entry = decode_packed_entry_number(book,b);
-        if(entry==-1)return(-1);
-        t     = book->valuelist+entry*book->dim;
-        j=0;
-        switch((int)book->dim){
-        case 8:
-          a[i++]+=t[j++];
-        case 7:
-          a[i++]+=t[j++];
-        case 6:
-          a[i++]+=t[j++];
-        case 5:
-          a[i++]+=t[j++];
-        case 4:
-          a[i++]+=t[j++];
-        case 3:
-          a[i++]+=t[j++];
-        case 2:
-          a[i++]+=t[j++];
-        case 1:
-          a[i++]+=t[j++];
-        case 0:
-          break;
-        }
-      }
-+    for(i=0;i<n;){
-+      entry = decode_packed_entry_number(book,b);
-+      if(entry==-1)return(-1);
-+      t     = book->valuelist+entry*book->dim;
-+      for(j=0;i<n && j<book->dim;)
-+        a[i++]+=t[j++];
-     }
-   }
-   return(0);
-@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
-   long i,j,entry;
-   int chptr=0;
-   if(book->used_entries>0){
-    for(i=offset/ch;i<(offset+n)/ch;){
-+    int m=(offset+n)/ch;
-+    for(i=offset/ch;i<m;){
-       entry = decode_packed_entry_number(book,b);
-       if(entry==-1)return(-1);
-       {
-         const float *t = book->valuelist+entry*book->dim;
-        for (j=0;j<book->dim;j++){
-+        for (j=0;i<m && j<book->dim;j++){
-           a[chptr++][i]+=t[j];
-           if(chptr==ch){
-             chptr=0;
-- 
-2.16.2
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
index 20f887c252..bd46451612 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
@@ -6,17 +6,14 @@ HOMEPAGE = "http://www.vorbis.com/"
 BUGTRACKER = "https://trac.xiph.org"
 SECTION = "libs"
 LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=7d2c487d2fc7dd3e3c7c465a5b7f6217 \
+LIC_FILES_CHKSUM = "file://COPYING;md5=70c7063491d2d9f76a098d62ed5134f1 \
                    file://include/vorbis/vorbisenc.h;beginline=1;endline=11;md5=d1c1d138863d6315131193d4046d81cb"
 DEPENDS = "libogg"
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
           file://0001-configure-Check-for-clang.patch \
-           file://CVE-2017-14633.patch \
-           file://CVE-2017-14632.patch \
-           file://CVE-2018-5146.patch \
          "
-SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
+SRC_URI[md5sum] = "b7d1692f275c73e7833ed1cc2697cd65"
-SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
+SRC_URI[sha256sum] = "af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415"
 inherit autotools pkgconfig

diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch b/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch index 7dad0cd8a5..b06029b98b 100644 --- a/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch +++ b/meta/recipes-multimedia/libvorbis/libvorbis/0001-configure-Check-for-clang.patch
@@ -1,4 +1,4 @@
1	From 44b4511784f9b51c514dff4ceb3cbeaf9c374d08 Mon Sep 17 00:00:00 2001	1	From d619ccf6c11ab574466914c57994a82fb99401af Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>	2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Wed, 22 Mar 2017 16:06:55 +0000	3	Date: Wed, 22 Mar 2017 16:06:55 +0000
4	Subject: [PATCH] configure: Check for clang	4	Subject: [PATCH] configure: Check for clang
@@ -13,12 +13,12 @@ Upstream-Status: Pending
13	1 file changed, 17 insertions(+), 2 deletions(-)	13	1 file changed, 17 insertions(+), 2 deletions(-)
14		14
15	diff --git a/configure.ac b/configure.ac	15	diff --git a/configure.ac b/configure.ac
16	index eddd02d..00ecba5 100644	16	index 28b0a14..2d4e984 100644
17	--- a/configure.ac	17	--- a/configure.ac
18	+++ b/configure.ac	18	+++ b/configure.ac
19	@@ -93,6 +93,16 @@ AC_ARG_ENABLE(examples,	19	@@ -98,6 +98,16 @@ AC_ARG_ENABLE(examples,
20		20
21	AM_CONDITIONAL(BUILD_EXAMPLES, [test "x$enable_examples" = xyes])	21	AM_CONDITIONAL(BUILD_EXAMPLES, [test "x$enable_examples" = xyes])
22		22
23	+AC_MSG_CHECKING([whether C compiler is clang])	23	+AC_MSG_CHECKING([whether C compiler is clang])
24	+$CC -x c /dev/null -dM -E > conftest.txt 2>&1	24	+$CC -x c /dev/null -dM -E > conftest.txt 2>&1
@@ -33,9 +33,9 @@ index eddd02d..00ecba5 100644
33	dnl --------------------------------------------------	33	dnl --------------------------------------------------
34	dnl Set build flags based on environment	34	dnl Set build flags based on environment
35	dnl --------------------------------------------------	35	dnl --------------------------------------------------
36	@@ -127,10 +137,15 @@ else	36	@@ -132,10 +142,15 @@ else
37	AC_MSG_RESULT([$GCC_VERSION])	37	AC_MSG_RESULT([$GCC_VERSION])
38	case $host in	38	case $host in
39	86--linux*)	39	86--linux*)
40	+ if test "$CC_CLANG" = "1"; then	40	+ if test "$CC_CLANG" = "1"; then
41	+ ieeefp=""	41	+ ieeefp=""
@@ -43,8 +43,8 @@ index eddd02d..00ecba5 100644
43	+ ieefp="-mno-ieee-fp"	43	+ ieefp="-mno-ieee-fp"
44	+ fi	44	+ fi
45	DEBUG="-g -Wall -Wextra -D_REENTRANT -D__NO_MATH_INLINES -fsigned-char"	45	DEBUG="-g -Wall -Wextra -D_REENTRANT -D__NO_MATH_INLINES -fsigned-char"
46	- CFLAGS="-O3 -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char"	46	- CFLAGS="-O3 -Wall -Wextra -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char"
47	+ CFLAGS="-O3 -ffast-math -D_REENTRANT -fsigned-char ${ieefp}"	47	+ CFLAGS="-O3 -Wall -Wextra -ffast-math -D_REENTRANT -fsigned-char ${ieefp}"
48	# PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -D_REENTRANT -fsigned-char -fno-inline -static"	48	# PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -D_REENTRANT -fsigned-char -fno-inline -static"
49	- PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char -fno-inline"	49	- PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math -mno-ieee-fp -D_REENTRANT -fsigned-char -fno-inline"
50	+ PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math ${ieefp} -D_REENTRANT -fsigned-char -fno-inline"	50	+ PROFILE="-Wall -Wextra -pg -g -O3 -ffast-math ${ieefp} -D_REENTRANT -fsigned-char -fno-inline"
@@ -52,5 +52,5 @@ index eddd02d..00ecba5 100644
52	# glibc < 2.1.3 has a serious FP bug in the math inline header	52	# glibc < 2.1.3 has a serious FP bug in the math inline header
53	# that will cripple Vorbis. Look to see if the magic FP stack	53	# that will cripple Vorbis. Look to see if the magic FP stack
54	--	54	--
55	1.8.3.1	55	2.17.0
56		56


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch deleted file mode 100644 index 4036b966fe..0000000000 --- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch +++ /dev/null
@@ -1,62 +0,0 @@
1	From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
3	Date: Wed, 15 Nov 2017 18:22:59 +0100
4	Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
5	if not initialized
6
7	If the number of channels is not within the allowed range
8	we call oggback_writeclear altough it's not initialized yet.
9
10	This fixes
11
12	=23371== Invalid free() / delete / delete[] / realloc()
13	==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
14	==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
15	==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
16	==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
17	==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
18	==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
19	==23371== by 0x10D82A: open_output_file (sox.c:1556)
20	==23371== by 0x10D82A: process (sox.c:1753)
21	==23371== by 0x10D82A: main (sox.c:3012)
22	==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
23	==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
24	==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
25	==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
26	==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
27	==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
28	==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
29	==23371== by 0x10D82A: open_output_file (sox.c:1556)
30	==23371== by 0x10D82A: process (sox.c:1753)
31	==23371== by 0x10D82A: main (sox.c:3012)
32
33	as seen when using the testcase from CVE-2017-11333 with
34	008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
35	there before.
36
37	Upstream-Status: Backport
38	CVE: CVE-2017-14632
39
40	Reference to upstream patch:
41	https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
42
43	Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
44	---
45	lib/info.c \| 1 +
46	1 file changed, 1 insertion(+)
47
48	diff --git a/lib/info.c b/lib/info.c
49	index 81b7557..4d82568 100644
50	--- a/lib/info.c
51	+++ b/lib/info.c
52	@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
53	private_state *b=v->backend_state;
54
55	if(!b\|\|vi->channels<=0\|\|vi->channels>256){
56	+ b = NULL;
57	ret=OV_EFAULT;
58	goto err_out;
59	}
60	--
61	2.16.2
62


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch deleted file mode 100644 index 9c9e688d43..0000000000 --- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch +++ /dev/null
@@ -1,42 +0,0 @@
1	From 07eda55f336e5c44dfc0e4a1e21628faed7255fa Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
3	Date: Tue, 31 Oct 2017 18:32:46 +0100
4	Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
5
6	Otherwise
7
8	for(i=0;i<vi->channels;i++){
9	/* the encoder setup assumes that all the modes used by any
10	specific bitrate tweaking use the same floor */
11	int submap=info->chmuxlist[i];
12
13	overreads later in mapping0_forward since chmuxlist is a fixed array of
14	256 elements max.
15
16	Upstream-Status: Backport
17	CVE: CVE-2017-14633
18
19	Reference to upstream patch:
20	https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
21
22	Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
23	---
24	lib/info.c \| 2 +-
25	1 file changed, 1 insertion(+), 1 deletion(-)
26
27	diff --git a/lib/info.c b/lib/info.c
28	index e447a0c..81b7557 100644
29	--- a/lib/info.c
30	+++ b/lib/info.c
31	@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
32	oggpack_buffer opb;
33	private_state *b=v->backend_state;
34
35	- if(!b\|\|vi->channels<=0){
36	+ if(!b\|\|vi->channels<=0\|\|vi->channels>256){
37	ret=OV_EFAULT;
38	goto err_out;
39	}
40	--
41	2.16.2
42


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch deleted file mode 100644 index 6d4052a872..0000000000 --- a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch +++ /dev/null
@@ -1,100 +0,0 @@
1	From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001
2	From: Thomas Daede <daede003@umn.edu>
3	Date: Thu, 15 Mar 2018 14:15:31 -0700
4	Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook
5	decoding.
6
7	Codebooks that are not an exact divisor of the partition size are now
8	truncated to fit within the partition.
9
10	Upstream-Status: Backport
11	CVE: CVE-2018-5146
12
13	Reference to upstream patch:
14	https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
15
16	Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
17	---
18	lib/codebook.c \| 48 ++++++++++--------------------------------------
19	1 file changed, 10 insertions(+), 38 deletions(-)
20
21	diff --git a/lib/codebook.c b/lib/codebook.c
22	index 8b766e8..7022fd2 100644
23	--- a/lib/codebook.c
24	+++ b/lib/codebook.c
25	@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook book,float a,oggpack_buffer *b,int n){
26	t[i] = book->valuelist+entry[i]*book->dim;
27	}
28	for(i=0,o=0;i<book->dim;i++,o+=step)
29	- for (j=0;j<step;j++)
30	+ for (j=0;o+j<n && j<step;j++)
31	a[o+j]+=t[j][i];
32	}
33	return(0);
34	@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook book,float a,oggpack_buffer *b,int n){
35	int i,j,entry;
36	float *t;
37
38	- if(book->dim>8){
39	- for(i=0;i<n;){
40	- entry = decode_packed_entry_number(book,b);
41	- if(entry==-1)return(-1);
42	- t = book->valuelist+entry*book->dim;
43	- for (j=0;j<book->dim;)
44	- a[i++]+=t[j++];
45	- }
46	- }else{
47	- for(i=0;i<n;){
48	- entry = decode_packed_entry_number(book,b);
49	- if(entry==-1)return(-1);
50	- t = book->valuelist+entry*book->dim;
51	- j=0;
52	- switch((int)book->dim){
53	- case 8:
54	- a[i++]+=t[j++];
55	- case 7:
56	- a[i++]+=t[j++];
57	- case 6:
58	- a[i++]+=t[j++];
59	- case 5:
60	- a[i++]+=t[j++];
61	- case 4:
62	- a[i++]+=t[j++];
63	- case 3:
64	- a[i++]+=t[j++];
65	- case 2:
66	- a[i++]+=t[j++];
67	- case 1:
68	- a[i++]+=t[j++];
69	- case 0:
70	- break;
71	- }
72	- }
73	+ for(i=0;i<n;){
74	+ entry = decode_packed_entry_number(book,b);
75	+ if(entry==-1)return(-1);
76	+ t = book->valuelist+entry*book->dim;
77	+ for(j=0;i<n && j<book->dim;)
78	+ a[i++]+=t[j++];
79	}
80	}
81	return(0);
82	@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook book,float *a,long offset,int ch,
83	long i,j,entry;
84	int chptr=0;
85	if(book->used_entries>0){
86	- for(i=offset/ch;i<(offset+n)/ch;){
87	+ int m=(offset+n)/ch;
88	+ for(i=offset/ch;i<m;){
89	entry = decode_packed_entry_number(book,b);
90	if(entry==-1)return(-1);
91	{
92	const float t = book->valuelist+entrybook->dim;
93	- for (j=0;j<book->dim;j++){
94	+ for (j=0;i<m && j<book->dim;j++){
95	a[chptr++][i]+=t[j];
96	if(chptr==ch){
97	chptr=0;
98	--
99	2.16.2
100


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb index 20f887c252..bd46451612 100644 --- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb +++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
@@ -6,17 +6,14 @@ HOMEPAGE = "http://www.vorbis.com/"
6	BUGTRACKER = "https://trac.xiph.org"	6	BUGTRACKER = "https://trac.xiph.org"
7	SECTION = "libs"	7	SECTION = "libs"
8	LICENSE = "BSD"	8	LICENSE = "BSD"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=7d2c487d2fc7dd3e3c7c465a5b7f6217 \	9	LIC_FILES_CHKSUM = "file://COPYING;md5=70c7063491d2d9f76a098d62ed5134f1 \
10	file://include/vorbis/vorbisenc.h;beginline=1;endline=11;md5=d1c1d138863d6315131193d4046d81cb"	10	file://include/vorbis/vorbisenc.h;beginline=1;endline=11;md5=d1c1d138863d6315131193d4046d81cb"
11	DEPENDS = "libogg"	11	DEPENDS = "libogg"
12		12
13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \	13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
14	file://0001-configure-Check-for-clang.patch \	14	file://0001-configure-Check-for-clang.patch \
15	file://CVE-2017-14633.patch \
16	file://CVE-2017-14632.patch \
17	file://CVE-2018-5146.patch \
18	"	15	"
19	SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"	16	SRC_URI[md5sum] = "b7d1692f275c73e7833ed1cc2697cd65"
20	SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"	17	SRC_URI[sha256sum] = "af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415"
21		18
22	inherit autotools pkgconfig	19	inherit autotools pkgconfig