From: Kang Kai <Kai.Kang@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [meta-multimedia][PATCH] vorbis-tools: fix CVE-2015-6749
Date: Fri, 16 Oct 2015 13:02:50 +0800 [thread overview]
Message-ID: <562084FA.3080905@windriver.com> (raw)
In-Reply-To: <1444965782-22372-1-git-send-email-kai.kang@windriver.com>
On 2015年10月16日 11:23, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Backport patch to fix CVE-2015-6749 from:
>
> https://trac.xiph.org/ticket/2212
Forgot layer info. Add it to title.
--Kai
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> ...oggenc-Fix-large-alloca-on-bad-AIFF-input.patch | 49 ++++++++++++++++++++++
> .../vorbis-tools/vorbis-tools_1.4.0.bb | 4 +-
> 2 files changed, 52 insertions(+), 1 deletion(-)
> create mode 100644 meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
>
> diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
> new file mode 100644
> index 0000000..b623dbf
> --- /dev/null
> +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
> @@ -0,0 +1,49 @@
> +Upstream-Status: Backport
> +
> +Backport patch to fix CVE-2015-6749 from:
> +
> +https://trac.xiph.org/ticket/2212
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +---
> +From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
> +From: Mark Harris <mark.hsj@gmail.com>
> +Date: Sun, 30 Aug 2015 05:54:46 -0700
> +Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
> +
> +Fixes #2212
> +---
> + oggenc/audio.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/oggenc/audio.c b/oggenc/audio.c
> +index 477da8c..4921fb9 100644
> +--- a/oggenc/audio.c
> ++++ b/oggenc/audio.c
> +@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
> + int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
> + {
> + int aifc; /* AIFC or AIFF? */
> +- unsigned int len;
> +- unsigned char *buffer;
> ++ unsigned int len, readlen;
> ++ unsigned char buffer[22];
> + unsigned char buf2[8];
> + aiff_fmt format;
> + aifffile *aiff = malloc(sizeof(aifffile));
> +@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
> + return 0; /* Weird common chunk */
> + }
> +
> +- buffer = alloca(len);
> +-
> +- if(fread(buffer,1,len,in) < len)
> ++ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
> ++ if(fread(buffer,1,readlen,in) < readlen ||
> ++ (len > readlen && !seek_forward(in, len-readlen)))
> + {
> + fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
> + return 0;
> +--
> +2.5.0
> +
> diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
> index a35dee6..2683555 100644
> --- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
> +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
> @@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
>
> DEPENDS = "libogg libvorbis curl libao"
>
> -SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz"
> +SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
> + file://0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch \
> + "
>
> SRC_URI[md5sum] = "567e0fb8d321b2cd7124f8208b8b90e6"
> SRC_URI[sha256sum] = "a389395baa43f8e5a796c99daf62397e435a7e73531c9f44d9084055a05d22bc"
--
Regards,
Neil | Kai Kang
prev parent reply other threads:[~2015-10-16 5:02 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-16 3:23 [PATCH] vorbis-tools: fix CVE-2015-6749 kai.kang
2015-10-16 5:02 ` Kang Kai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=562084FA.3080905@windriver.com \
--to=kai.kang@windriver.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.