Bug 438125
Summary: | vorbis: multiple issues in ogg vorbis and tremor | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | cmontgom, jnovy, security-response-team, zprikryl
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2008-06-19 13:00:07 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 440700, 440706, 440709, 444443 | |
Bug Blocks: | | |
Description
Tomas Hoger
2008-03-19 09:40:53 UTC
Here are the fixes according to Monty:

- r14604: check for / reject impossibly large codebook requests; protects against the case of overflowing a 32 bit integer and requesting a negative heap allocation.
- r14602: reject nonsensical 0-dimension codebooks. Prevents a divide by zero crash.
- r14598, r14600: Prevent heap overflows caused by dim=bignum and partition_codewords = partition_values^dim. partition_codewords is actually overdetermined; in the case of inconsistency, mark stream undecodable. Protects against the case of overflowing a 32 bit integer and requesting a negative heap allocation.

The revisions refer to the xiph subversion repository: http://svn.xiph.org/

Monty also says we want revision 14502: "It just checked to see if the declared string lengths (vorbis comments are length coded) are longer than the actual comment packet."

All individual issues are resolved now, closing this bug as well.
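The three classes of check described in the comment above, written out as an added illustration in C (this is not libvorbis's or Tremor's own code; the function names, the `declared` parameter and the use of 32-bit unsigned arithmetic are assumptions made for the example):

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative checks modelled on the fixes the bug comment describes.
 * Sizes are kept in 32-bit unsigned arithmetic, matching the 32-bit
 * overflow case the report is about. Names are hypothetical. */

/* r14602-style check: a 0-dimension codebook is nonsensical and dim is
 * later used as a divisor, so reject it instead of dividing by zero. */
int codebook_dim_ok(uint32_t dim) {
    return dim != 0;
}

/* r14604-style check: the byte count for `entries` codewords of `dim`
 * values of `elem` bytes each must not wrap around 32 bits; a wrapped
 * value would turn into a tiny or "negative" heap allocation request. */
int codebook_alloc_size(uint32_t entries, uint32_t dim, uint32_t elem,
                        uint32_t *bytes) {
    uint32_t count;
    if (entries == 0 || dim == 0 || elem == 0) return 0;
    if (entries > UINT32_MAX / dim) return 0;       /* entries*dim wraps */
    count = entries * dim;
    if (count > UINT32_MAX / elem) return 0;        /* count*elem wraps */
    if (bytes) *bytes = count * elem;
    return 1;
}

/* r14598/r14600-style check: partition_codewords is partition_values^dim,
 * so recompute it by repeated multiplication with an overflow test at each
 * step and compare with the value the stream declares. An overflow or a
 * mismatch means the stream is inconsistent and must be marked undecodable. */
int partition_codewords_ok(uint32_t partition_values, uint32_t dim,
                           uint32_t declared, uint32_t *computed) {
    uint32_t acc = 1, i;
    if (dim == 0) return 0;
    for (i = 0; i < dim; i++) {
        if (partition_values != 0 && acc > UINT32_MAX / partition_values)
            return 0;                               /* product would overflow */
        acc *= partition_values;
    }
    if (computed) *computed = acc;
    return acc == declared;
}
```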