Fedora Account System
Red Hat Associate
Red Hat Customer
Will Drewry of the Google Security Team reported an issue in OGG Vorbis library, that can cause an integer overflow leading to possible heap overflow.
Upstream patch: $ svn log -r 14598 http://svn.xiph.org/trunk/vorbis/ ------------------------------------------------------------------------ r14598 | xiphmont | 2008-03-18 16:39:43 +0100 (Tue, 18 Mar 2008) | 6 lines Add code to prevent heap attacks by exploiting dim=bignum and partition_codewords = partion_values^dim. partition_codewords is actually overdetermined; in the case of inconsistency, mark stream undecodable. ------------------------------------------------------------------------ $ svn diff -r 14597:14600 http://svn.xiph.org/trunk/vorbis/lib Index: misc.h =================================================================== --- misc.h (revision 14597) +++ misc.h (revision 14600) @@ -29,6 +29,7 @@ #ifdef DEBUG_MALLOC #define _VDBG_GRAPHFILE "malloc.m" +#undef _VDBG_GRAPHFILE extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line); extern void _VDBG_free(void *ptr,char *file,long line); Index: res0.c =================================================================== --- res0.c (revision 14597) +++ res0.c (revision 14600) @@ -223,6 +223,20 @@ for(j=0;j<acc;j++) if(info->booklist[j]>=ci->books)goto errout; + /* verify the phrasebook is not specifying an impossible or + inconsistent partitioning scheme. */ + { + int entries = ci->book_param[info->groupbook]->entries; + int dim = ci->book_param[info->groupbook]->dim; + int partvals = 1; + while(dim>0){ + partvals *= info->partitions; + if(partvals > entries) goto errout; + dim--; + } + if(partvals != entries) goto errout; + } + return(info); errout: res0_free_info(info); @@ -263,7 +277,7 @@ } } - look->partvals=rint(pow((float)look->parts,(float)dim)); + look->partvals=look->phrasebook->entries; look->stages=maxstage; look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap)); for(j=0;j<look->partvals;j++){ Index: misc.c =================================================================== --- misc.c (revision 14597) +++ misc.c (revision 14600) @@ -190,7 +190,10 @@ pthread_mutex_unlock(&memlock); } -extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){ +void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){ + if(bytes<=0) + fprintf(stderr,"bad malloc request (%ld bytes) from %s:%ld\n",bytes,file,line); + bytes+=HEAD_ALIGN; if(ptr){ ptr-=HEAD_ALIGN; @@ -203,7 +206,7 @@ return _insert(ptr,bytes,file,line); } -extern void _VDBG_free(void *ptr,char *file,long line){ +void _VDBG_free(void *ptr,char *file,long line){ if(ptr){ ptr-=HEAD_ALIGN; _ripremove(ptr);
https://trac.xiph.org/changeset/14598 https://trac.xiph.org/changeset/14600
Lifting embargo.
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0271.html http://rhn.redhat.com/errata/RHSA-2008-0270.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3898 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3934 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3910