Will Drewry of the Google Security Team reported an issue in the Ogg Vorbis library that can cause an integer overflow leading to a possible heap overflow.
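An added illustration of the overflow described above and of the bound-before-multiply validation the upstream fix introduces; this is not code from the bug report or from libvorbis, and the function names (`naive_partvals`, `checked_partvals`) and the sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape of the computation: partition_values^dim evaluated in
 * 32-bit arithmetic with no check, so a large dim wraps the product.
 * A wrapped (tiny) partvals then undersizes the decodemap allocation
 * while later loops still index by the intended count. */
uint32_t naive_partvals(uint32_t partitions, int dim)
{
    uint32_t partvals = 1;
    while (dim-- > 0)
        partvals *= partitions;   /* unchecked multiply: may wrap to a small value */
    return partvals;
}

/* Check mirroring the upstream fix: partvals may never exceed the
 * codebook's entry count on the way up and must equal it at the end.
 * The bound is tested before each multiply so the product itself cannot
 * overflow. Returns partvals, or -1 when the header is inconsistent. */
int checked_partvals(int entries, int partitions, int dim)
{
    int partvals = 1;
    if (entries <= 0 || partitions <= 0 || dim < 0)
        return -1;
    while (dim > 0) {
        if (partitions > entries / partvals)   /* would exceed entries: reject */
            return -1;
        partvals *= partitions;
        dim--;
    }
    return partvals == entries ? partvals : -1;
}

int main(void)
{
    uint32_t wrapped = naive_partvals(16, 8);   /* 16^8 = 2^32 wraps to 0 */
    printf("naive 16^8: %u -> allocation of %zu bytes\n",
           (unsigned)wrapped, (size_t)wrapped * sizeof(int));
    printf("checked 4^3 against 64 entries: %d\n", checked_partvals(64, 4, 3));
    printf("checked 16^8 against 64 entries: %d\n", checked_partvals(64, 16, 8));
    return 0;
}
```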
Upstream patch: $ svn log -r 14598 http://svn.xiph.org/trunk/vorbis/ ------------------------------------------------------------------------ r14598 | xiphmont | 2008-03-18 16:39:43 +0100 (Tue, 18 Mar 2008) | 6 lines Add code to prevent heap attacks by exploiting dim=bignum and partition_codewords = partion_values^dim. partition_codewords is actually overdetermined; in the case of inconsistency, mark stream undecodable. ------------------------------------------------------------------------ $ svn diff -r 14597:14600 http://svn.xiph.org/trunk/vorbis/lib Index: misc.h =================================================================== --- misc.h (revision 14597) +++ misc.h (revision 14600) @@ -29,6 +29,7 @@ #ifdef DEBUG_MALLOC #define _VDBG_GRAPHFILE "malloc.m" +#undef _VDBG_GRAPHFILE extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line); extern void _VDBG_free(void *ptr,char *file,long line); Index: res0.c =================================================================== --- res0.c (revision 14597) +++ res0.c (revision 14600) @@ -223,6 +223,20 @@ for(j=0;j<acc;j++) if(info->booklist[j]>=ci->books)goto errout; + /* verify the phrasebook is not specifying an impossible or + inconsistent partitioning scheme. */ + { + int entries = ci->book_param[info->groupbook]->entries; + int dim = ci->book_param[info->groupbook]->dim; + int partvals = 1; + while(dim>0){ + partvals *= info->partitions; + if(partvals > entries) goto errout; + dim--; + } + if(partvals != entries) goto errout; + } + return(info); errout: res0_free_info(info); @@ -263,7 +277,7 @@ } } - look->partvals=rint(pow((float)look->parts,(float)dim)); + look->partvals=look->phrasebook->entries; look->stages=maxstage; look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap)); for(j=0;j<look->partvals;j++){ Index: misc.c =================================================================== --- misc.c (revision 14597) +++ misc.c (revision 14600) 
@@ -190,7 +190,10 @@ pthread_mutex_unlock(&memlock); } -extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){ +void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){ + if(bytes<=0) + fprintf(stderr,"bad malloc request (%ld bytes) from %s:%ld\n",bytes,file,line); + bytes+=HEAD_ALIGN; if(ptr){ ptr-=HEAD_ALIGN; @@ -203,7 +206,7 @@ return _insert(ptr,bytes,file,line); } -extern void _VDBG_free(void *ptr,char *file,long line){ +void _VDBG_free(void *ptr,char *file,long line){ if(ptr){ ptr-=HEAD_ALIGN; _ripremove(ptr);
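Review bot: in the misc.h hunk, the added `#undef _VDBG_GRAPHFILE` immediately after `#define _VDBG_GRAPHFILE "malloc.m"` leaves a define that is dead on arrival and reads like a leftover debugging toggle rather than an intended change; if the graph-file output is meant to be off, delete or comment out the define with a note saying why, instead of defining and undefining it on consecutive lines.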
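Review bot: in the first res0.c hunk, `partvals *= info->partitions;` executes before the `if(partvals > entries) goto errout;` test, so the multiply itself can still wrap when `entries * info->partitions` exceeds INT_MAX; the hunk is safe only if `info->partitions` is bounded elsewhere, which is not visible here. Testing the bound before multiplying removes that dependency, e.g. `if(info->partitions > entries/partvals) goto errout;`. The comment could also record the two edge cases the logic relies on: a zero `info->partitions` collapses partvals to 0 and is rejected only by the final `partvals != entries` test, and `dim == 0` is accepted only when `entries == 1`.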
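Review bot: in the second res0.c hunk, replacing `rint(pow((float)look->parts,(float)dim))` with `look->phrasebook->entries` is correct only because the check added in the earlier res0.c hunk guarantees that entries equals partitions raised to dim; a one-line comment here stating that invariant would tell a future reader why the exponentiation disappeared and make clear that the two hunks must not be reverted independently. Dropping the float `pow` also removes a precision hazard for large values, which is worth mentioning in the commit message alongside the overflow fix.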
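Review bot: in the misc.c `_VDBG_malloc` hunk, the new `if(bytes<=0)` only prints to stderr and then proceeds with `bytes+=HEAD_ALIGN;` and the allocation; a non-positive request is exactly the symptom of the wrap this patch targets, so in a debug allocator it would be more useful to `abort()` (or at least return NULL) after the message so the fault is stopped at its source rather than logged and allowed through. Removing `extern` from the function definitions is fine, since the declarations stay in misc.h.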
https://trac.xiph.org/changeset/14598 https://trac.xiph.org/changeset/14600
Lifting embargo.
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0271.html
http://rhn.redhat.com/errata/RHSA-2008-0270.html
Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3898
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3934
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3910