Will Drewry of the Google Security Team reported an issue in the OGG Vorbis library that can cause an integer overflow in the computation of quantvals and of the space required for quantlist, leading to a heap overflow. A check for the overflow was added in the fix. Files are rejected if the total virtual space of the codebook exceeds 24 bits.
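The bit-width test from the description, as an added example (not code from libvorbis or from this report). It assumes the space computation multiplies dim by entries in 32-bit arithmetic; `bit_length`, `codebook_size_ok`, `product32`, `product64` and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Number of bits needed to represent v (0 when v == 0). */
static int bit_length(uint32_t v) {
    int n = 0;
    while (v) { n++; v >>= 1; }
    return n;
}

/* Same shape as the check in the fix: accept only when the bit lengths
 * of dim and entries sum to at most 24. In that case dim * entries is
 * below 2^24, so the product (and a small per-element multiple of it)
 * still fits in 32 bits. */
static int codebook_size_ok(uint32_t dim, uint32_t entries) {
    return bit_length(dim) + bit_length(entries) <= 24;
}

/* The product as a 32-bit computation sees it (wraps modulo 2^32). */
static uint32_t product32(uint32_t dim, uint32_t entries) {
    return (uint32_t)((uint64_t)dim * entries);
}

/* The true product, computed in 64 bits. */
static uint64_t product64(uint32_t dim, uint32_t entries) {
    return (uint64_t)dim * entries;
}

int main(void) {
    /* Constructed sample headers: {dim, entries}. */
    const uint32_t samples[][2] = {
        {8, 1u << 19},       /* 4 + 20 bits: accepted */
        {16, 1u << 19},      /* 5 + 20 bits: rejected, the test is conservative */
        {65535, 16777215},   /* 16 + 24 bits: rejected, 32-bit product wraps */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t d = samples[i][0], e = samples[i][1];
        printf("dim=%u entries=%u true=%llu wrapped=%u -> %s\n",
               (unsigned)d, (unsigned)e,
               (unsigned long long)product64(d, e),
               (unsigned)product32(d, e),
               codebook_size_ok(d, e) ? "accept" : "reject");
    }
    return 0;
}
```

The second sample shows that the test rejects some codebooks whose product would still fit: it bounds the sum of the bit widths, not the exact product.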
Upstream patch: $ svn log -r 14604 http://svn.xiph.org/trunk/vorbis/ ------------------------------------------------------------------------ r14604 | xiphmont | 2008-03-19 09:03:29 +0100 (Wed, 19 Mar 2008) | 3 lines dd checks/rejection for absurdly huge codebooks. ------------------------------------------------------------------------ $ svn diff -c 14604 http://svn.xiph.org/trunk/vorbis/ Index: lib/codebook.c =================================================================== --- lib/codebook.c (revision 14603) +++ lib/codebook.c (revision 14604) @@ -159,6 +159,8 @@ s->entries=oggpack_read(opb,24); if(s->entries==-1)goto _eofout; + if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout; + /* codeword ordering.... length ordered or unordered? */ switch((int)oggpack_read(opb,1)){ case 0:
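Review bot: the added `if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;` in lib/codebook.c leaves through the same `_eofout` label as the `s->entries==-1` end-of-data test directly above it, so a codebook rejected for its size and a header that simply ran out of bits share one failure path. If the surrounding function has a distinct error exit, using it here would keep the two conditions apart; otherwise a comment saying that `_eofout` is deliberately reused would help. The constant 24 is also unexplained in the hunk: a one-line comment stating that it bounds the combined bit width of dim and entries, and why that bound keeps the later size computation from overflowing, would make the intent clear to later readers.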
https://trac.xiph.org/changeset/14604
Lifting embargo.
libvorbis-1.2.0-4.fc9 has been submitted as an update for Fedora 9
libvorbis-1.2.0-2.fc8 has been submitted as an update for Fedora 8
libvorbis-1.1.2-4.fc7 has been submitted as an update for Fedora 7
libvorbis-1.2.0-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.1.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
libvorbis-1.2.0-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0271.html
  http://rhn.redhat.com/errata/RHSA-2008-0270.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3898
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3934
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3910