Fix security bug 186716. CVE-3106 and 4029.

(Portage version: 2.1.3.6)
author: Samuli Suominen <drac@gentoo.org> 2007-08-20 14:07:18 +0000
committer: Samuli Suominen <drac@gentoo.org> 2007-08-20 14:07:18 +0000
commit: 9ad4183d4bc32c8b50fa51096a152c405388764e (patch)
tree: cc723765daf4904cdd79e6623b3e91c720683c70 /media-libs/libvorbis
parent: Bumpage (diff)
download: gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.tar.gz
gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.tar.bz2
gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.zip
4 files changed, 214 insertions, 1 deletions
diff --git a/media-libs/libvorbis/ChangeLog b/media-libs/libvorbis/ChangeLog
index b763c934831f..69ef1d82e829 100644
--- a/media-libs/libvorbis/ChangeLog
+++ b/media-libs/libvorbis/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for media-libs/libvorbis
 # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libvorbis/ChangeLog,v 1.72 2007/04/15 18:07:32 drac Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libvorbis/ChangeLog,v 1.73 2007/08/20 14:07:17 drac Exp $
+
+*libvorbis-1.1.2-r1 (20 Aug 2007)
+
+  20 Aug 2007; Samuli Suominen <drac@gentoo.org>
+  +files/libvorbis-1.1.2-CVE-3106-4029.patch, +libvorbis-1.1.2-r1.ebuild:
+  Fix security bug 186716. CVE-3106 and 4029.
 
   15 Apr 2007; Samuli Suominen <drac@gentoo.org> -libvorbis-1.0.1-r2.ebuild,
   libvorbis-1.1.0.ebuild, -libvorbis-1.1.1.ebuild:
diff --git a/media-libs/libvorbis/files/digest-libvorbis-1.1.2-r1 b/media-libs/libvorbis/files/digest-libvorbis-1.1.2-r1
new file mode 100644
index 000000000000..e9656b24f33a
--- /dev/null
+++ b/media-libs/libvorbis/files/digest-libvorbis-1.1.2-r1
@@ -0,0 +1,6 @@
+MD5 515d046afd4e2a8244ec1442c715b80a aotuvb4.51-libvorbis-1.1.2.diff.bz2 23371
+RMD160 df4f90ddd7e38069aff77674734d8d39c780c74a aotuvb4.51-libvorbis-1.1.2.diff.bz2 23371
+SHA256 feaae2ed481635bf36e5eb18e966559f743e95e410c21560f961d42455b91560 aotuvb4.51-libvorbis-1.1.2.diff.bz2 23371
+MD5 37847626b8e1b53ae79a34714c7b3211 libvorbis-1.1.2.tar.gz 1316434
+RMD160 2f1c59ab8237fe3af28f9979cd96008cfa3567cb libvorbis-1.1.2.tar.gz 1316434
+SHA256 3f7135ccbda589c251017912f5f5ec9da626c976d2376bcfda19ad6b9c4a6050 libvorbis-1.1.2.tar.gz 1316434
diff --git a/media-libs/libvorbis/files/libvorbis-1.1.2-CVE-3106-4029.patch b/media-libs/libvorbis/files/libvorbis-1.1.2-CVE-3106-4029.patch
new file mode 100644
index 000000000000..b490648d750b
--- /dev/null
+++ b/media-libs/libvorbis/files/libvorbis-1.1.2-CVE-3106-4029.patch
@@ -0,0 +1,125 @@
+Index: libvorbis-1.1.2.dfsg/lib/floor1.c
+===================================================================
+--- libvorbis-1.1.2.dfsg.orig/lib/floor1.c	2007-08-15 14:04:50.000000000 -0700
++++ libvorbis-1.1.2.dfsg/lib/floor1.c	2007-08-15 16:26:17.000000000 -0700
+@@ -358,7 +358,7 @@
+   0.82788260F, 0.88168307F, 0.9389798F, 1.F, 
+ };
+ 
+-static void render_line(int x0,int x1,int y0,int y1,float *d){
++static void render_line(int n, int x0,int x1,int y0,int y1,float *d){
+   int dy=y1-y0;
+   int adx=x1-x0;
+   int ady=abs(dy);
+@@ -370,8 +370,12 @@
+ 
+   ady-=abs(base*adx);
+ 
++  if(n>x1)n=x1;
++
++  if(x<n)
+   d[x]*=FLOOR1_fromdB_LOOKUP[y];
+-  while(++x<x1){
++
++  while(++x<n){
+     err=err+ady;
+     if(err>=adx){
+       err-=adx;
+@@ -1068,7 +1072,7 @@
+ 	hy*=info->mult;
+ 	hx=info->postlist[current];
+ 	
+-	render_line(lx,hx,ly,hy,out);
++	render_line(n,lx,hx,ly,hy,out);
+ 	
+ 	lx=hx;
+ 	ly=hy;
+Index: libvorbis-1.1.2.dfsg/lib/res0.c
+===================================================================
+--- libvorbis-1.1.2.dfsg.orig/lib/res0.c	2007-08-15 14:04:50.000000000 -0700
++++ libvorbis-1.1.2.dfsg/lib/res0.c	2007-08-15 16:26:17.000000000 -0700
+@@ -512,7 +512,7 @@
+ 
+ #ifdef TRAIN_RES
+   for(i=0;i<ch;i++)
+-    for(j=info->begin;j<info->end;j++){
++    for(j=info->begin;j<end;j++){
+       if(in[i][j]>look->tmax)look->tmax=in[i][j];
+       if(in[i][j]<look->tmin)look->tmin=in[i][j];
+     }
+@@ -617,8 +617,11 @@
+   /* move all this setup out later */
+   int samples_per_partition=info->grouping;
+   int partitions_per_word=look->phrasebook->dim;
+-  int n=info->end-info->begin;
++  int max=vb->pcmend>>1;
++  int end=(info->end<max?info->end:max);
++  int n=end-info->begin;
+   
++  if(n>0){
+   int partvals=n/samples_per_partition;
+   int partwords=(partvals+partitions_per_word-1)/partitions_per_word;
+   int ***partword=alloca(ch*sizeof(*partword));
+@@ -655,7 +658,7 @@
+ 	}
+     } 
+   }
+-  
++  }
+  errout:
+  eopbreak:
+   return(0);
+@@ -833,8 +836,11 @@
+   /* move all this setup out later */
+   int samples_per_partition=info->grouping;
+   int partitions_per_word=look->phrasebook->dim;
+-  int n=info->end-info->begin;
++  int max=(vb->pcmend*ch)>>1;
++  int end=(info->end<max?info->end:max);
++  int n=end-info->begin;
+ 
++  if(n>0){
+   int partvals=n/samples_per_partition;
+   int partwords=(partvals+partitions_per_word-1)/partitions_per_word;
+   int **partword=_vorbis_block_alloc(vb,partwords*sizeof(*partword));
+@@ -867,7 +873,7 @@
+ 	}
+     } 
+   }
+-  
++  }
+  errout:
+  eopbreak:
+   return(0);
+Index: libvorbis-1.1.2.dfsg/lib/info.c
+===================================================================
+--- libvorbis-1.1.2.dfsg.orig/lib/info.c	2007-08-15 16:26:18.000000000 -0700
++++ libvorbis-1.1.2.dfsg/lib/info.c	2007-08-15 16:27:27.000000000 -0700
+@@ -162,14 +162,23 @@
+       if(ci->mode_param[i])_ogg_free(ci->mode_param[i]);
+ 
+     for(i=0;i<ci->maps;i++) /* unpack does the range checking */
+-      _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
++      if(ci->map_param[i]) /* this may be cleaning up an aborted
++			      unpack, in which case the below type
++			      cannot be trusted */
++	_mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]);
+ 
+     for(i=0;i<ci->floors;i++) /* unpack does the range checking */
+-      _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
++      if(ci->floor_param[i]) /* this may be cleaning up an aborted
++				unpack, in which case the below type
++				cannot be trusted */
++	_floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]);
+     
+     for(i=0;i<ci->residues;i++) /* unpack does the range checking */
+-      _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
+-
++      if(ci->residue_param[i]) /* this may be cleaning up an aborted
++				  unpack, in which case the below type
++				  cannot be trusted */
++	_residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]);
++    
+     for(i=0;i<ci->books;i++){
+       if(ci->book_param[i]){
+ 	/* knows if the book was not alloced */
diff --git a/media-libs/libvorbis/libvorbis-1.1.2-r1.ebuild b/media-libs/libvorbis/libvorbis-1.1.2-r1.ebuild
new file mode 100644
index 000000000000..780d64a4303a
--- /dev/null
+++ b/media-libs/libvorbis/libvorbis-1.1.2-r1.ebuild
@@ -0,0 +1,76 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libvorbis/libvorbis-1.1.2-r1.ebuild,v 1.1 2007/08/20 14:07:17 drac Exp $
+
+inherit libtool flag-o-matic eutils toolchain-funcs
+
+DESCRIPTION="the Ogg Vorbis sound file format library"
+HOMEPAGE="http://xiph.org/vorbis/"
+SRC_URI="http://downloads.xiph.org/releases/vorbis/${P}.tar.gz
+	aotuv? ( mirror://gentoo/aotuvb4.51-${P}.diff.bz2 )"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="aotuv"
+
+RDEPEND=">=media-libs/libogg-1.0"
+DEPEND="${RDEPEND}
+	sys-apps/sed"
+
+S="${WORKDIR}"/${P/_*/}
+
+src_unpack() {
+	unpack ${P}.tar.gz
+	cd "${S}"
+
+	# Security patch for bug 186716.
+	epatch "${FILESDIR}"/${P}-CVE-3106-4029.patch
+
+	# Fix a gcc crash.  With the new atexit patch to gcc, it
+	# seems it does not handle -mno-ieee-fp very well.
+	sed -i -e "s:-mno-ieee-fp::g" configure
+
+	use aotuv && epatch "${DISTDIR}"/aotuvb4.51-${P}.diff.bz2
+
+	elibtoolize
+
+	epunt_cxx #74493
+}
+
+src_compile() {
+	# Cannot compile with sse2 support it would seem #36104
+	use x86 && [[ $(gcc-major-version) == 3 ]] && append-flags -mno-sse2
+
+	# take out -fomit-frame-pointer from CFLAGS if k6-2
+	is-flag -march=k6-3 && filter-flags -fomit-frame-pointer
+	is-flag -march=k6-2 && filter-flags -fomit-frame-pointer
+	is-flag -march=k6 && filter-flags -fomit-frame-pointer
+
+	# over optimization causes horrible audio artifacts #26463
+	filter-flags -march=pentium?
+
+	# gcc-3.4 and k6 with -ftracer causes code generation problems #49472
+	if [[ "$(gcc-major-version)$(gcc-minor-version)" == "34" ]]; then
+		is-flag -march=k6* && filter-flags -ftracer
+		is-flag -mtune=k6* && filter-flags -ftracer
+
+		replace-flags -Os -O2
+	fi
+
+	# gcc on hppa causes issues when assembling
+	use hppa && replace-flags -march=2.0 -march=1.0
+
+	econf || die
+	emake || die
+}
+
+src_install() {
+	make DESTDIR="${D}" install || die
+
+	rm -rf ${D}/usr/share/doc
+	dodoc AUTHORS README todo.txt
+	docinto txt
+	dodoc doc/*.txt
+	dohtml -r doc
+}
author	Samuli Suominen <drac@gentoo.org>	2007-08-20 14:07:18 +0000
committer	Samuli Suominen <drac@gentoo.org>	2007-08-20 14:07:18 +0000
commit	9ad4183d4bc32c8b50fa51096a152c405388764e (patch)
tree	cc723765daf4904cdd79e6623b3e91c720683c70 /media-libs/libvorbis
parent	Bumpage (diff)
download	gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.tar.gz gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.tar.bz2 gentoo-2-9ad4183d4bc32c8b50fa51096a152c405388764e.zip