user/libvorbis: new patch for CVE-2018-10392 (#157)

Also, use upstream patch for CVE-2017-14160

4 files changed, 62 insertions, 65 deletions

diff --git a/user/libvorbis/APKBUILD b/user/libvorbis/APKBUILD
index 2b5b41f4c..73520bf56 100644
--- a/user/libvorbis/APKBUILD
+++ b/user/libvorbis/APKBUILD
@@ -10,18 +10,21 @@ license="BSD-3-Clause"
 subpackages="$pkgname-dev $pkgname-doc"
 makedepends="libogg-dev"
 source="https://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz
-	CVE-2017-14160.patch
+	CVE-2017-14160-and-2018-10393.patch
+	CVE-2018-10392.patch
 	"
 
 # secfixes:
+#   1.3.6-r1:
+#     - CVE-2018-10392
 #   1.3.5-r4:
-#   - CVE-2017-14632
-#   - CVE-2017-14633
+#     - CVE-2017-14632
+#     - CVE-2017-14633
 #   1.3.5-r3:
-#   - CVE-2017-14160
+#     - CVE-2017-14160
+#     - CVE-2018-10393
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -33,9 +36,9 @@ build() {
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 }
 
 sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132  libvorbis-1.3.6.tar.xz
-4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e  CVE-2017-14160.patch"
+332081da5dd8fb28ee70dfbc123e7fcef279317ee977be9da97e97a105e788da452c33097bf597f369fea0e49749f876a93d6af0fa2fa20405acbc57771c89a9  CVE-2017-14160-and-2018-10393.patch
+294de5e0c40b64d495df7f53196260be5ffaba11c75fc4a1a54ec0c058eeba4793c1ef685c8cf866195a2972c91a7a896df5f05f478b7f25a564abb3f82f331f  CVE-2018-10392.patch"
diff --git a/user/libvorbis/CVE-2017-14160-and-2018-10393.patch b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch
new file mode 100644
index 000000000..3a7097ec7
--- /dev/null
+++ b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch
@@ -0,0 +1,27 @@
+From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Wed, 9 May 2018 14:56:59 -0700
+Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates.
+
+---
+ lib/psy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1..1310123 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+   for (i = 0, x = 0.f;; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+-    if( lo>=0 ) break;
+     hi = b[i] & 0xffff;
++    if( lo>=0 ) break;
++    if( hi>=n ) break;
+ 
+     tN = N[hi] + N[-lo];
+     tX = X[hi] - X[-lo];
+-- 
+2.22.0
+
diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch
deleted file mode 100644
index 9ad9d18f7..000000000
--- a/user/libvorbis/CVE-2017-14160.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
-Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
-From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Wed, 15 Nov 2017 13:12:00 +0100
-Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
-
----
- lib/psy.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/lib/psy.c b/lib/psy.c
-index 422c6f1e..8bbf6cf3 100644
---- a/lib/psy.c
-+++ b/lib/psy.c
-@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
-     XY[i] = tXY;
-   }
- 
--  for (i = 0, x = 0.f;; i++, x += 1.f) {
-+  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
- 
-     lo = b[i] >> 16;
-     if( lo>=0 ) break;
-@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
-     noise[i] = R - offset;
-   }
- 
--  for ( ;; i++, x += 1.f) {
-+  for ( ; i < n; i++, x += 1.f) {
- 
-     lo = b[i] >> 16;
-     hi = b[i] & 0xffff;
-     if(hi>=n)break;
--
-     tN = N[hi] - N[lo];
-     tX = X[hi] - X[lo];
-     tXX = XX[hi] - XX[lo];
-@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
- 
-   if (fixed <= 0) return;
- 
--  for (i = 0, x = 0.f;; i++, x += 1.f) {
-+  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
-     hi = i + fixed / 2;
-     lo = hi - fixed;
-     if(lo>=0)break;
-@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
- 
-     if (R - offset < noise[i]) noise[i] = R - offset;
-   }
--  for ( ;; i++, x += 1.f) {
-+  for ( ; i < n; i++, x += 1.f) {
- 
-     hi = i + fixed / 2;
-     lo = hi - fixed;
--- 
-2.15.0
-
diff --git a/user/libvorbis/CVE-2018-10392.patch b/user/libvorbis/CVE-2018-10392.patch
new file mode 100644
index 000000000..a12038a94
--- /dev/null
+++ b/user/libvorbis/CVE-2018-10392.patch
@@ -0,0 +1,25 @@
+From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 17 May 2018 16:19:19 -0700
+Subject: [PATCH] Sanity check number of channels in setup.
+
+Fixes #2335.
+---
+ lib/vorbisenc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4fc7b62..64a51b5 100644
+--- a/lib/vorbisenc.c
++++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+   highlevel_encode_setup *hi=&ci->hi;
+ 
+   if(ci==NULL)return(OV_EINVAL);
++  if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+   if(!hi->impulse_block_p)i0=1;
+ 
+   /* too low/high an ATH floater is nonsensical, but doesn't break anything */
+-- 
+2.22.0
+