From 48062dbff757ffabd9a580ee8de6b05d37dcc4bd Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Mon, 9 Jul 2018 21:49:59 -0500
Subject: user/libvorbis: pull in, bump, fix

---
 user/libvorbis/CVE-2017-14160.patch | 58 +++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 user/libvorbis/CVE-2017-14160.patch

(limited to 'user/libvorbis/CVE-2017-14160.patch')

diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 000000000..9ad9d18f7
--- /dev/null
+++ b/user/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,58 @@
+From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
+Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 13:12:00 +0100
+Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
+
+---
+ lib/psy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1e..8bbf6cf3 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+     XY[i] = tXY;
+   }
+ 
+-  for (i = 0, x = 0.f;; i++, x += 1.f) {
++  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+     if( lo>=0 ) break;
+@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
+     noise[i] = R - offset;
+   }
+ 
+-  for ( ;; i++, x += 1.f) {
++  for ( ; i < n; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+     hi = b[i] & 0xffff;
+     if(hi>=n)break;
+-
+     tN = N[hi] - N[lo];
+     tX = X[hi] - X[lo];
+     tXX = XX[hi] - XX[lo];
+@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ 
+   if (fixed <= 0) return;
+ 
+-  for (i = 0, x = 0.f;; i++, x += 1.f) {
++  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+     hi = i + fixed / 2;
+     lo = hi - fixed;
+     if(lo>=0)break;
+@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ 
+     if (R - offset < noise[i]) noise[i] = R - offset;
+   }
+-  for ( ;; i++, x += 1.f) {
++  for ( ; i < n; i++, x += 1.f) {
+ 
+     hi = i + fixed / 2;
+     lo = hi - fixed;
+-- 
+2.15.0
+
-- 
cgit v1.2.3-60-g2f50