# --- T2-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # T2 SDE: package/.../libvorbis/CVE-2007-3106.patch # Copyright (C) 2007 The T2 SDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- T2-COPYRIGHT-NOTE-END --- diff -Nur libvorbis-1.1.2-orig/lib/info.c libvorbis-1.1.2/lib/info.c --- libvorbis-1.1.2-orig/lib/info.c 2005-11-28 05:43:25.000000000 +0000 +++ libvorbis-1.1.2/lib/info.c 2007-07-27 16:32:54.000000000 +0100 @@ -139,7 +139,7 @@ memset(vc,0,sizeof(*vc)); } -/* blocksize 0 is guaranteed to be short, 1 is guarantted to be long. +/* blocksize 0 is guaranteed to be short, 1 is guaranteed to be long. They may be equal, but short will never ge greater than long */ int vorbis_info_blocksize(vorbis_info *vi,int zo){ codec_setup_info *ci = vi->codec_setup; @@ -162,14 +162,23 @@ if(ci->mode_param[i])_ogg_free(ci->mode_param[i]); for(i=0;imaps;i++) /* unpack does the range checking */ - _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]); + if(ci->map_param[i]) /* this may be cleaning up an aborted + unpack, in which case the below type + cannot be trusted */ + _mapping_P[ci->map_type[i]]->free_info(ci->map_param[i]); for(i=0;ifloors;i++) /* unpack does the range checking */ - _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]); + if(ci->floor_param[i]) /* this may be cleaning up an aborted + unpack, in which case the below type + cannot be trusted */ + _floor_P[ci->floor_type[i]]->free_info(ci->floor_param[i]); for(i=0;iresidues;i++) /* unpack does the range checking */ - _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]); - + if(ci->residue_param[i]) /* this may be cleaning up an aborted + unpack, in which case the below type + cannot be trusted */ + _residue_P[ci->residue_type[i]]->free_info(ci->residue_param[i]); + for(i=0;ibooks;i++){ if(ci->book_param[i]){ /* knows if the book was not alloced */ @@ -416,7 +425,7 @@ } static int _vorbis_pack_comment(oggpack_buffer *opb,vorbis_comment *vc){ - char temp[]="Xiph.Org libVorbis I 20050304"; + char temp[]="Xiph.Org libVorbis I 20070621"; int bytes = strlen(temp); /* preamble */