tags 704870 + patch thanks Gregor -- thanks for finding the links. The .diff just had different line numbers, so would likely apply with fuzz, but I made a quick patch that doesn't against the git repo.
I would have made a quilt patch, but this looks like a package in 1.0 format. -- Chris -- Chris Knadle chris.kna...@coredump.us
From d5aeb4fa4ff5e93deb7641359678d91b49fae4b0 Mon Sep 17 00:00:00 2001 From: Christopher Knadle <chris.kna...@coredump.us> Date: Mon, 8 Apr 2013 17:59:28 -0400 Subject: [PATCH] fix for CVE-2013-0899 Fix possible overflow padding by feeding ~16 MB of 0xff bytes to the decoder Thanks to Gregor Herrmann for finding these links with more detail: https://code.google.com/p/chromium/issues/detail?id=160480 http://git.xiph.org/?p=opus.git;a=commitdiff;h=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 --- src/opus_decoder.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/opus_decoder.c b/src/opus_decoder.c index 24869e7..7d2219d 100644 --- a/src/opus_decoder.c +++ b/src/opus_decoder.c @@ -596,16 +596,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len, /* Padding flag is bit 6 */ if (ch&0x40) { - int padding=0; int p; do { if (len<=0) return OPUS_INVALID_PACKET; p = *data++; len--; - padding += p==255 ? 254: p; + len -= p==255 ? 254: p; } while (p==255); - len -= padding; } if (len<0) return OPUS_INVALID_PACKET; -- 1.7.10.4
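Review bot: the commit message should say why moving the subtraction into the loop is the fix, since the subject only names the CVE and the reproducer: with the separate `int padding` accumulator, every 0xff byte adds 254, so the ~16 MB run of 0xff bytes named in the subject pushes the sum past what a signed int holds before the single `len -= padding;` after the loop is reached, whereas `len -= p==255 ? 254: p;` applied on each iteration means the existing `if (len<=0) return OPUS_INVALID_PACKET;` at the top of the next pass rejects the packet as soon as the declared padding exceeds the bytes remaining, and there is no accumulator left to wrap. It would also help to record in the Debian changelog that this hunk is a backport of the upstream opus commit 9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 linked in the message, so the patch can be dropped cleanly on the next upstream merge.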