1. 04 Jul, 2020 1 commit
  2. 03 Jul, 2020 1 commit
  3. 28 Jan, 2019 1 commit
  4. 23 May, 2018 1 commit
  5. 16 Mar, 2018 1 commit
  6. 11 Dec, 2017 2 commits
    • Guido Günther's avatar
      CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized · c1c2831f
      Guido Günther authored
      If the number of channels is not within the allowed range
      we call oggback_writeclear altough it's not initialized yet.
      
      This fixes
      
          =23371== Invalid free() / delete / delete[] / realloc()
          ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
          ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
          ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
          ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
          ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
          ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
          ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
          ==23371==    by 0x10D82A: process (sox.c:1753)
          ==23371==    by 0x10D82A: main (sox.c:3012)
          ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
          ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
          ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
          ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
          ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
          ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
          ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
          ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
          ==23371==    by 0x10D82A: process (sox.c:1753)
          ==23371==    by 0x10D82A: main (sox.c:3012)
      
      as seen when using the testcase from CVE-2017-11333 with
      008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
      there before.
      c1c2831f
    • Guido Günther's avatar
      CVE-2017-14633: Don't allow for more than 256 channels · a79ec216
      Guido Günther authored
      Otherwise
      
       for(i=0;i<vi->channels;i++){
            /* the encoder setup assumes that all the modes used by any
               specific bitrate tweaking use the same floor */
            int submap=info->chmuxlist[i];
      
      overreads later in mapping0_forward since chmuxlist is a fixed array of
      256 elements max.
      a79ec216
  7. 10 Nov, 2017 1 commit
  8. 22 Jul, 2017 1 commit
    • Jörn Heusipp's avatar
      Fix reading maximum, nominal, minimum bitrate in _vorbis_unpack_info(). · 68ebc894
      Jörn Heusipp authored
      https://xiph.org/vorbis/doc/Vorbis_I_spec.html#x1-630004.2.2 specifies
      these fields as 32bit signed. oggpack_read(opb,32), which is used to
      read these fields, returns 32 bits stored in a long. On architectures
      where long is 64bit, this results in a positive value being returned.
      This value is then stored in struct vorbis_info in bitrate_upper,
      bitrate_nominal and bitrate_lower, also as long. ogginfo relies on
      these values in order to display the respective header fields and thus
      misrepresented the stored value -1 (which has the intended meaning of
      "bitrate not set") as 2**32-1 on architectures where long is 64bit.
      
      Explicitly cast the return value of oggpack_read() to a signed 32bit
      integer type.
      
      A nominal bitrate value of -1 is valid as per specification, and is
      written by libvorbis for VBR files with samplerate >= 50000Hz.
      Signed-off-by: Timothy B. Terriberry's avatarTimothy B. Terriberry <tterribe@xiph.org>
      68ebc894
  9. 16 Jun, 2017 1 commit
    • Ralph Giles's avatar
      Remove svn $Id$ header. · 679433eb
      Ralph Giles authored
      Most checked-in files had a comment with a filename and
      last-modified string automatically updated by the
      subversion version control tool. These became obsolete
      when we migrated the repository to git. Remove them.
      679433eb
  10. 13 Oct, 2015 1 commit
    • Ralph Giles's avatar
      Allocate comment temporaries on the heap. · c75b3b12
      Ralph Giles authored
      Use malloc/free instead of the more convenient alloca for
      comment data. Album art can easily be larger than the local
      stack limit and crash the process.
      
      Thanks to Robert Kausch for the suggestion.
      c75b3b12
  11. 21 Jan, 2015 1 commit
  12. 07 Jan, 2015 1 commit
    • Timothy B. Terriberry's avatar
      Reject multiple headers of the same type. · c761e218
      Timothy B. Terriberry authored
      A common application pattern is to call vorbis_synthesis_headerin()
       and count how many times it succeeds.
      If you feed it multiple valid comment headers, they will all
       succeed, meaning you can be fooled into think you have a valid
       Vorbis file despite never seeing a setup header.
      This patch makes libvorbis reject multiple headers of the same type,
       preventing this from occurring.
      
      svn path=/trunk/vorbis/; revision=19426
      c761e218
  13. 05 Jan, 2015 2 commits
  14. 22 Jan, 2014 1 commit
  15. 03 Feb, 2012 1 commit
  16. 20 Jan, 2012 1 commit
  17. 04 Nov, 2011 1 commit
  18. 01 Nov, 2010 1 commit
  19. 26 Oct, 2010 1 commit
  20. 24 Oct, 2010 1 commit
  21. 26 Mar, 2010 3 commits
  22. 25 Mar, 2010 2 commits
  23. 03 Mar, 2010 1 commit
  24. 10 Jul, 2009 1 commit
  25. 08 Jul, 2009 2 commits
  26. 07 Jul, 2009 2 commits
  27. 23 Jun, 2009 1 commit
  28. 03 Jun, 2009 1 commit
  29. 26 May, 2009 1 commit
  30. 14 May, 2009 1 commit
  31. 27 Nov, 2008 1 commit
  32. 28 Sep, 2008 1 commit
  33. 31 May, 2008 1 commit