authorTilman Sauerbeck <tilman@crux.nu>2012-03-03 11:00:39 +0100
committerTilman Sauerbeck <tilman@crux.nu>2012-03-03 11:04:13 +0100
commitde101aa168cb54fda6898cbb0e0296d4ca77db63 (patch)
tree5bb0ded143b78c7c598c0ff561c91a3bcee3030f /libvorbis
parent59fbb278070041323a708e81fd2bb6c052af66a5 (diff)
[notify] libvorbis: fixed buffer overflow.
See CVE-2012-0444 for details.
Diffstat (limited to 'libvorbis')
-rw-r--r--libvorbis/.md5sum1
-rw-r--r--libvorbis/Pkgfile5
-rw-r--r--libvorbis/libvorbis.diff24
3 files changed, 28 insertions, 2 deletions
diff --git a/libvorbis/.md5sum b/libvorbis/.md5sum
index c59354f7d..ed13677ee 100644
--- a/libvorbis/.md5sum
+++ b/libvorbis/.md5sum
@@ -1 +1,2 @@
798a4211221073c1409f26eac4567e8b libvorbis-1.3.2.tar.bz2
+da63af101889342f87cf33f15924adc4 libvorbis.diff
diff --git a/libvorbis/Pkgfile b/libvorbis/Pkgfile
index bf54e9ba2..85344b128 100644
--- a/libvorbis/Pkgfile
+++ b/libvorbis/Pkgfile
@@ -5,11 +5,12 @@
name=libvorbis
version=1.3.2
-release=1
-source=(http://downloads.xiph.org/releases/vorbis/$name-$version.tar.bz2)
+release=2
+source=(http://downloads.xiph.org/releases/vorbis/$name-$version.tar.bz2 $name.diff)
build() {
cd $name-$version
+ patch -p3 -i $SRC/$name.diff
./configure --prefix=/usr
make
make DESTDIR=$PKG install
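Review bot: The new `patch -p3 -i $SRC/$name.diff` line is the only thing that makes release 2 differ from the vulnerable release 1, and nothing visible in this hunk shows that build() stops when it fails. If the build driver does not run the function with errexit (not visible here, so worth confirming), a rejected hunk would still produce a package labelled as fixed; `patch -p3 -i $SRC/$name.diff || return 1` makes the failure explicit. A short comment such as `# -p3 strips a/media/libvorbis/ (paths come from the Mozilla tree)` would also explain the unusual strip level. The body of build() continues past the end of the hunk.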
diff --git a/libvorbis/libvorbis.diff b/libvorbis/libvorbis.diff
new file mode 100644
index 000000000..938a9ca8d
--- /dev/null
+++ b/libvorbis/libvorbis.diff
@@ -0,0 +1,24 @@
+# Stolen from Mozilla, with minor adjustments.
+# Author: Timothy B. Terriberry <tterribe@vt.edu>
+
+diff --git a/media/libvorbis/lib/floor1.c b/media/libvorbis/lib/floor1.c
+--- a/media/libvorbis/lib/floor1.c
++++ b/media/libvorbis/lib/floor1.c
+@@ -162,16 +162,17 @@ static vorbis_info_floor *floor1_unpack
+
+ /* read the post list */
+ info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
+ rangebits=oggpack_read(opb,4);
+ if(rangebits<0)goto err_out;
+
+ for(j=0,k=0;j<info->partitions;j++){
+ count+=info->class_dim[info->partitionclass[j]];
++ if(count>VIF_POSIT) goto err_out;
+ for(;k<count;k++){
+ int t=info->postlist[k+2]=oggpack_read(opb,rangebits);
+ if(t<0 || t>=(1<<rangebits))
+ goto err_out;
+ }
+ }
+ info->postlist[0]=0;
+ info->postlist[1]=1<<rangebits;
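Review bot: The header of the added patch file gives its origin only as "Stolen from Mozilla, with minor adjustments", which leaves no way to tell what was changed or when the patch can be dropped. It should name the upstream change it was taken from and list the adjustments, for example `# Source: <upstream changeset URL>; adjusted: <what changed>`. The added guard `if(count>VIF_POSIT) goto err_out;` would also benefit from a one-line comment, e.g. `/* postlist[k+2] is written for every k<count; reject oversized counts before the loop */`. That bound is only sufficient if `postlist` holds at least `VIF_POSIT+2` entries, and its declaration is outside this hunk, so confirm it against the header. floor1_unpack begins and ends outside the hunk.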
