Bug 498827 - libvorbis update - r=xiphmont

media/libvorbis/README_MOZILLA

@@ -12,3 +12,4 @@ support for builds with WINCE defined.
 BUG 469639 - Failed to build firefox trunk on OpenSolaris
 bug481601.patch is appled to fix bug 481601.
 bug487519.patch: fix for bug 487519.
+bug498827.patch: fix for bug 498827

media/libvorbis/bug498827.patch

@@ -0,0 +1,53 @@
+diff --git a/media/libvorbis/lib/vorbis_info.c b/media/libvorbis/lib/vorbis_info.c
+index 5a9d209..1d50526 100644
+--- a/media/libvorbis/lib/vorbis_info.c
++++ b/media/libvorbis/lib/vorbis_info.c
+@@ -16,16 +16,17 @@
+  ********************************************************************/
+ 
+ /* general handling of the header and the vorbis_info structure (and
+    substructures) */
+ 
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ #include <ogg/ogg.h>
+ #include "vorbis/codec.h"
+ #include "codec_internal.h"
+ #include "codebook.h"
+ #include "registry.h"
+ #include "window.h"
+ #include "psy.h"
+ #include "misc.h"
+@@ -230,27 +231,27 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
+  err_out:
+   vorbis_info_clear(vi);
+   return(OV_EBADHEADER);
+ }
+ 
+ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
+   int i;
+   int vendorlen=oggpack_read(opb,32);
+-  if(vendorlen<0)goto err_out;
++  if(vendorlen<0||vendorlen>opb->storage)goto err_out;
+   vc->vendor=_ogg_calloc(vendorlen+1,1);
+   _v_readstring(opb,vc->vendor,vendorlen);
+   vc->comments=oggpack_read(opb,32);
+-  if(vc->comments<0)goto err_out;
++  if(vc->comments<0||vc->comments>(LONG_MAX>>2)||vc->comments<<2>opb->storage)goto err_out;
+   vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
+   vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
+ 	    
+   for(i=0;i<vc->comments;i++){
+     int len=oggpack_read(opb,32);
+-    if(len<0)goto err_out;
++    if(len<0||len>opb->storage)goto err_out;
+ 	vc->comment_lengths[i]=len;
+     vc->user_comments[i]=_ogg_calloc(len+1,1);
+     _v_readstring(opb,vc->user_comments[i],len);
+   }	  
+   if(oggpack_read(opb,1)!=1)goto err_out; /* EOP check */
+ 
+   return(0);
+  err_out:

media/libvorbis/lib/vorbis_info.c

@@ -21,6 +21,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <limits.h>
 #include <ogg/ogg.h>
 #include "vorbis/codec.h"
 #include "codec_internal.h"
@@ -235,17 +236,17 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
 static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
   int i;
   int vendorlen=oggpack_read(opb,32);
-  if(vendorlen<0)goto err_out;
+  if(vendorlen<0||vendorlen>opb->storage)goto err_out;
   vc->vendor=_ogg_calloc(vendorlen+1,1);
   _v_readstring(opb,vc->vendor,vendorlen);
   vc->comments=oggpack_read(opb,32);
-  if(vc->comments<0)goto err_out;
+  if(vc->comments<0||vc->comments>(LONG_MAX>>2)||vc->comments<<2>opb->storage)goto err_out;
   vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
   vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
 	    
   for(i=0;i<vc->comments;i++){
     int len=oggpack_read(opb,32);
-    if(len<0)goto err_out;
+    if(len<0||len>opb->storage)goto err_out;
 	vc->comment_lengths[i]=len;
     vc->user_comments[i]=_ogg_calloc(len+1,1);
     _v_readstring(opb,vc->user_comments[i],len);

media/libvorbis/update.sh

@@ -49,3 +49,4 @@ cp $1/AUTHORS ./AUTHORS
 patch -p3 < ./alloca.diff
 patch -p3 <./bug481601.patch
 patch -p3 <bug487519.patch
+patch -p3 <bug498827.patch