diff --git a/libtheora.spec b/libtheora.spec index badbd4e689d7c575c0398352cfb5fb49faa771ee..c04a77a03fdd826f27d1b0cfec15f2a868a3d0f9 100644 --- a/libtheora.spec +++ b/libtheora.spec @@ -1,4 +1,4 @@ -%define anolis_release 6 +%define anolis_release 7 Name: libtheora Epoch: 2 Version: 1.1.1 @@ -11,6 +11,7 @@ Source0: http://downloads.xiph.org/releases/theora/%{name}-%{version}.tar Patch1: 0001-Fix-pp_sharp_mod-calculation.patch Patch2: 0002-examples-png_sizeof-no-longer-available-since-libpng.patch Patch3: 0003-examples-fix-underlinking.patch +Patch4: test.patch BuildRequires: autoconf automake doxygen libtool make BuildRequires: libogg-devel >= 2:1.1 @@ -77,7 +78,6 @@ sed -i 's/CFLAGS="$CFLAGS $cflags_save"/CFLAGS="$cflags_save"/g' configure %make_build %make_build -C doc/spec - %install %make_install @@ -125,6 +125,9 @@ install -m 0755 examples/.libs/png2theora $RPM_BUILD_ROOT/%{_bindir}/png2theora %doc doc/libtheora/html doc/color.html %changelog +* Fri Apr 18 2025 zjl02254423 - 2:1.1.1-7 +- test + * Tue Apr 18 2023 Chunmei Xu - 2:1.1.1-6 - format patches diff --git a/test.patch b/test.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f971de270202b087649ae3a256dfd0645ab4c67 --- /dev/null +++ b/test.patch 
@@ -0,0 +1,47 @@
+From 5665f86b8fd8345bb09469990e79221562ac204b Mon Sep 17 00:00:00 2001
+From: Petter Reinholdtsen
+Date: Mon, 10 Mar 2025 22:45:57 +0100
+Subject: [PATCH] Avoid negative bit shift operatoin in huffdec.c
+ (CVE-2024-56431).
+
+A crash was discovered using input fuzzying, in th_decode_ceaderin()
+where the len value in the oc_fuff_tree_unpack() can end up as -1.
+Added a check to ensure this do not happen.
+
+Based on feedback from Timothy B. Terriberry.
+
+The issue was discovered using gcc sanitazion, which reported the following:
+
+huffdec.c:228:27: runtime error: shift exponent -1 is negative
+ #0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
+ #1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
+ #2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
+ #3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
+ #4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
+ #5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
+ #6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
+ #7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
+ #8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
+ #10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)
+
+Fixes github pull request #19.
+---
+ lib/huffdec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/huffdec.c b/lib/huffdec.c
+index cc1828dd..1bab3dd9 100644
+--- a/lib/huffdec.c
++++ b/lib/huffdec.c
+@@ -224,6 +224,7 @@ int oc_huff_tree_unpack(oc_pack_buf *_opb,unsigned char _tokens[256][2]){
+ _tokens[ntokens][1]=(unsigned char)(len+neb);
+ ntokens++;
+ }
++ if(len<=0)break;
+ code_bit=0x80000000U>>len-1;
+ while(len>0&&(code&code_bit)){
+ code^=code_bit;
+--
+GitLab
+
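Review bot: The CVE-2024-56431 fix is added under the name `test.patch`, and the spec changelog entry for it reads `- test`, so neither the package history nor a scan of patch names shows that this CVE is addressed. Following the numbering of Patch1–Patch3, a name along the lines of `Patch4: 0004-Avoid-negative-bit-shift-in-huffdec.c-CVE-2024-56431.patch` (constructed here as a suggestion) and a changelog line such as `- Fix CVE-2024-56431` would keep the fix traceable. The embedded hunk's context, `oc_huff_tree_unpack(oc_pack_buf *_opb,unsigned char _tokens[256][2])` at line 224, should be checked against lib/huffdec.c in the 1.1.1 tarball, because the page shows neither whether the patch applies to that release nor how Patch4 is applied in %prep. The added guard `if(len<=0)break;` sits in a loop that starts and ends outside the hunk and carries no comment; something like `/*len==0 here would make the shift below use exponent -1 (CVE-2024-56431).*/` would record why it is there.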