The following 4 patches are based on PR submissions at mainstream.
I modified most of the patches and notified the patch author about
them.
(1) Fix CVE-2023-45676 and CVE-2023-45677 (integer overflow in setup_malloc()):
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
to mainstream at: https://github.com/nothings/stb/pull/1554 and https://github.com/nothings/stb/pull/1555
GHSL-2023-166/CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
GHSL-2023-167/CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
Test files (for convenience): 1554.ogg.zip, 1555.ogg.zip
(2) Fix CVE-2023-45679 and CVE-2023-45680:
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
to mainstream at: https://github.com/nothings/stb/pull/1557 and https://github.com/nothings/stb/pull/1558
GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()
Test files (for convenience): 1557.ogg.zip, 1558.ogg.zip
(3) Fix CVE-2023-45681 (integer overflow):
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at https://github.com/nothings/stb/pull/1559
GHSL-2023-171/CVE-2023-45681: Out of bounds heap buffer write
Test files (for convenience): 1559.ogg.zip
(4) Fix CVE-2023-45682:
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at https://github.com/nothings/stb/pull/1560
GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
Test files (for convenience): 1560.ogg.zip
(5) music_ogg_stb.c: Error-out early if the vorbis file has no samples
This is not a CVE fix, but 1560.ogg attached above runs in an endless loop
in our playmus program, so this was my quick solution. Any other solutions
are welcome, of course.
This is prepared against SDL2 branch: If this goes in, I will cherry-pick
into SDL3 branch (and can also apply to Ryan's SDL_sound.)
@slouken, @icculus: Please review.
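Added illustration of the bug class behind items (1) and (3), i.e. an allocation size computed from a file-supplied count that overflows before it reaches an int-sized allocator; this is example code, not the PR's patch and not stb_vorbis code. `setup_malloc_like`, `checked_array_bytes` and `alloc_array_checked` are hypothetical names.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for a setup_malloc()-style allocator whose size
 * parameter is an int; like the real pattern it does not validate the
 * value it is handed, so the check has to happen at the caller. */
static void *setup_malloc_like(int sz)
{
    return sz > 0 ? malloc((size_t)sz) : NULL;
}

/* Compute count * elem_size as an int byte count, reporting failure
 * instead of wrapping. count is untrusted (read from the stream, e.g. a
 * codebook entry count); elem_size is a compile-time sizeof value. */
static bool checked_array_bytes(int count, size_t elem_size, int *out_bytes)
{
    if (count < 0 || elem_size == 0)
        return false;                       /* nonsensical input */
    if ((size_t)count > (size_t)INT_MAX / elem_size)
        return false;                       /* product would exceed INT_MAX */
    *out_bytes = (int)((size_t)count * elem_size);
    return true;
}

/* Allocate an array of `count` elements, or return NULL when the byte
 * size is not representable; a caller treats NULL as a corrupt file
 * rather than continuing with a too-small buffer. */
static void *alloc_array_checked(int count, size_t elem_size)
{
    int bytes;
    if (!checked_array_bytes(count, elem_size, &bytes))
        return NULL;
    return setup_malloc_like(bytes);
}
```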