Open Youlean opened 1 year ago
Another bug: https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3908
c->multiplicands could be null
Possible fix:
{
float last=0;
CHECK(f);
int multiplicands_size = 0;
if (c->multiplicands != NULL) multiplicands_size = sizeof(c->multiplicands[0]) * c->lookup_values;
c->multiplicands = (codetype *) setup_malloc(f, multiplicands_size);
if (c->multiplicands == NULL) { setup_temp_free(f, mults,sizeof(mults[0])*c->lookup_values); return error(f, VORBIS_outofmem); }
for (j=0; j < (int) c->lookup_values; ++j) {
float val = mults[j] * c->delta_value + c->minimum_value + last;
c->multiplicands[j] = val;
if (c->sequence_p)
last = val;
}
}
I don't see what the failure cases in any of these are.
Here i could be 32 available[i] = 1U << (32 - i);
Also z could be 32 while (z > 0 && !available[z]) --z;
Can it, though? I quoted this line at you. Why do you think I did that?
assert(len[k] < 32); // no error return required, code reading lens checks this
I have test files that can reproduce the issue. It is causing a buffer overflow in the latest msvc compiler.
EDIT: found your email. Will send it right now.
c->multiplicands could be null
Doesn't make a difference. sizeof
is an operator that yields a result at compile time based on the type of the expression of the operand.
Maybe it won't be good to post it publicly as this could be a security vulnerability.
From what I've seen, stb library doesn't really deal with these type of things behind closed doors. Test cases are posted on the bug report publicly - which also makes it so others can also fix the issue and send a patch.
You are right about the multiplicands. The problem is that sz in static void setup_malloc(vorb f, int sz) could sometimes be negative. That could happen if int sz overlows
None of the three test files ever triggered the quoted assert of len[k] < 32 in a debug build, or an equivalent test in a release build in my old MSVC. If they do in yours, you're going to have to root cause why len[k] is getting through there invalid, not rewrite the code to deal with an invalid len[k].
If you think the setup_malloc sz thing is still a valid bug, please open that in a new bug report so there's no confusion about which things are being reported for which bugs.
Ah, sorry it seems like I was using a bit older version 1.14.This file should crash the latest version 1.22 in static void setup_free(vorb f, void p) I could set up the visual studio 2022 project with libFuzzer if you want to check it out. On Wednesday, June 21, 2023 at 03:06:36 AM GMT+2, Sean Barrett @.***> wrote:
None of the three test files ever triggered the quoted assert of len[k] < 32 in a debug build, or an equivalent test in a release build.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
Forgot to mention, you might need the address sanitizer enabled if it doesn't. On Wednesday, June 21, 2023 at 12:22:36 PM GMT+2, Julijan Nikolic @.***> wrote:
Ah, sorry it seems like I was using a bit older version 1.14.This file should crash the latest version 1.22 in static void setup_free(vorb f, void p) I could set up the visual studio 2022 project with libFuzzer if you want to check it out. On Wednesday, June 21, 2023 at 03:06:36 AM GMT+2, Sean Barrett @.***> wrote:
None of the three test files ever triggered the quoted assert of len[k] < 32 in a debug build, or an equivalent test in a release build.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
These lines could overflow when an invalid file is being used: https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L1100 https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L1116
Possible fix: