A crafted file may trigger an out-of-bounds write in f->vendor[len] = (char)'\0'; [1]. The root cause is that len, read in start_decoder [2], can be a negative number; setup_malloc [3] still successfully allocates memory in that case [4], and the memory write is then done with the negative index len [1].
   len = get32_packet(f); // [2]
   f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1)); // [3]
   if (f->vendor == NULL) return error(f, VORBIS_outofmem);
   for(i=0; i < len; ++i) {
      f->vendor[i] = get8_packet(f);
   }
   f->vendor[len] = (char)'\0'; // [1]
...
static void *setup_malloc(vorb *f, int sz)
{
   sz = (sz+7) & ~7; // round up to nearest 8 for alignment of future allocs.
   f->setup_memory_required += sz;
   if (f->alloc.alloc_buffer) {
      void *p = (char *) f->alloc.alloc_buffer + f->setup_offset; // [4]
      if (f->setup_offset + sz > f->temp_offset) return NULL;
      f->setup_offset += sz;
      return p;
   }
   return sz ? malloc(sz) : NULL;
}
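As an added example (not stb_vorbis code and not from the advisory author), the following C model reproduces the allocator logic above to show why a negative len is accepted, and places beside it the length validation that rejects negative values and the len+1 wrap; arena, model_setup_malloc, negative_len_passes_model and vendor_alloc_size are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not stb_vorbis code: a minimal model of the setup
 * allocator shown above, beside the length validation it lacks. The
 * names arena, model_setup_malloc, negative_len_passes_model and
 * vendor_alloc_size are hypothetical. */

typedef struct {
    char *alloc_buffer;  /* caller-supplied buffer (alloc_buffer path) */
    int   setup_offset;  /* setup allocations grow from the front */
    int   temp_offset;   /* temp allocations grow from the back */
} arena;

/* Same shape as the original: rounding to 8 keeps a negative sz
 * negative, the bounds test passes, and a valid pointer comes back. */
static void *model_setup_malloc(arena *a, int sz)
{
    sz = (sz + 7) & ~7;
    if (a->alloc_buffer) {
        void *p = a->alloc_buffer + a->setup_offset;
        if (a->setup_offset + sz > a->temp_offset) return NULL;
        a->setup_offset += sz;   /* moves backwards when sz < 0 */
        return p;
    }
    return sz ? malloc((size_t)sz) : NULL;
}

/* Returns 1 if a length len (as read by get32_packet), sized as len+1
 * like the vendor string, is accepted by the model allocator. Uses a
 * constructed 64-byte arena; no packet is parsed. */
static int negative_len_passes_model(int len)
{
    char buf[64];
    arena a = { buf, 0, (int)sizeof buf };
    return model_setup_malloc(&a, len + 1) != NULL;
}

/* The missing check before allocating: the 32-bit length must be
 * non-negative, must not wrap when 1 is added for the terminator, and
 * must not exceed the bytes left in the packet. Returns the byte count
 * to allocate, or 0 to reject the file. */
static size_t vendor_alloc_size(int32_t len, size_t packet_remaining)
{
    if (len < 0) return 0;                        /* negative index */
    if (len == INT32_MAX) return 0;               /* len + 1 wraps  */
    if ((size_t)len > packet_remaining) return 0; /* truncated data */
    return (size_t)len + 1;
}
```

With len = -9 the model rounds the request to -8, moves setup_offset backwards and returns a pointer, which is exactly the state in which the write at [1] lands in front of the allocation.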
AddressSanitizer:DEADLYSIGNAL
=================================================================
==302322==ERROR: AddressSanitizer: SEGV on unknown address 0x7f70bd3697ff (pc 0x0000004e41f4 bp 0x7ffc029b3070 sp 0x7ffc029b0be0 T0)
==302322==The signal is caused by a WRITE memory access.
#0 0x4e41f4 in start_decoder(stb_vorbis*) tests/../stb_vorbis.c:3658:19
#1 0x4f9444 in stb_vorbis_open_memory tests/../stb_vorbis.c:5112:8
#2 0x4fd8e9 in main tests/stb_vorbis_fuzzer.c:24:23
The same vulnerability exists in setup_temp_malloc at [5]. Similarly, if len is INT_MAX, the integer overflow in len+1 happens in f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1)); [1] and in f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1)); [6]. This case, however, allows writing multiple times past the end of the internal f->alloc.alloc_buffer buffer.

Impact
This issue may lead to code execution.
Resources
To reproduce the issue: