Closed JarLob closed 1 week ago
This #1557 and next #1558 must be combined into the following, and #1558 must be discarded.
diff --git a/stb_vorbis.c b/stb_vorbis.c
index 3e5c250..3dbfb55 100644
--- a/stb_vorbis.c
+++ b/stb_vorbis.c
@@ -3662,7 +3662,11 @@ static int start_decoder(vorb *f)
if (f->comment_list_length > 0)
{
f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
- if (f->comment_list == NULL) return error(f, VORBIS_outofmem);
+ if (f->comment_list == NULL) {
+ f->comment_list_length = 0;
+ return error(f, VORBIS_outofmem);
+ }
+ memset(f->comment_list, 0, sizeof(char*) * f->comment_list_length);
}
for(i=0; i < f->comment_list_length; ++i) {
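Review bot: the memset on the added lines is what keeps vorbis_deinit from passing indeterminate pointers to setup_free when a later per-entry allocation fails partway through the `for` loop that follows, and zeroing comment_list_length on the NULL return keeps that same loop from walking an array that was never allocated; a one-line comment stating both reasons would help, since the two additions look redundant with the original single-line early return and a future reader may be tempted to fold them back. Also consider validating comment_list_length before the setup_malloc call: the ASAN message quoted in the description ("requested allocation size ... exceeds maximum supported size") shows the allocation size here is driven directly by the file, so rejecting implausible counts up front would not rely on the allocator returning NULL.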
A crafted file may trigger a memory allocation failure in start_decoder at [1]. In that case the function returns early [2], but some of the pointers in f->comment_list are left uninitialized [3]. Later setup_free is called on these pointers in vorbis_deinit [4].
Impact
This issue may lead to code execution.
Resources
To reproduce the issue:
(if AddressSanitizer stops with `AddressSanitizer: requested allocation size ... exceeds maximum supported size`, run `ASAN_OPTIONS=allocator_may_return_null=1 <program name>` to hit the error).
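The failure mode described above, as an added example that is not stb_vorbis code: a stand-in for the comment-list setup and teardown with a fault-injecting allocator, showing how zeroing the array and the length on failure makes teardown free exactly the blocks that were allocated. The names `vorb_demo`, `demo_malloc`, `setup_comments`, `deinit` and `run_scenario` are assumed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in (not stb_vorbis's own struct) for the two fields involved. */
typedef struct {
    char **comment_list;
    int comment_list_length;
} vorb_demo;

/* Fault-injecting allocator so the early-return path can be exercised on demand. */
static int g_fail_at = -1;  /* index of the malloc call that returns NULL; -1 = never */
static int g_calls = 0;
static int g_live = 0;      /* blocks allocated and not yet freed */

static void *demo_malloc(size_t n) {
    if (g_calls++ == g_fail_at) return NULL;
    g_live++;
    return malloc(n);
}
static void demo_free(void *p) { if (p) { g_live--; free(p); } }

/* Hardened setup mirroring the patch: the length is zeroed if the array itself
   cannot be allocated, and the array is zeroed before any slot is filled. */
static int setup_comments(vorb_demo *f, int count) {
    f->comment_list = NULL;
    f->comment_list_length = count;
    if (count > 0) {
        f->comment_list = (char **) demo_malloc(sizeof(char *) * count);
        if (f->comment_list == NULL) { f->comment_list_length = 0; return -1; }
        memset(f->comment_list, 0, sizeof(char *) * count);   /* every slot is NULL */
    }
    for (int i = 0; i < count; ++i) {
        f->comment_list[i] = (char *) demo_malloc(16);
        if (f->comment_list[i] == NULL) return -1;   /* remaining slots stay NULL */
        snprintf(f->comment_list[i], 16, "comment%d", i);
    }
    return 0;
}

/* Teardown in the style of vorbis_deinit: frees every slot, then the array. */
static void deinit(vorb_demo *f) {
    for (int i = 0; i < f->comment_list_length; ++i) demo_free(f->comment_list[i]);
    demo_free(f->comment_list);
}

/* Runs setup with the allocator failing at call 'fail_at', then tears down.
   Returns the number of live blocks afterwards: 0 means each was freed exactly once. */
int run_scenario(int count, int fail_at) {
    vorb_demo f;
    g_fail_at = fail_at; g_calls = 0; g_live = 0;
    setup_comments(&f, count);
    deinit(&f);
    return g_live;
}
```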