A crafted file may trigger memory allocation failure in start_decoder at [1]. In that case the function returns early [2], the f->comment_list is set to NULL, but f->comment_list_length is not reset.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==264664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004dbe50 bp 0x7ffddf2f2e30 sp 0x7ffddf2f2b40 T0)
==264664==The signal is caused by a READ memory access.
#0 0x4dbe50 in vorbis_deinit(stb_vorbis*) tests/../stb_vorbis.c:4214:21
#1 0x4f9638 in stb_vorbis_open_memory tests/../stb_vorbis.c:5122:4
#2 0x4fbfb1 in stb_vorbis_decode_memory tests/../stb_vorbis.c:5390:20
Later, vorbis_deinit dereferences the NULL f->comment_list pointer at [3] while iterating over the stale f->comment_list_length.
Impact
This issue may lead to denial of service.
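The inconsistent state described above, as an added C example that is not stb_vorbis code: `vorb_state`, `buggy_alloc_comments`, `fixed_alloc_comments`, `comments_consistent` and `deinit_comments` are constructed stand-ins for the two fields and the two code paths involved. The error path that clears the pointer but not the length sits beside a hardened variant that resets both and a cleanup loop that checks the invariant before iterating.

```c
#include <stdlib.h>

/* Constructed stand-in for the two stb_vorbis fields involved; not the real struct. */
typedef struct {
    char **comment_list;
    int comment_list_length;
} vorb_state;

/* Error path as the advisory describes it: the pointer is cleared but the
   length parsed from the file survives, so the struct is left inconsistent. */
static int buggy_alloc_comments(vorb_state *f, int count, int fail_alloc) {
    f->comment_list_length = count;
    f->comment_list = fail_alloc ? NULL : (char **)calloc((size_t)count, sizeof(char *));
    return f->comment_list != NULL;
}

/* Hardened error path: when the allocation fails, reset the length too, so
   cleanup sees an empty list rather than a NULL list with a nonzero length. */
static int fixed_alloc_comments(vorb_state *f, int count, int fail_alloc) {
    f->comment_list = fail_alloc ? NULL : (char **)calloc((size_t)count, sizeof(char *));
    f->comment_list_length = f->comment_list ? count : 0;
    return f->comment_list != NULL;
}

/* Invariant the cleanup relies on: a NULL list must have length zero. */
static int comments_consistent(const vorb_state *f) {
    return f->comment_list != NULL || f->comment_list_length == 0;
}

/* Cleanup in the shape of a deinit loop, with the guard the crashing path lacks:
   an unguarded `for (i = 0; i < length; ++i) free(list[i]);` dereferences NULL
   when handed the buggy state above. Returns the number of entries released. */
static int deinit_comments(vorb_state *f) {
    int i, released = 0;
    if (f->comment_list != NULL) {
        for (i = 0; i < f->comment_list_length; ++i) {
            free(f->comment_list[i]);
            ++released;
        }
        free(f->comment_list);
    }
    f->comment_list = NULL;
    f->comment_list_length = 0;
    return released;
}
```

Feeding the buggy state to a cleanup loop without the pointer guard reproduces the advisory's crash shape; `comments_consistent` is the check a deinit path can assert on before touching the list.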
Resources
To reproduce the issue: