A crafted file may trigger a memory write past the end of an allocated heap buffer in start_decoder at [1]. The root cause is a potential integer overflow in sizeof(char*) * (f->comment_list_length) at [2], which may make setup_malloc allocate less memory than required. Since there is another integer overflow at [1], an attacker may trigger it too to force setup_malloc to return NULL (0) and make the exploit more reliable.
==359215==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x0000004e45b7 bp 0x7ffcdb4f8df0 sp 0x7ffcdb4f8de8
WRITE of size 8 at 0x602000000018 thread T0
#0 0x4e45b6 in start_decoder(stb_vorbis*) tests/../stb_vorbis.c:3670:26
#1 0x4f9444 in stb_vorbis_open_memory tests/../stb_vorbis.c:5112:8
#2 0x4fbfb1 in stb_vorbis_decode_memory tests/../stb_vorbis.c:5390:20
Similar potential vulnerabilities exist at other setup_malloc call sites, such as:
f->codebooks = (Codebook *) setup_malloc(f, sizeof(*f->codebooks) * f->codebook_count);
c->codewords = (uint32 *) setup_malloc(f, sizeof(c->codewords[0]) * c->entries);
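As an added illustration of the size computation described above (this is not stb_vorbis's own code and does not reproduce the crash), the following C models an allocator that, like setup_malloc, takes its size as an int and rounds it up to a multiple of 8. It shows how a file-controlled element count narrows to an undersized request, how a length plus one for the terminator can wrap to a zero request that the allocator answers with NULL, and places a bounds-checked version of the comment-list setup beside the unchecked arithmetic. The allocator model, the function names and the inline sample values are assumptions made for this example; the code at [1] and [2] is not reproduced here.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not stb_vorbis's own code. Assumption: an allocator that,
 * like setup_malloc, takes its size as an int, rounds up to a multiple of 8 and
 * returns NULL for a zero (or wrapped-negative) request. */
static void *model_setup_malloc(int sz)
{
    if (sz <= 0)
        return NULL;
    sz = (sz + 7) & ~7;
    return malloc((size_t)sz);
}

/* Vulnerable computation: the product is formed in size_t and then narrowed to
 * the allocator's int parameter, so a large count yields a tiny or negative size. */
int unchecked_table_bytes(uint32_t count)
{
    return (int)(sizeof(char *) * count);
}

/* 1 if the unchecked size does not cover `count` pointers, i.e. the table is
 * undersized and a loop writing count entries will run past it. */
int table_is_undersized(uint32_t count)
{
    int sz = unchecked_table_bytes(count);
    if (sz < 0)
        return 1;
    return (uint64_t)sz < (uint64_t)count * sizeof(char *);
}

/* Hardened: bound the count before multiplying so the request cannot wrap. */
int checked_table_bytes(uint32_t count, int *out)
{
    if (count > (uint32_t)(INT_MAX / sizeof(char *)))
        return 0;
    *out = (int)(count * sizeof(char *));
    return 1;
}

/* Hardened: len + 1 for the terminator must neither wrap to 0 (which the
 * allocator model answers with NULL) nor exceed the int size parameter. */
int checked_string_bytes(uint32_t len, int *out)
{
    if (len >= (uint32_t)INT_MAX)
        return 0;
    *out = (int)(len + 1);
    return 1;
}

/* Hardened comment-list setup: every size is validated before allocation and
 * any failure unwinds cleanly instead of writing past a buffer. lens[] stands
 * in for the per-comment lengths read from the file (constructed input). */
char **build_comment_list(uint32_t count, const uint32_t *lens)
{
    int table_sz, str_sz;
    uint32_t i;
    char **list;

    if (!checked_table_bytes(count, &table_sz))
        return NULL;
    list = (char **)model_setup_malloc(table_sz);
    if (list == NULL)
        return NULL;
    for (i = 0; i < count; ++i) {
        if (!checked_string_bytes(lens[i], &str_sz))
            goto fail;
        list[i] = (char *)model_setup_malloc(str_sz);
        if (list[i] == NULL)
            goto fail;
        memset(list[i], 'A', lens[i]);   /* stand-in for copying the comment bytes */
        list[i][lens[i]] = '\0';
    }
    return list;
fail:
    while (i-- > 0)
        free(list[i]);
    free(list);
    return NULL;
}
```

A count such as 0x40000001 passes the unchecked path as a request of only a few bytes, while the checked path rejects it before anything is allocated; a length of 0xFFFFFFFF becomes a zero-byte request in the unchecked arithmetic, which the allocator model answers with NULL.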
Impact
This issue may lead to code execution.
Resources
To reproduce the issue: