Closed Aurorainfinity closed 2 years ago
Looks like this may also affect CELT as it has a very similarly named read_samples
function that I suspect may be derived from this one in speex.
It was assigned as CVE-2020-23904
I have found a stack buffer overflow vulnerability in speexenc. This may cause an RCE by opening a crafted WAV file.
sample2.zip
The vulnerable function: speexenc.c:122
} else { nb_read = fread(in,1,to_read,fin);
How exactly are you running the command-line? This sample gets rejected for me with:
cat sample2.wav | ./src/speexenc - out.spx
Only mono and (intensity) stereo supported
Any news on this issue? It was assigned a CVE number 2 months ago and it seems nobody has been able to reproduce it. Would it make sense to dispute it?
I'm going to close this since, as mentioned in https://github.com/xiph/speex/issues/14#issuecomment-966295906, I cannot reproduce it.
It's worth noting that speexenc is a demo program and read_samples is not part of libspeex itself.
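A bounded form of the `fread(in,1,to_read,fin)` pattern the report points at, as an added example that is not speex code and not from any participant in this thread. The buffer size, the function names, and the assumption that `to_read` is computed from header fields (sample width, channel count, frame size) are hypothetical; the thread does not show how it is computed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define IN_BUF_BYTES 4000 /* assumed stack buffer size, not from the thread */

/* Bytes needed for one frame, or 0 if the header values are unusable or the
 * product would overflow size_t. */
static size_t frame_bytes(unsigned bits, unsigned channels, unsigned frame_size)
{
    if ((bits != 8 && bits != 16) || channels == 0 || frame_size == 0)
        return 0;
    size_t width = bits / 8;
    if (channels > SIZE_MAX / width)
        return 0;
    size_t per_sample = width * channels;
    if (frame_size > SIZE_MAX / per_sample)
        return 0;
    return per_sample * frame_size;
}

/* Read one frame into buf. Returns bytes read, or -1 if the size derived from
 * the header does not fit in buf (nothing is read in that case). */
static long read_frame_checked(FILE *fin, unsigned char *buf, size_t buf_len,
                               unsigned bits, unsigned channels, unsigned frame_size)
{
    size_t to_read = frame_bytes(bits, channels, frame_size);
    if (to_read == 0 || to_read > buf_len)
        return -1;
    return (long)fread(buf, 1, to_read, fin);
}

/* Constructed demo: put n_avail bytes in a temp file and read one frame. */
static long demo(unsigned bits, unsigned channels, unsigned frame_size, size_t n_avail)
{
    unsigned char in[IN_BUF_BYTES];
    FILE *f = tmpfile();
    if (!f) return -2;
    for (size_t i = 0; i < n_avail; i++)
        fputc((int)(i & 0xff), f);
    rewind(f);
    long r = read_frame_checked(f, in, sizeof in, bits, channels, frame_size);
    fclose(f);
    return r;
}

int main(void)
{
    printf("mono 16-bit, 160 samples: %ld\n", demo(16, 1, 160, 1000));
    printf("64 channels claimed:      %ld\n", demo(16, 64, 160, 100000));
    return 0;
}
```

The size check sits next to the read itself, so the buffer stays safe even if an earlier format check (such as the channel-count rejection quoted above) is bypassed or changed.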