xiph / speex

Speex voice codec mirror - THIS IS A MIRROR, DEVELOPMENT HAPPENS AT https://gitlab.xiph.org/xiph/speex
https://www.speex.org/

speexenc stack buffer overflow #14

Closed Aurorainfinity closed 2 years ago

Aurorainfinity commented 4 years ago

I have found a stack buffer overflow vulnerability in speexenc; this may cause an RCE by opening a crafted WAV file (sample2.zip). The vulnerable function, speexenc.c:122:

```c
} else {
    nb_read = fread(in,1,to_read,fin);
```
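
The pattern the report points at, an fread() whose length is derived from WAV header fields into a fixed-size stack buffer, modelled in C beside a bounded version that rejects the length before reading. This is an added illustration, not speexenc's read_samples or any speex code: FRAME_SIZE, IN_BUF_BYTES, the minimal header parser and the constructed sample headers are assumptions of the model, and it does not reproduce the crash reported above.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed model constants, not speex's real values. */
#define FRAME_SIZE   160    /* samples per frame handed to the encoder */
#define IN_BUF_BYTES 2000   /* size of the fixed stack buffer the read fills */

struct wav_params { unsigned channels; unsigned bits; };

static unsigned le16(const unsigned char *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Pull channel count and bits-per-sample out of a canonical 44-byte WAV header.
 * Returns 0 on success, -1 if the bytes are not a RIFF/WAVE/fmt header. */
int parse_wav_header(const unsigned char *buf, size_t len, struct wav_params *out)
{
    if (len < 44 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVEfmt ", 8) != 0)
        return -1;
    out->channels = le16(buf + 22);
    out->bits     = le16(buf + 34);
    return 0;
}

/* Bytes one frame occupies: the quantity the fread() length is derived from. */
size_t frame_bytes(const struct wav_params *p)
{
    return (size_t)(p->bits / 8) * p->channels * FRAME_SIZE;
}

/* Vulnerable pattern: fread(in, 1, to_read, fin) with to_read computed from the
 * header and `in` a fixed stack array. Returns how many bytes such a read would
 * write past the end of `in` (0 = in bounds). The overflowing read itself is
 * deliberately never performed here. */
size_t overflow_bytes(unsigned channels, unsigned bits)
{
    struct wav_params p = { channels, bits };
    size_t n = frame_bytes(&p);
    return n > IN_BUF_BYTES ? n - IN_BUF_BYTES : 0;
}

/* Hardened read: validate the header-derived length against the buffer before
 * calling fread. Returns bytes read (short at EOF) or -1 if the header is rejected. */
int read_samples_checked(FILE *fin, const struct wav_params *p, unsigned char *out, size_t out_len)
{
    unsigned char in[IN_BUF_BYTES];
    size_t to_read, nb_read;

    if (p->channels < 1 || p->channels > 2)        return -1; /* mono/stereo only */
    if (p->bits != 8 && p->bits != 16)             return -1;
    to_read = frame_bytes(p);
    if (to_read > sizeof in || to_read > out_len)  return -1; /* the bound the unchecked read lacks */

    nb_read = fread(in, 1, to_read, fin);
    memcpy(out, in, nb_read);
    return (int)nb_read;
}

/* Constructed WAV header with the given channel count and sample width. */
static void make_header(unsigned char h[44], unsigned channels, unsigned bits)
{
    memset(h, 0, 44);
    memcpy(h, "RIFF", 4); memcpy(h + 8, "WAVEfmt ", 8); memcpy(h + 36, "data", 4);
    h[16] = 16;                                        /* fmt chunk size */
    h[20] = 1;                                         /* PCM */
    h[22] = channels & 0xff; h[23] = (channels >> 8) & 0xff;
    h[34] = bits & 0xff;     h[35] = (bits >> 8) & 0xff;
}

/* Write a constructed file (header + `payload` zero bytes) to a temp file and run
 * the hardened reader on it. Returns its result, or -2 on setup failure. */
int run_checked(unsigned channels, unsigned bits, size_t payload)
{
    unsigned char hdr[44], out[IN_BUF_BYTES];
    struct wav_params p;
    FILE *f = tmpfile();
    int r;

    if (!f) return -2;
    make_header(hdr, channels, bits);
    fwrite(hdr, 1, 44, f);
    for (size_t i = 0; i < payload; i++) fputc(0, f);
    rewind(f);
    if (fread(hdr, 1, 44, f) != 44 || parse_wav_header(hdr, 44, &p) != 0) { fclose(f); return -2; }
    r = read_samples_checked(f, &p, out, sizeof out);
    fclose(f);
    return r;
}

int main(void)
{
    printf("mono 16-bit:     would overflow by %zu bytes, checked read = %d\n",
           overflow_bytes(1, 16), run_checked(1, 16, 320));
    printf("65535-ch 16-bit: would overflow by %zu bytes, checked read = %d\n",
           overflow_bytes(65535, 16), run_checked(65535, 16, 320));
    return 0;
}
```

The point of the model is where the check sits: the only value an attacker controls is the header, so the length it implies must be compared against the destination buffer before the fread, not inferred from what fread returns afterwards.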

alexmurray commented 2 years ago

Looks like this may also affect CELT as it has a very similarly named read_samples function that I suspect may be derived from this one in speex.

kirotawa commented 2 years ago

It was assigned as CVE-2020-23904

tmatth commented 2 years ago

> I have found a stack buffer overflow vulnerability in speexenc; this may cause an RCE by opening a crafted WAV file (sample2.zip). The vulnerable function, speexenc.c:122: `} else { nb_read = fread(in,1,to_read,fin);`

How exactly are you running the command-line? This sample gets rejected for me with:

```
cat sample2.wav | ./src/speexenc - out.spx
Only mono and (intensity) stereo supported
```

00xc commented 2 years ago

Any news on this issue? It was assigned a CVE number 2 months ago and it seems nobody has been able to reproduce it. Would it make sense to dispute it?

tmatth commented 2 years ago

I'm going to close this since as mentioned in https://github.com/xiph/speex/issues/14#issuecomment-966295906 I cannot reproduce it. It's worth noting that speexenc is a demo program and read_samples is not part of libspeex itself.