oggenc in vorbis-tools versions 1.4.0, 1.2.0 and 1.1.1 suffers from a DoS (infinite loop) when fed a crafted input file
- the phenomenon
./oggenc/oggenc exploit_1_0
output: Skipping chunk of type "", length -8
The message repeats and oggenc never terminates.
- the analysis (version 1.4.0 as an example)
audio.c:126 if(fread(buf,1,8,in) < 8 ) /* Suck down a chunk specifier */
(gdb)x/8xb buf
0xbffff254: 0x00 0x00 0x00 0x00 0xf8 0xff 0xff 0xff
here! the chunk type is four NUL bytes and the chunk length field is 0xfffffff8, i.e. -8 as a signed 32-bit value
audio.c:134 *len = READ_U32_LE(buf+4);
(gdb)p/x *len
$7 = 0xfffffff8
audio.c:135 if(!seek_forward(in, *len))
audio.c:101 if( fseek(in, length, SEEK_CUR))
(gdb)p/x length
$15 = 0xfffffff8
In conclusion: fread() advances the file position by 8 bytes, then fseek() is handed the unsigned length 0xfffffff8 through its long parameter, which on this 32-bit build becomes -8, so the seek moves the position back by exactly 8 bytes and undoes the read. Worse, this happens inside the while(1) loop at audio.c:124, which never reads anything new and so never reaches EOF: the result is an infinite loop. (On a build where long is 64 bits the same value is a large positive offset, the seek runs past the end of the file and the next fread() fails; the hang depends on the truncation to 32-bit long.) The chunk length must be validated before it is passed to seek_forward(): a value that cannot be a forward seek, or a seek that does not actually advance the position, should abort the header parse instead of being retried.
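To make the mechanism concrete, the following is an added example (written for this page, not code from vorbis-tools) that models the chunk-skipping loop on a constructed RIFF/WAVE file carrying the same 0xfffffff8 length, and shows a hardened variant of the same loop beside it. The file bytes, the helper names (make_wav, find_chunk, probe) and the iteration cap are all assumptions of the example; the 32-bit `long` behaviour that turns 0xfffffff8 into -8 is made explicit with a cast so the example behaves the same on 64-bit hosts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read, equivalent to oggenc's READ_U32_LE macro. */
static uint32_t read_u32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a minimal RIFF/WAVE file to a temp file and return it rewound.
 * crafted=1: one chunk with an all-NUL type and length 0xfffffff8 (constructed
 *            here to mimic the reporter's exploit_1_0; it is not that file).
 * crafted=0: a benign unknown "LIST" chunk of 4 bytes followed by "fmt ". */
FILE *make_wav(int crafted)
{
    static const unsigned char crafted_bytes[] = {
        'R','I','F','F', 0x0c,0x00,0x00,0x00, 'W','A','V','E',
        0x00,0x00,0x00,0x00, 0xf8,0xff,0xff,0xff
    };
    static const unsigned char benign_bytes[] = {
        'R','I','F','F', 0x18,0x00,0x00,0x00, 'W','A','V','E',
        'L','I','S','T', 0x04,0x00,0x00,0x00, 'A','B','C','D',
        'f','m','t',' ', 0x10,0x00,0x00,0x00
    };
    const unsigned char *src = crafted ? crafted_bytes : benign_bytes;
    size_t n = crafted ? sizeof crafted_bytes : sizeof benign_bytes;
    FILE *f = tmpfile();
    if (!f) return NULL;
    if (fwrite(src, 1, n, f) != n) { fclose(f); return NULL; }
    rewind(f);
    return f;
}

/* Chunk scanner modelled on oggenc's loop (audio.c:124-135 in 1.4.0), not the
 * vorbis-tools source itself. Returns 1 when `type` is found, 0 on EOF or seek
 * failure, and -1 if max_iters passes without either, i.e. the loop is stuck.
 * hardened=0 reproduces the bug; hardened=1 refuses lengths that cannot be a
 * forward seek and verifies that the position actually advanced. */
int find_chunk(FILE *in, const char *type, uint32_t *len, int hardened, int max_iters)
{
    unsigned char buf[8];
    for (int i = 0; i < max_iters; i++) {
        if (fread(buf, 1, 8, in) < 8)   /* chunk specifier: 4-byte type + u32 length */
            return 0;
        *len = read_u32_le(buf + 4);
        if (memcmp(buf, type, 4) == 0)
            return 1;
        if (hardened) {
            long before = ftell(in);
            /* A length >= 2^31 turns negative through fseek's `long` on a
             * 32-bit build; no real chunk is that large, so reject it outright. */
            if (*len > (uint32_t)INT32_MAX)
                return 0;
            if (fseek(in, (long)*len, SEEK_CUR) != 0 || ftell(in) <= before)
                return 0;
        } else {
            /* oggenc hands the unsigned int straight to fseek(FILE*, long, int).
             * On the reporter's 32-bit build `long` is 32 bits, so 0xfffffff8
             * becomes -8; the cast forces the same conversion on 64-bit hosts. */
            if (fseek(in, (long)(int32_t)*len, SEEK_CUR) != 0)
                return 0;
            /* oggenc prints "Skipping chunk of type ..., length ..." at this point */
        }
    }
    return -1;
}

/* Build the file, skip the 12-byte RIFF/WAVE header, scan for "fmt ". */
int probe(int crafted, int hardened)
{
    uint32_t len = 0;
    FILE *f = make_wav(crafted);
    if (!f || fseek(f, 12, SEEK_SET) != 0) return -2;
    int r = find_chunk(f, "fmt ", &len, hardened, 1000);
    fclose(f);
    return r;
}

int main(void)
{
    printf("crafted, vulnerable: %d (-1 = loop never terminates)\n", probe(1, 0));
    printf("crafted, hardened:   %d (0 = header rejected)\n", probe(1, 1));
    printf("benign,  hardened:   %d (1 = fmt chunk found)\n", probe(0, 1));
    return 0;
}
```

The vulnerable path is capped at 1000 iterations only so the example returns; without the cap it is the same read-8/seek-back-8 cycle the gdb session shows. The hardened path rejects the 0xfffffff8 length before any seek and additionally checks with ftell() that a successful seek moved forward, which also covers the case where fseek() is given a negative offset by some other route.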