Opened Nov 06, 2014 by Martin Steghöfer (@martin.steghoefer)

Invalid memory access with samplingrate==0

I am forwarding this issue from the Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716613

The Mayhem software detected a crash when passing a specially crafted FLAC file to oggenc. I've examined the problem further and found out that the problem is that the flac reader provides an input stream with a sampling rate of 0. This is something that neither oggenc itself nor libvorbisenc can cope with. The oggenc executable crashes with SIGFPE (division by the sampling rate in the statistics => division by 0) and libvorbisenc accesses invalid memory during the initialization.

While the oggenc crash doesn't affect the usability much (there is nothing valid to encode anyway in a file with sampling rate 0), libvorbisenc's access to invalid memory has the potential to either crash the whole downstream application with SIGSEGV or even be a security issue (although my preliminary examination didn't show any sign of exploitability).

The latest versions of vorbis-tools and libvorbis (and probably many earlier versions) are affected (I'm reporting this here because these version numbers don't appear in the TRAC version dropdown):

  • libvorbis: 1.3.4
  • vorbis-tools: 1.4.0

Please find attached the patches that we used in Debian. They add sanity checks to both the oggenc executable and the initialization routines of libvorbis.
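An added illustration of the kind of sanity check the report above describes; it is not the Debian patch and not code from libvorbis or vorbis-tools. The `pcm_format` type, the function names and the upper bounds are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stream description; not a libvorbis or vorbis-tools type. */
typedef struct {
    long rate;     /* samples per second, read from the input file header */
    int  channels;
} pcm_format;

enum { FMT_OK = 0, FMT_BAD_RATE = -1, FMT_BAD_CHANNELS = -2 };

/* Upper bounds are assumptions chosen for this example. */
#define MAX_RATE     768000L
#define MAX_CHANNELS 255

/* Before: integer division by an unvalidated rate. rate == 0 raises SIGFPE. */
long elapsed_seconds_unchecked(long samples, long rate) { return samples / rate; }

/* Gate that both the front end and the library entry point would call
 * before any value is derived from the header fields. */
int pcm_format_check(const pcm_format *f)
{
    if (f == NULL || f->rate <= 0 || f->rate > MAX_RATE)
        return FMT_BAD_RATE;
    if (f->channels <= 0 || f->channels > MAX_CHANNELS)
        return FMT_BAD_CHANNELS;
    return FMT_OK;
}

/* After: refuse the stream instead of dividing; *out is written only on success. */
int elapsed_seconds(const pcm_format *f, long samples, long *out)
{
    int rc = pcm_format_check(f);
    if (rc != FMT_OK)
        return rc;
    *out = samples / f->rate;
    return FMT_OK;
}

int main(void)
{
    pcm_format crafted = { 0, 2 };      /* constructed: header claims 0 Hz */
    pcm_format normal  = { 44100, 2 };  /* constructed: ordinary stereo stream */
    long secs = 0;
    printf("crafted: %d\n", elapsed_seconds(&crafted, 441000, &secs));
    if (elapsed_seconds(&normal, 441000, &secs) == FMT_OK)
        printf("normal: %ld s\n", secs);
    return 0;
}
```

Rejecting the header at the boundary keeps a zero rate from reaching either the statistics arithmetic or any initialization code that sizes or indexes tables from it.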

Reference: xiph/vorbis#2078