I'm forwarding the bug 774516 (https://bugs.debian.org/774516) from the Debian bug tracker, so I can discuss with you the fix I'd propose.

---

Original report from Jakub Wilk jwilk@debian.org:

Package: vorbis-tools Version: 1.4.0-6 Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference null pointer:

$ oggdec crash.ogg oggdec from vorbis-tools 1.4.0 Segmentation fault

$ ogg123 crash.ogg

Audio Device: Advanced Linux Sound Architecture (ALSA) output

Segmentation fault

Backtrace:

#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168 #1 0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440 #2 (closed) 0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625 #3 0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941 #4 ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997 #5 0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265 #6 (closed) 0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455

This bug was found using American fuzzy lop: https://packages.debian.org/experimental/afl

-- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on: ii libao4 1.1.0-3 ii libc6 2.19-13 ii libcurl3-gnutls 7.38.0-3 ii libflac8 1.3.0-3 ii libogg0 1.3.2-1 ii libspeex1 1.2~rc1.2-1 ii libvorbis0a 1.3.4-2 ii libvorbisenc2 1.3.4-2 ii libvorbisfile3 1.3.4-2

-- Jakub Wilk