Skip to content

CVE-2017-11735 - The vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ogg file.

Discovered by qflb.wu See 2nd issue in http://seclists.org/fulldisclosure/2017/Jul/82

Copy paste from there:

2.
the vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(NULL pointer 
dereference and application crash) via a crafted ogg file.


I found this bug when I test mp3splt 2.6.2 which used the libvorbis library.


./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg


----debug info:----
0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
(gdb) disassemble 
Dump of assembler code for function vorbis_block_clear:
   0x00007ffff61752a0 <+0>:push   %r14
   0x00007ffff61752a2 <+2>:mov    %rdi,%r14
   0x00007ffff61752a5 <+5>:push   %r13
   0x00007ffff61752a7 <+7>:push   %r12
   0x00007ffff61752a9 <+9>:push   %rbp
   0x00007ffff61752aa <+10>:push   %rbx
   0x00007ffff61752ab <+11>:mov    0xb8(%rdi),%r13
   0x00007ffff61752b2 <+18>:callq  0x7ffff616b240 <_vorbis_block_ripcord@plt>
   0x00007ffff61752b7 <+23>:mov    0x70(%r14),%rdi
   0x00007ffff61752bb <+27>:test   %rdi,%rdi
   0x00007ffff61752be <+30>:je     0x7ffff61752c5 <vorbis_block_clear+37>
=> 0x00007ffff61752c0 <+32>:callq  0x7ffff616b130 <free@plt>
   0x00007ffff61752c5 <+37>:test   %r13,%r13
   0x00007ffff61752c8 <+40>:je     0x7ffff617530c <vorbis_block_clear+108>
   0x00007ffff61752ca <+42>:mov    $0x1,%r12d
   0x00007ffff61752d0 <+48>:xor    %ebx,%ebx
   0x00007ffff61752d2 <+50>:jmp    0x7ffff61752df <vorbis_block_clear+63>
   0x00007ffff61752d4 <+52>:nopl   0x0(%rax)
   0x00007ffff61752d8 <+56>:add    $0x1,%ebx
   0x00007ffff61752db <+59>:add    $0x1,%r12d
   0x00007ffff61752df <+63>:movslq %ebx,%rax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x22
rbx            0x61fca06421664
rcx            0x00
rdx            0x7ffff7ba6778140737349576568
rsi            0x00
rdi            0x80128
rbp            0x7fffffffd4700x7fffffffd470
rsp            0x7fffffffd4000x7fffffffd400
r8             0x746e656d75636f008389754676633104128
r9             0x6143506374224
r10            0x7fffffffd1f0140737488343536
r11            0x7ffff61752a0140737322111648
r12            0x6128506367312
r13            0x00
r14            0x6205606423904
r15            0x7ffff7bcf146140737349742918
rip            0x7ffff61752c00x7ffff61752c0 <vorbis_block_clear+32>
eflags         0x202[ IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x80) at malloc.c:2929
2929malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x80) at malloc.c:2929
#1  0x00007ffff61752c5 in vorbis_block_clear ()
   from /usr/local/lib/libvorbis.so.0
#2  0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162
#3  0x00007ffff65ace0b in splt_ogg_info (in=<optimized out>, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545
#4  0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, 
    file_input=<optimized out>, error=error@entry=0x7fffffffdbf0) at ogg.c:108
#5  0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0)
    at ogg.c:1482
#6  0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append (
    error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545
#7  splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, 
    set_original_tags=1) at tags_parser.c:514
#8  0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, 
    state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", 
    tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363
#9  splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, 
    tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293
#10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, 
    tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", 
    error=error@entry=0x7fffffffdbf0) at tags_parser.c:192
---Type <return> to continue, or q <return> to quit---
#11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0)
    at mp3splt.c:1232
#12 0x0000000000403320 in main (argc=<optimized out>, 
    orig_argv=<optimized out>) at mp3splt.c:872
(gdb) 
--------------------
 int vorbis_block_clear(vorbis_block *vb){
 int i;
 vorbis_block_internal *vbi=vb->internal;


 _vorbis_block_ripcord(vb);
 if(vb->localstore)_ogg_free(vb->localstore);  <========


 if(vbi){
   for(i=0;i<PACKETBLOBS;i++){
     oggpack_writeclear(vbi->packetblob[i]);
     if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]);
   }
   _ogg_free(vbi);
 }
 memset(vb,0,sizeof(*vb));
 return(0);
 }