divide by zero issue (#2340) · Issues · Xiph.Org / Vorbis

divide by zero issue

there is divide by zero issue when parameter word of ov_read_filter is 0 in vorbisfile.c file.

parameter word set by ov_read API, and user can set any value to word.

long ov_read_filter(OggVorbis_File *vf,char *buffer,int length,

...

if(samples>0){

/* yay! proceed to pack data into the byte buffer */

long channels=ov_info(vf,-1)->channels;
long bytespersample=word * channels;
vorbis_fpu_control fpu;

// bytespersample is 0 when parameter word is 0, then divide by zero.
if(samples>length/bytespersample)samples=length/bytespersample;

POC: modify parameter word of line 67 of vorbisfile_example.c to 0, like following:

long ret=ov_read(&vf,pcmout,sizeof(pcmout),0,0,1,&current_section);

compile vorbisfile_example and run like this :

cat xxxx.ogg | .libs/vorbisfile_example

floating point exception occured.

If you indentify this issue as a vulnerability, please provide me with following information:

1.the affected versions.

2.patch

3.please assign a CVE-ID, discoverer is Guoxiang Niu, EaglEye Team

thank you

there is divide by zero issue when parameter word of ov_read_filter is 0 in vorbisfile.c file.

parameter word set by ov_read API, and user can set any value to word.

long ov_read_filter(OggVorbis_File *vf,char *buffer,int length,

...

if(samples>0){

/* yay! proceed to pack data into the byte buffer */

long channels=ov_info(vf,-1)->channels;
    long bytespersample=word * channels;
    vorbis_fpu_control fpu;
    
	// bytespersample is 0 when parameter word is 0, then divide by zero.
	if(samples>length/bytespersample)samples=length/bytespersample; 
	
POC:
modify parameter word of line 67 of vorbisfile_example.c to 0, like following:

long ret=ov_read(&vf,pcmout,sizeof(pcmout),0,0,1,&current_section);
	
compile vorbisfile_example and run like this :

cat xxxx.ogg | .libs/vorbisfile_example