Vorbis
Xiph.Org / Vorbis / Issues / #2340

Closed
Open
Created Feb 03, 2019 by niugx@niugx

divide by zero issue

There is a divide-by-zero issue when the parameter word of ov_read_filter is 0 in the vorbisfile.c file.

The parameter word is set by the ov_read API, and the user can set any value for word.

    long ov_read_filter(OggVorbis_File *vf,char *buffer,int length,
    ...
      if(samples>0){
        /* yay! proceed to pack data into the byte buffer */
        long channels=ov_info(vf,-1)->channels;
        long bytespersample=word * channels;
        vorbis_fpu_control fpu;

        // bytespersample is 0 when parameter word is 0, then divide by zero.
        if(samples>length/bytespersample)samples=length/bytespersample;

PoC: modify the parameter word on line 67 of vorbisfile_example.c to 0, like the following:

long ret=ov_read(&vf,pcmout,sizeof(pcmout),0,0,1,&current_section);

Compile vorbisfile_example and run it like this:

cat xxxx.ogg | .libs/vorbisfile_example

A floating point exception occurred.

If you identify this issue as a vulnerability, please provide me with the following information:

1. The affected versions.

2. Patch

3. Please assign a CVE-ID; the discoverer is Guoxiang Niu, EaglEye Team

Thank you

Edited Feb 03, 2019 by niugx
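
The clamp quoted in the report, rewritten with argument validation in front of the division. This is an added example, not part of the original report and not the project's patch. The function name `clamp_samples_checked` and the error code `EX_BAD_ARG` are hypothetical, and the accepted word sizes (1 or 2) follow the libvorbisfile documentation for `ov_read`.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical error code for this example (not a libvorbis constant). */
#define EX_BAD_ARG (-1L)

/*
 * Models the clamp quoted in the report:
 *     if(samples>length/bytespersample)samples=length/bytespersample;
 * but rejects arguments that would make the divisor zero or negative.
 * Returns the number of samples that fit in `length` bytes, or EX_BAD_ARG.
 */
long clamp_samples_checked(long samples, int length, int word, long channels)
{
    /* ov_read documents word as 1 (8-bit) or 2 (16-bit); 0 is the crash case. */
    if (word != 1 && word != 2)
        return EX_BAD_ARG;
    /* channels comes from the stream header, so treat it as untrusted too. */
    if (channels <= 0 || channels > LONG_MAX / word)
        return EX_BAD_ARG;
    if (length < 0 || samples < 0)
        return EX_BAD_ARG;

    long bytespersample = word * channels;   /* now guaranteed >= 1 */
    long fit = length / bytespersample;
    return samples > fit ? fit : samples;
}

int main(void)
{
    /* Constructed inputs: 4096-byte buffer, stereo stream, 1024 decoded samples. */
    printf("word=2 -> %ld\n", clamp_samples_checked(1024, 4096, 2, 2));
    printf("word=0 -> %ld\n", clamp_samples_checked(1024, 4096, 0, 2));
    return 0;
}
```

Rejecting the argument at the API boundary turns the SIGFPE into an error return the caller can handle.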