divide by zero issue
There is a divide-by-zero issue in vorbisfile.c when the parameter word of ov_read_filter is 0.
The parameter word is set through the ov_read API, and the user can set word to any value.
    long ov_read_filter(OggVorbis_File *vf,char *buffer,int length,
    ...
      if(samples>0){
        /* yay! proceed to pack data into the byte buffer */
        long channels=ov_info(vf,-1)->channels;
        long bytespersample=word * channels;
        vorbis_fpu_control fpu;
        // bytespersample is 0 when parameter word is 0, then divide by zero.
        if(samples>length/bytespersample)samples=length/bytespersample;
POC: modify the parameter word on line 67 of vorbisfile_example.c to 0, like the following:
    long ret=ov_read(&vf,pcmout,sizeof(pcmout),0,0,1,&current_section);
Compile vorbisfile_example and run it like this:
    cat xxxx.ogg | .libs/vorbisfile_example
A floating point exception occurred.
If you identify this issue as a vulnerability, please provide me with the following information:
1. the affected versions.
2. patch
3. please assign a CVE-ID, discoverer is Guoxiang Niu, EaglEye Team
thank you
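
The clamp computation from the excerpt above with the caller-supplied sizes validated before the division, as an added example that is not part of the original report and not the project's own code. The function name clamp_samples, the error code CLAMP_EINVAL and the sample values are hypothetical, and the example assumes only word sizes 1 and 2 are valid.

```c
#include <limits.h>
#include <stdio.h>

#define CLAMP_EINVAL (-1L)  /* hypothetical error code for this example */

/* Return how many of `samples` fit in a buffer of `length` bytes,
   or CLAMP_EINVAL when the caller-supplied sizes cannot be used.
   Mirrors the bytespersample clamp in the reported excerpt. */
long clamp_samples(long samples, int length, int word, long channels)
{
    /* word is caller-controlled: reject anything but 1 or 2 (assumption),
       which also rules out 0 and negative values */
    if (word != 1 && word != 2)
        return CLAMP_EINVAL;

    /* a stream with no channels would also make bytespersample 0 */
    if (channels <= 0 || length < 0 || samples < 0)
        return CLAMP_EINVAL;

    /* keep word * channels from overflowing long */
    if (channels > LONG_MAX / word)
        return CLAMP_EINVAL;

    long bytespersample = word * channels;  /* guaranteed >= 1 here */
    long fit = length / bytespersample;     /* division is now safe */

    return samples > fit ? fit : samples;
}

int main(void)
{
    /* constructed inputs: 4096-byte buffer, stereo stream */
    printf("word=2 -> %ld\n", clamp_samples(5000, 4096, 2, 2));
    printf("word=0 -> %ld\n", clamp_samples(5000, 4096, 0, 2));
    return 0;
}
```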