    CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized · c1c2831f
    Guido Günther authored
    If the number of channels is not within the allowed range
    we call oggpack_writeclear although it's not initialized yet.
    
    This fixes
    
        ==23371== Invalid free() / delete / delete[] / realloc()
        ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
        ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
        ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
        ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
        ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
        ==23371==    by 0x10D82A: process (sox.c:1753)
        ==23371==    by 0x10D82A: main (sox.c:3012)
        ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
        ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
        ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
        ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
        ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
        ==23371==    by 0x10D82A: process (sox.c:1753)
        ==23371==    by 0x10D82A: main (sox.c:3012)
    
    as seen when using the testcase from CVE-2017-11333 with
    008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
    there before.
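
The error-path pattern the commit message describes, reduced to a self-contained C example added here (not libvorbis or libogg code, and not the commit's actual change). `packbuf`, `pb_init`, `pb_clear`, the `header_out_*` functions and the 1..256 channel range are assumptions; a magic field and a 0xAA fill stand in for uninitialized stack memory so the faulty cleanup is counted instead of executed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a bit-packing write buffer (not libogg's type). */
#define PB_MAGIC     0x50424F4BU
#define MAX_CHANNELS 256            /* assumed bound for this example */
typedef struct { unsigned magic; unsigned char *data; } packbuf;

int bad_clears;  /* cleanups attempted on a buffer that was never initialized */

static void pb_init(packbuf *b) { b->magic = PB_MAGIC; b->data = malloc(64); }

static void pb_clear(packbuf *b) {
    if (b->magic != PB_MAGIC) {  /* a real clear would free(b->data) here,  */
        bad_clears++;            /* i.e. the invalid free() Valgrind flags  */
        return;
    }
    free(b->data);
    memset(b, 0, sizeof *b);
}

/* Before: one cleanup label shared by failures before and after pb_init(). */
int header_out_before(int channels) {
    packbuf pb;
    int ret = 0;
    memset(&pb, 0xAA, sizeof pb);   /* constructed stand-in for stack garbage */
    if (channels <= 0 || channels > MAX_CHANNELS) { ret = -1; goto err; }
    pb_init(&pb);
    if (!pb.data) ret = -2;
err:
    pb_clear(&pb);                  /* also reached with pb uninitialized */
    return ret;
}

/* After: cleanup runs only once the buffer really has been initialized. */
int header_out_after(int channels) {
    packbuf pb;
    int pb_ready = 0, ret = 0;
    memset(&pb, 0xAA, sizeof pb);   /* same constructed stack garbage */
    if (channels <= 0 || channels > MAX_CHANNELS) { ret = -1; goto err; }
    pb_init(&pb);
    pb_ready = 1;
    if (!pb.data) ret = -2;
err:
    if (pb_ready) pb_clear(&pb);
    return ret;
}
```

Building a test around the out-of-range channel count with Valgrind or AddressSanitizer enabled is how a regression of this kind is caught in the real library.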