    CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized · c1c2831f
    Guido Günther authored
    If the number of channels is not within the allowed range
    we call oggpack_writeclear although it's not initialized yet.
    
    This fixes
    
        =23371== Invalid free() / delete / delete[] / realloc()
        ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
        ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
        ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
        ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
        ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
        ==23371==    by 0x10D82A: process (sox.c:1753)
        ==23371==    by 0x10D82A: main (sox.c:3012)
        ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
        ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
        ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
        ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
        ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
        ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
        ==23371==    by 0x10D82A: process (sox.c:1753)
        ==23371==    by 0x10D82A: main (sox.c:3012)
    
    as seen when using the test case from CVE-2017-11333 with
    008d23b782be09c8d75ba8190b1794abd66c7121 applied. However, the error was
    there before.
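The cleanup-path mistake this commit message describes, as an added example that is not libvorbis or libogg code: a mock packing buffer (constructed here) records a clear on a never-initialized buffer instead of freeing a garbage pointer, so the unguarded and the guarded error paths can be compared safely. The function and error-code names are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for libogg's oggpack_buffer (constructed, not the real struct):
   one heap block plus an "initialized" marker so writeclear() on a buffer
   that was never set up is detected rather than free()ing stack garbage. */
#define OPB_MAGIC 0x6f706263u
typedef struct { unsigned magic; unsigned char *buffer; long storage; } mock_opb;

static int g_invalid_free = 0;   /* count of clears on uninitialized buffers */

static void mock_writeinit(mock_opb *b) {
    b->storage = 16;
    b->buffer = calloc(1, (size_t)b->storage);
    b->magic = OPB_MAGIC;
}

static void mock_writeclear(mock_opb *b) {
    if (b->magic != OPB_MAGIC) { g_invalid_free++; return; } /* real code: free(garbage) */
    free(b->buffer);
    memset(b, 0, sizeof *b);
}

#define MOCK_OK      0
#define MOCK_EFAULT  (-129)   /* hypothetical error code, like OV_EFAULT */

/* Unguarded: the stack buffer is cleared on err_out no matter what. */
static int headerout_unguarded(int channels) {
    int ret = MOCK_OK;
    mock_opb opb;
    memset(&opb, 0xA5, sizeof opb);            /* simulate uninitialized stack */
    if (channels <= 0 || channels > 256) { ret = MOCK_EFAULT; goto err_out; }
    mock_writeinit(&opb);
    /* ... header packets would be packed into opb here ... */
err_out:
    mock_writeclear(&opb);   /* bug: opb was never initialized on the early exit */
    return ret;
}

/* Guarded: remember what was initialized and clear only that. */
static int headerout_guarded(int channels) {
    int ret = MOCK_OK, opb_init = 0;
    mock_opb opb;
    memset(&opb, 0xA5, sizeof opb);
    if (channels <= 0 || channels > 256) { ret = MOCK_EFAULT; goto err_out; }
    mock_writeinit(&opb);
    opb_init = 1;
err_out:
    if (opb_init) mock_writeclear(&opb);
    return ret;
}
```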