Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
libvorbis.6346
0002-CVE-2017-14632-vorbis_analysis_header_out-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch of Package libvorbis.6346
From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> Date: Wed, 15 Nov 2017 18:22:59 +0100 Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized If the number of channels is not within the allowed range we call oggback_writeclear altough it's not initialized yet. This fixes =23371== Invalid free() / delete / delete[] / realloc() ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x10D82A: open_output_file (sox.c:1556) ==23371== by 0x10D82A: process (sox.c:1753) ==23371== by 0x10D82A: main (sox.c:3012) ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x10D82A: open_output_file (sox.c:1556) ==23371== by 0x10D82A: process (sox.c:1753) ==23371== by 0x10D82A: main (sox.c:3012) as seen when using the testcase from CVE-2017-11333 with 008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was there before. --- lib/info.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/info.c +++ b/lib/info.c @@ -579,6 +579,7 @@ int vorbis_analysis_headerout(vorbis_dsp private_state *b=v->backend_state; if(!b||vi->channels<=0||vi->channels>256){ + b = NULL; ret=OV_EFAULT; goto err_out; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor