stb_vorbis: fix CVE-2023-45679 and CVE-2023-45680.

Based on the patches by Jaroslav Lobačevski (@JarLob) submitted to mainstream at: nothings/stb#1557 and nothings/stb#1558 GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit() GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit() (cherry picked from commit 4361f57)
libsdl-org · Dec 11, 2023 · 5827461 · 5827461
1 parent 0d57461
commit 5827461
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/codecs/stb_vorbis/stb_vorbis.h b/src/codecs/stb_vorbis/stb_vorbis.h
@@ -3750,8 +3750,13 @@ static int start_decoder(vorb *f)
    f->comment_list = NULL;
    if (f->comment_list_length > 0)
    {
-      f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
-      if (f->comment_list == NULL)                  return error(f, VORBIS_outofmem);
+      len = sizeof(char*) * f->comment_list_length;
+      f->comment_list = (char**) setup_malloc(f, len);
+      if (f->comment_list == NULL) {
+         f->comment_list_length = 0;
+         return error(f, VORBIS_outofmem);
+      }
+      memset(f->comment_list, 0, len);
    }
 
    for(i=0; i < f->comment_list_length; ++i) {