The following 4 patches are based on PR submissions at mainstream. I modified most of the patches and notified the patch author about them.

(1) Fix CVE-2023-45676 and CVE-2023-45677 (integer overflow in setup_malloc()):
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted to mainstream at: nothings/stb#1554 and nothings/stb#1555
GHSL-2023-166/CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
GHSL-2023-167/CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
Test files (for convenience): 1554.ogg.zip, 1555.ogg.zip

(2) Fix CVE-2023-45679 and CVE-2023-45680:
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted to mainstream at: nothings/stb#1557 and nothings/stb#1558
GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()
Test files (for convenience): 1557.ogg.zip, 1558.ogg.zip

(3) Fix CVE-2023-45681 (integer overflow):
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to mainstream at nothings/stb#1559
GHSL-2023-171/CVE-2023-45681: Out of bounds heap buffer write
Test files (for convenience): 1559.ogg.zip

(4) Fix CVE-2023-45682:
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to mainstream at nothings/stb#1560
GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
Test files (for convenience): 1560.ogg.zip

(5) music_ogg_stb.c: Error out early if the vorbis file has no samples
This is not a CVE fix, but 1560.ogg attached above runs in an endless loop in our playmus program, so this was my quick solution. Any other solutions are welcome, of course.

This is prepared against SDL2 branch: If this goes in, I will cherry-pick into SDL3 branch (and can also apply to Ryan's SDL_sound.)

@slouken, @icculus: Please review.
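The first item above is an integer overflow in an allocation-size computation that turns into a heap overflow in the decoder. As an added illustration of the defect class and its mitigation (constructed for this page, not stb_vorbis or SDL code), here is a hypothetical bump allocator whose size arithmetic is checked before it can wrap; `arena`, `checked_alloc_size`, `arena_alloc` and `arena_demo` are all invented names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical arena allocator (constructed for this example; not the
 * decoder's own code). Sizes are int, as in many C decoders, so every
 * step that grows a size must be checked before it can wrap. */
typedef struct {
    unsigned char *buf;   /* backing storage */
    int capacity;         /* bytes available in buf */
    int offset;           /* bytes already handed out */
} arena;

/* count * elem_size rounded up to a multiple of 8, refusing any value that
 * does not fit in an int. Returns -1 on overflow so callers fail closed. */
int checked_alloc_size(int count, int elem_size) {
    if (count < 0 || elem_size <= 0) return -1;
    /* Promote to 64-bit so the product itself cannot wrap. */
    int64_t bytes = (int64_t)count * (int64_t)elem_size;
    /* Leave headroom for the +7 of the rounding step. */
    if (bytes > (int64_t)INT_MAX - 7) return -1;
    return (int)((bytes + 7) & ~(int64_t)7);
}

/* Hand out a zeroed block, or NULL if the request is malformed or does not
 * fit. The bounds check is written as a subtraction so that offset + n is
 * never evaluated and cannot overflow. */
void *arena_alloc(arena *a, int count, int elem_size) {
    int n = checked_alloc_size(count, elem_size);
    if (n < 0 || n > a->capacity - a->offset) return NULL;
    void *p = a->buf + a->offset;
    a->offset += n;
    memset(p, 0, (size_t)n);
    return p;
}

/* Self-check: a small arena, one sane request, then the kind of
 * file-controlled counts that would wrap an unchecked computation.
 * Returns 0 when every case behaves as intended. */
int arena_demo(void) {
    static unsigned char storage[64];
    arena a = { storage, (int)sizeof storage, 0 };
    if (arena_alloc(&a, 3, 4) == NULL) return 1;           /* 12 -> 16, fits */
    if (a.offset != 16) return 2;
    if (arena_alloc(&a, INT_MAX, 4) != NULL) return 3;     /* product wraps */
    if (arena_alloc(&a, INT_MAX - 3, 1) != NULL) return 4; /* rounding wraps */
    if (arena_alloc(&a, 13, 4) != NULL) return 5;          /* 56 > 48 left */
    if (a.offset != 16) return 6;                          /* failures consume nothing */
    return 0;
}
```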