-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stb_vorbis CVE fixes #706
stb_vorbis CVE fixes #706
Conversation
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted to mainstream at: nothings/stb#1557 and nothings/stb#1558 GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit() GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to mainstream at nothings/stb#1559 GHSL-2023-171/CVE-2023-45681: Out of bounds heap buffer write
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted to mainstream at: nothings/stb#1554 and nothings/stb#1555 GHSL-2023-166/CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder() GHSL-2023-167/CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to mainstream at nothings/stb#1560 GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
... and fix make_block_array for it along the way.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #706 +/- ##
======================================
Coverage 82% 82%
======================================
Files 171 171
Lines 31229 31271 +42
======================================
+ Hits 25751 25793 +42
Misses 5478 5478
Continue to review full report in Codecov by Sentry.
|
067ce46
to
ec62bbf
Compare
13a9fca
to
8dbdf93
Compare
BTW, I forked stb and created a branch for stb_vorbis updates here: I think I applied everything that's already applied in SDL_mixer, |
// libxmp hack: decode work buffer (used in inverse_mdct and decode_residues) | ||
// hack: decode work buffer (used in inverse_mdct and decode_residues) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If these patches have been merged upstream, the "libxmp hack" comments can be removed entirely. They aren't part of my upstream patches, they're just documentation I added here to make it clear that they haven't been merged yet. I don't think obfuscating this intent further is a good idea though.
f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length)); | ||
if (f->comment_list == NULL) return error(f, VORBIS_outofmem); | ||
if (INT_MAX / sizeof(char*) < f->comment_list_length) | ||
goto no_comment; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a pointless spaghetti usage of goto
that saves one entire line of code...
@@ -4225,7 +4235,6 @@ static int start_decoder(vorb *f) | |||
int i,max_part_read=0; | |||
for (i=0; i < f->residue_count; ++i) { | |||
Residue *r = f->residue_config + i; | |||
/* libxmp hack: https://github.com/nothings/stb/pull/1487 */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, no, the divergences from upstream should remain documented.
// libxmp hack: replaced signed overflow clamps with unsigned overflow (UBSan). | ||
// Reported upstream: https://github.com/nothings/stb/issues/1168. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
^
I didn't spot any problems with the CVE patches aside from that tacky |
It looks like you got everything... edit: I see you've got all the patch URLs in your fork commits—if we switch to using that as an upstream then getting rid of all the "libxmp hack" comments might actually be fine, since the burden of merging with stb would be on your fork. |
That was the idea yes: the mainstream seems is really slow or uninterested in patches, and that's why I removed the extra comments. Feel free to push to my branch to revise |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was the idea yes: the mainstream seems is really slow or uninterested in patches, and that's why I removed the extra comments.
Feel free to push to my branch to revise
Okay, I think it's fine for now as long as they're documented somewhere.
The following 4 patches are based on PR submissions at mainstream.
I modified most of the patches and notified the patch author about
them.
(1) Fix CVE-2023-45679 and CVE-2023-45680:
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
to mainstream at: nothings/stb#1557 and nothings/stb#1558
GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()
(2) Fix CVE-2023-45681 (integer overflow):
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1559
GHSL-2023-171/CVE-2023-45681: Out of bounds heap buffer write
(3) Fix CVE-2023-45676 and CVE-2023-45677 (integer overflow in setup_malloc()):
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
to mainstream at: nothings/stb#1554 and nothings/stb#1555
GHSL-2023-166/CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
GHSL-2023-167/CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
(4) Fix CVE-2023-45682:
Based on patch by Jaroslav Lobačevski (@JarLob) submitted to
mainstream at nothings/stb#1560
GHSL-2023-172/CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
(5) apply CVE-2023-45676/CVE-2023-45677 fix to setup_temp_malloc(),
and fix make_block_array() for it along the way.
(The first two patches don't actually affect us because we disable the comments
support, but I included them here for completeness..)
@AliceLR: Please review.