An integer overflow flaw, leading to an out-of-bounds memory read, was found in the way the oggenc utility, which is used to encode audio into the Ogg Vorbis format, processed certain WAV files. An attacker could provide a specially crafted WAV file that would crash oggenc when processed.
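The following C routine is an added illustration of the bug class named above, not code from vorbis-tools (the page does not show where in oggenc the flawed check sits): it walks the RIFF chunk list of a WAV file and compares each claimed chunk length against the bytes actually remaining, so a huge 32-bit length cannot wrap the bounds check. The two sample buffers are constructed here, not taken from the report's attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    int ok;            /* 1 if every chunk header was consistent with the buffer */
    uint32_t data_len; /* length claimed by the "data" chunk, 0 if none/rejected */
} wav_scan_result;

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the chunk list that follows "RIFF<size>WAVE".  The classic mistake is
 * `if (pos + 8 + clen > len)`: with a 32-bit clen near 0xFFFFFFFF the sum
 * wraps, the check passes, and later reads run past the buffer.  Here the
 * claimed length is compared against the bytes that really remain, which
 * are computed by subtraction and therefore cannot wrap. */
wav_scan_result wav_scan(const unsigned char *buf, size_t len) {
    wav_scan_result r = {0, 0};
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4))
        return r;
    size_t pos = 12;
    while (len - pos >= 8) {                 /* room for an 8-byte chunk header */
        uint32_t clen = rd_le32(buf + pos + 4);
        size_t remaining = len - pos - 8;    /* payload bytes actually present */
        if (clen > remaining)                /* claimed size exceeds the file: reject */
            return r;
        if (memcmp(buf + pos, "data", 4) == 0)
            r.data_len = clen;
        size_t step = 8 + (size_t)clen + (clen & 1); /* odd chunks carry a pad byte */
        if (step > len - pos) step = len - pos;      /* tolerate a missing final pad */
        pos += step;
    }
    r.ok = 1;
    return r;
}

/* Constructed samples (not the attachment from the bug report): a minimal valid
 * 16-bit mono file, and the same file whose "data" chunk claims 0xFFFFFFFF bytes. */
static const unsigned char good_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,1,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0, 0,0,0,0 };
static const unsigned char huge_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,1,0, 2,0, 16,0,
    'd','a','t','a', 0xFF,0xFF,0xFF,0xFF, 0,0,0,0 };

wav_scan_result scan_good(void) { return wav_scan(good_wav, sizeof good_wav); }
wav_scan_result scan_huge(void) { return wav_scan(huge_wav, sizeof huge_wav); }
```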
Created vorbis-tools tracking bugs for this issue:
Affects: fedora-all [bug 1184452]
*** Bug 1185269 has been marked as a duplicate of this bug. ***
I am not able to reproduce the crash on x86_64 using vorbis-tools-1.4.0-18.fc21 and attachment #983303. Valgrind output is sane:
$ rpm -q vorbis-tools
$ curl -JO 'https://bugzilla.redhat.com/attachment.cgi?id=983303'
curl: Saved to filename 'crash_ex.wav'
$ valgrind oggenc -r -o test.ogg ./crash_ex.wav
==24113== Memcheck, a memory error detector
==24113== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24113== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==24113== Command: oggenc -r -o test.ogg ./crash_ex.wav
Encoding "./crash_ex.wav" to
at quality 3.00
Done encoding file "test.ogg"
File length: 0m 00.0s
Elapsed time: 0m 00.7s
Average bitrate: 692.3 kb/s
==24113== HEAP SUMMARY:
==24113== in use at exit: 0 bytes in 0 blocks
==24113== total heap usage: 1,128 allocs, 1,128 frees, 585,608 bytes allocated
==24113== All heap blocks were freed -- no leaks are possible
==24113== For counts of detected and suppressed errors, rerun with: -v
==24113== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Please provide self-contained steps to reproduce the bug.
Thanks for the hint! I should not have used the -r option. My mistake.
I have proposed a patch upstream:
vorbis-tools-1.4.0-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
vorbis-tools-1.4.0-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.