Red Hat Bugzilla – Bug 438125
vorbis: multiple issues in ogg vorbis and tremor
Last modified: 2008-06-19 09:00:07 EDT
Will Drewry of the Google Security Team reported multiple issues in OGG Vorbis
and Tremor libraries that could cause applications using those libraries to
crash (NULL pointer dereference or divide by zero), enter an infinite loop or
cause a heap overflow resulting from an integer overflow.
Here are the fixes according to Monty:
r14604: check for / reject impossibly large codebook requests;
protects against the case of overflowing a 32 bit integer and
requesting a negative heap allocation.
r14602: reject nonsensical 0-dimension codebooks. Prevents a divide
by zero crash.
r14598, r14600: Prevent heap overflows caused by dim=bignum and
partition_codewords = partition_values^dim. partition_codewords is
actually overdetermined; in the case of inconsistency, mark stream
undecodable. Protects against the case of overflowing a 32 bit
integer and requesting a negative heap allocation.
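The three codebook fixes above share one shape: a header value that is trusted into 32-bit arithmetic, wraps, and becomes a negative allocation or a division by zero. The following is an added example written for this page, not libvorbis or Tremor code; the function names (mul_checked_i32, codebook_entries_ok, codebook_dim_ok, partition_codewords_ok) are hypothetical stand-ins for the header-parsing checks each revision introduces. It also shows the unchecked partition_values^dim computation in wrapping unsigned arithmetic so the wraparound can be observed next to the checked version.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not libvorbis/Tremor code. The function names below are
 * hypothetical; they stand in for the header-parsing checks the bug
 * describes. Each one turns a value that would otherwise wrap a 32-bit int
 * into a clean "stream undecodable" result. */

/* Multiply two non-negative 32-bit ints; return 0 and store the product,
 * or -1 if the product would not fit in a positive int32_t. */
static int mul_checked_i32(int32_t a, int32_t b, int32_t *out)
{
    if (a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* r14604: an "impossibly large" codebook. The allocation size is
 * entries * elem_size; if that wraps, the allocator is asked for a
 * negative (i.e. huge) size. Returns 1 when the request is sane. */
int codebook_entries_ok(int32_t entries, size_t elem_size)
{
    int32_t bytes;
    if (entries <= 0 || elem_size == 0 || elem_size > (size_t)INT32_MAX)
        return 0;
    return mul_checked_i32(entries, (int32_t)elem_size, &bytes) == 0;
}

/* r14602: a 0-dimension codebook makes later entries/dim arithmetic divide
 * by zero, so it is rejected before any division happens. */
int codebook_dim_ok(int32_t dim)
{
    return dim > 0;
}

/* Unchecked form of partition_codewords = partition_values^dim, computed in
 * wrapping unsigned arithmetic so the wraparound itself can be observed. */
uint32_t partition_codewords_wrapping(uint32_t partition_values, uint32_t dim)
{
    uint32_t acc = 1;
    for (uint32_t i = 0; i < dim; i++)
        acc *= partition_values;   /* silently wraps past 2^32 */
    return acc;
}

/* r14598/r14600: partition_codewords is overdetermined, so recompute
 * partition_values^dim with overflow detection and require it to match the
 * value declared in the stream. Returns 1 only if consistent and in range. */
int partition_codewords_ok(int32_t partition_values, int32_t dim,
                           int32_t declared_codewords)
{
    int32_t acc = 1;
    if (partition_values <= 0 || dim <= 0)
        return 0;
    for (int32_t i = 0; i < dim; i++) {
        if (mul_checked_i32(acc, partition_values, &acc) != 0)
            return 0;              /* overflow: mark stream undecodable */
    }
    return acc == declared_codewords;
}
```

The checked multiply is deliberately written against INT32_MAX rather than size_t: on a 64-bit build the allocation size would not wrap, but the decoder's own 32-bit fields still would, which is why the fix has to compare the recomputed value with the declared one instead of trusting either.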
The revisions refer to the xiph subversion repository:
Monty also says we want revision 14502:
"It just checked to see if the declared string lengths (vorbis comments are
length coded) are longer than the actual comment packet."
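The comment-header check in revision 14502 is a bounds check on length-coded strings. As an added example (not libvorbis code), the parser below walks a vorbis-comment-style packet, where each string is preceded by a little-endian 32-bit length, and rejects the packet as soon as any declared length exceeds the bytes actually remaining. The function names and the two sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not libvorbis code. A vorbis comment packet is a sequence
 * of little-endian 32-bit length prefixes, each followed by that many bytes
 * (vendor string, then a count of user comments, then each comment).
 * The check mirrored here: every declared length must fit in the bytes that
 * remain in the packet, otherwise the packet is rejected. */

/* Read a little-endian u32 at *pos; -1 if fewer than 4 bytes remain. */
static int read_u32le(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4)
        return -1;
    *out = (uint32_t)buf[*pos]
         | (uint32_t)buf[*pos + 1] << 8
         | (uint32_t)buf[*pos + 2] << 16
         | (uint32_t)buf[*pos + 3] << 24;
    *pos += 4;
    return 0;
}

/* Walk the packet; return the number of user comments, or -1 if any declared
 * length (vendor, comment count, or a comment) runs past the packet end. */
int parse_comment_packet(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t vendor_len, count, clen, i;

    if (read_u32le(buf, len, &pos, &vendor_len) != 0)
        return -1;
    if (vendor_len > len - pos)          /* declared longer than the packet */
        return -1;
    pos += vendor_len;

    if (read_u32le(buf, len, &pos, &count) != 0)
        return -1;
    if (count > (len - pos) / 4)         /* each comment needs >= 4 bytes */
        return -1;

    for (i = 0; i < count; i++) {
        if (read_u32le(buf, len, &pos, &clen) != 0)
            return -1;
        if (clen > len - pos)            /* would read beyond the packet */
            return -1;
        pos += clen;
    }
    return (int)count;
}

/* Constructed sample: vendor "Xiph", one comment "TITLE=x". */
const uint8_t sample_good[] = {
    0x04, 0x00, 0x00, 0x00, 'X', 'i', 'p', 'h',
    0x01, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x00, 0x00, 'T', 'I', 'T', 'L', 'E', '=', 'x'
};
const size_t sample_good_len = sizeof sample_good;

/* Constructed sample: same layout, but the comment claims 0x7fffffff bytes
 * while only 7 follow; without the check a reader would run off the packet. */
const uint8_t sample_bad[] = {
    0x04, 0x00, 0x00, 0x00, 'X', 'i', 'p', 'h',
    0x01, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0x7f, 'T', 'I', 'T', 'L', 'E', '=', 'x'
};
const size_t sample_bad_len = sizeof sample_bad;
```

The comparison is always written as `declared > remaining` rather than `pos + declared > len`, because the latter can itself overflow when the declared length is near the top of the 32-bit range, which is exactly the input this class of bug is about.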
All individual issues are resolved now, closing this bug as well.