An integer overflow flaw, leading to an out-of-bounds memory read, was found in the way the oggenc utility, which is used to encode audio into the Ogg Vorbis format, processed certain WAV files. An attacker could provide a specially crafted WAV file that would crash oggenc when processed. Upstream report: https://trac.xiph.org/ticket/2136
Created vorbis-tools tracking bugs for this issue: Affects: fedora-all [bug 1184452]
*** Bug 1185269 has been marked as a duplicate of this bug. ***
I am not able to reproduce the crash on x86_64 using vorbis-tools-1.4.0-18.fc21 and attachment #983303. Valgrind output is sane:

$ rpm -q vorbis-tools
vorbis-tools-1.4.0-18.fc21.x86_64
$ curl -JO 'https://bugzilla.redhat.com/attachment.cgi?id=983303'
curl: Saved to filename 'crash_ex.wav'
$ valgrind oggenc -r -o test.ogg ./crash_ex.wav
==24113== Memcheck, a memory error detector
==24113== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24113== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==24113== Command: oggenc -r -o test.ogg ./crash_ex.wav
==24113==
Encoding "./crash_ex.wav" to "test.ogg" at quality 3.00

Done encoding file "test.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.7s
        Rate:         0.0041
        Average bitrate: 692.3 kb/s

==24113==
==24113== HEAP SUMMARY:
==24113==     in use at exit: 0 bytes in 0 blocks
==24113==   total heap usage: 1,128 allocs, 1,128 frees, 585,608 bytes allocated
==24113==
==24113== All heap blocks were freed -- no leaks are possible
==24113==
==24113== For counts of detected and suppressed errors, rerun with: -v
==24113== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Please provide self-contained steps to reproduce the bug.
Thanks for the hint! I should not have used the -r option. My mistake.
I have proposed a patch upstream: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
vorbis-tools-1.4.0-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
vorbis-tools-1.4.0-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.