In dissect_opus() at wireshark-3.6.8/epan/dissectors/packet-opus.c:254, frame_count is truncated below 0x3F (63) and checked if framesize * frame_count > 120 * MAX_FRAMES_COUNT. But when stack variable frames[MAX_FRAMES_COUNT] is indexed with frame_count later, we didn't make sure frame_count won't excess MAX_FRAMES_COUNT, leading to stack-over-flow write when the begin/size values are put into frames later.
This flaw affects the current released stable wireshark/tshark/... on Linux/Windows/Mac/..., previous versions may also be affected. This issue hasn't been reported elsewhere.
https://www.wireshark.org/security/wnpa-sec-2022-07 - OPUS dissector crash. Issue 18378.
Created wireshark tracking bugs for this issue:
Affects: fedora-all [bug 2138744]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):