Closed Bug 507030 Opened 16 years ago Closed 16 years ago

crash (segfault) @ vorbis_book_init_decode when playing corrupted ogg vorbis file

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: keeler, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Attachments

(2 files)

test file that causes crash
8.00 KB, audio/ogg
Details
stack trace of oggplayer
2.04 KB, text/plain
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12 Build Identifier: mozilla-central revision 7149d895e5b3 Segmentation fault when playing corrupted ogg vorbis file (attached). Reproducible: Always Steps to Reproduce: 1. Load attached file. 2. Possibly reload the page a couple of times. Actual Results: firefox crashes Expected Results: some sort of "this file is corrupted" message
I wasn't able to get a stack trace from firefox for some reason, but here's the stack trace of oggplayer.
In vorbis_sharedbook.c, we have the following: (in vorbis_book_init_decode, starting at line 358) ogg_uint32_t *codes=_make_words(s->lengthlist,s->entries,c->used_entries); ogg_uint32_t **codep=alloca(sizeof(*codep)*n); if(codes==NULL)goto err_out; When running the given file, _make_words returns null, causing the program to jump to err_out and call vorbis_book_clear. However, because n is very large, alloca has modified the stack pointer by more than 30 MB, which causes a segfault. This is very probably exploitable (n is derived from the number of entries in the passed-in static_codebook, which presumably depends on the input file). One really quick fix would be to move the null check to above the call to alloca, but this doesn't get rid on the underlying problem, which is the unsafe use of alloca.
Whiteboard: [sg:critical]
Bug poke: is this being worked on? I could write the patch for the quick fix I proposed above, but I'm not sure what to do about the alloca calls. Should they just be changed to malloc? (with appropriate calls to free, of course)
xiphmont, the author of the code, is cc'd on the bug. I'm interested in what his thoughts on a fix are,
This does not crash on trunk for me.
Status: UNCONFIRMED → NEW
Ever confirmed: true
WFM [Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a1pre) Gecko/20091020 Minefield/3.7a1pre]. File loads, but won't play. Would be a good testcase/crashtest.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: