From 4361f572dac8dc390a991cec2e5b96324c8b186d Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Mon, 11 Dec 2023 05:50:10 +0300
Subject: [PATCH] stb_vorbis: fix CVE-2023-45679 and CVE-2023-45680.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Based on the patches by Jaroslav Lobačevski (@JarLob) submitted
upstream at: https://github.com/nothings/stb/pull/1557 and
https://github.com/nothings/stb/pull/1558
GHSL-2023-169/CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
GHSL-2023-170/CVE-2023-45680: Null pointer dereference in vorbis_deinit()
---
src/codecs/stb_vorbis/stb_vorbis.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/codecs/stb_vorbis/stb_vorbis.h b/src/codecs/stb_vorbis/stb_vorbis.h
index cf454279..e1a83ad5 100644
--- a/src/codecs/stb_vorbis/stb_vorbis.h
+++ b/src/codecs/stb_vorbis/stb_vorbis.h
@@ -3750,8 +3750,13 @@ static int start_decoder(vorb *f)
f->comment_list = NULL;
if (f->comment_list_length > 0)
{
- f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
- if (f->comment_list == NULL) return error(f, VORBIS_outofmem);
+ len = sizeof(char*) * f->comment_list_length;
+ f->comment_list = (char**) setup_malloc(f, len);
+ if (f->comment_list == NULL) {
+ f->comment_list_length = 0;
+ return error(f, VORBIS_outofmem);
+ }
+ memset(f->comment_list, 0, len);
}
for(i=0; i < f->comment_list_length; ++i) {
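Review bot: The byte count in `len = sizeof(char*) * f->comment_list_length;` has no upper bound on the count, which is presumably taken from the file's comment header, and the result feeds both `setup_malloc` and `memset`. The declarations of `len` and `comment_list_length` are outside this hunk; if `len` is an `int`, the product can truncate on 64-bit builds, and the allocation would then be smaller than the `comment_list_length` entries the following `for` loop indexes. I would reject oversized counts before the multiplication, zeroing the length as the new failure path does: `if ((size_t)f->comment_list_length > INT_MAX / sizeof(char*)) { f->comment_list_length = 0; return error(f, VORBIS_outofmem); }` (assuming `<limits.h>` is already included). start_decoder begins and ends outside the hunk, so the per-entry failure paths inside the loop could not be checked here.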