stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in start_decoder. In that case the function returns early, but some of the pointers in f->comment_list are left initialized and later setup_free is called on these pointers in vorbis_deinit. This issue may lead to code execution.
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Stb_vorbis.c | Nothings | 1.22 (including) | 1.22 (including) |
| Libstb | Ubuntu | bionic | * |
| Libstb | Ubuntu | focal | * |
| Libstb | Ubuntu | lunar | * |
| Libstb | Ubuntu | mantic | * |
| Libstb | Ubuntu | oracular | * |
| Libstb | Ubuntu | plucky | * |
| Libstb | Ubuntu | trusty | * |
| Libstb | Ubuntu | xenial | * |
Potential Mitigations
References
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4208-L4215
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4208-L4215
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/