A potential bug of NPD #36

Closed
ash1852 opened this issue Sep 5, 2022 · 3 comments
@ash1852

ash1852 commented Sep 5, 2022

Hi, I found a potential null pointer dereference bug in the project source code of opusfile, and I have shown the execution sequence of the program that may generate the bug in the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow, and the file path can be seen in the blue-framed section.
image
Although the code shown is for version 0.9, it still exists in the current version:

opusfile/src/opusfile.c

Lines 1527 to 1532 in cf218fb

if(_initial_bytes>0){
  char *buffer;
  buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
  memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
  ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
}

Could you help to check if this bug is true? Thank you for your effort and patience!

ePirat pushed a commit that referenced this issue Sep 7, 2022
Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
a null pointer. This allows more graceful recovery by the caller
in the unlikely event of a fallible ogg_malloc call.

We do check the return value elsewhere in the code, so the new
checks make the code more consistent.

Thanks to #36 for reporting.
@rillian
Contributor

rillian commented Sep 7, 2022

A lot of our code assumes malloc is infallible, just like we don't validate any of the pointer arguments in this function. But it looks like opusfile does check occasionally, so checking and returning OP_EFAULT would be reasonable here.

@ash1852
Author

ash1852 commented Sep 7, 2022

OK. Thank you for your effort.

@rillian rillian self-assigned this Sep 7, 2022
rillian added a commit that referenced this issue Sep 7, 2022
Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
a null pointer. This allows more graceful recovery by the caller
in the unlikely event of a fallible ogg_malloc call.

We do check the return value elsewhere in the code, so the new
checks make the code more consistent.

Thanks to #36 for reporting.

Signed-off-by: Timothy B. Terriberry <[email protected]>
Signed-off-by: Mark Harris <[email protected]>
@rillian
Contributor

rillian commented Sep 7, 2022

Fixed in 0a4cd79. Thanks for the report!

@rillian rillian closed this as completed Sep 7, 2022
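
The check discussed in this thread, as an added example that is not part of the issue or of opusfile's source: the quoted snippet with the return value tested before `memcpy`, reporting `OP_EFAULT` instead of dereferencing a null pointer. `demo_sync`, `demo_sync_buffer`, `demo_sync_wrote`, `demo_fail_alloc`, `demo_seed_initial_data` and `demo_run` are hypothetical stand-ins (for libogg's `ogg_sync_state`, `ogg_sync_buffer` and `ogg_sync_wrote`) so the block builds without libogg.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OP_EFAULT (-129) /* same value as in opusfile.h */

/* Hypothetical stand-in for ogg_sync_state: only the fields the demo needs. */
typedef struct { char *data; long storage; long fill; } demo_sync;
static int demo_fail_alloc; /* constructed switch: simulate allocation failure */

/* Stand-in for ogg_sync_buffer(): returns NULL when memory cannot be obtained. */
static char *demo_sync_buffer(demo_sync *oy, long size) {
  char *p;
  if (demo_fail_alloc) return NULL;
  p = realloc(oy->data, (size_t)(oy->fill + size));
  if (p == NULL) return NULL;
  oy->data = p;
  oy->storage = oy->fill + size;
  return oy->data + oy->fill;
}

/* Stand-in for ogg_sync_wrote(): commits bytes written into the buffer. */
static void demo_sync_wrote(demo_sync *oy, long bytes) { oy->fill += bytes; }

/* Hardened form of the quoted block: check the pointer before copying. */
int demo_seed_initial_data(demo_sync *oy, const unsigned char *initial_data,
                           size_t initial_bytes) {
  if (initial_bytes > 0) {
    char *buffer = demo_sync_buffer(oy, (long)initial_bytes);
    if (buffer == NULL) return OP_EFAULT; /* the unchecked code crashes here */
    memcpy(buffer, initial_data, initial_bytes * sizeof(*buffer));
    demo_sync_wrote(oy, (long)initial_bytes);
  }
  return 0;
}

/* Runs one case; returns 0 on a verified copy, OP_EFAULT on failed allocation. */
int demo_run(int fail_alloc) {
  static const unsigned char head[4] = {'O', 'g', 'g', 'S'}; /* constructed input */
  demo_sync oy = {NULL, 0, 0};
  int ret;
  demo_fail_alloc = fail_alloc;
  ret = demo_seed_initial_data(&oy, head, sizeof(head));
  if (ret == 0 && (oy.fill != 4 || memcmp(oy.data, head, 4) != 0)) ret = 1;
  free(oy.data);
  return ret;
}

int main(void) { printf("ok=%d oom=%d\n", demo_run(0), demo_run(1)); return 0; }
```
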
LeSuisse added a commit to LeSuisse/nixpkgs that referenced this issue Jan 27, 2023
github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue Jan 28, 2023
Upstream issue: xiph/opusfile#36

(cherry picked from commit 6515a7a)
sezero pushed a commit to libsdl-org/opusfile that referenced this issue Mar 2, 2023
Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
a null pointer. This allows more graceful recovery by the caller
in the unlikely event of a fallible ogg_malloc call.

We do check the return value elsewhere in the code, so the new
checks make the code more consistent.

Thanks to xiph#36 for reporting.

Signed-off-by: Timothy B. Terriberry <[email protected]>
Signed-off-by: Mark Harris <[email protected]>
(cherry picked from commit 0a4cd79)
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Dec 24, 2024
This patch is mentioned in [1] and [2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-47021
[2] xiph/opusfile#36

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Khem Raj <[email protected]>