CVE-2023-45675

Name
CVE-2023-45675
Description
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3652-L3658
MISC https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3658
MISC https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
MISC https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L950-L960
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nothings:stb_vorbis.c:1.22:*:*:*:*:*:*:* stb_vorbis.c == None == 1.22

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
stb edge-community 0_git20231012-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed
stb 3.19-community 0_git20231012-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed
stb 3.20-community 0_git20231012-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed