mirror of
https://github.com/asterisk/asterisk.git
synced 2026-06-30 12:10:12 -07:00
c3c40b5dbf
The ogg_speex_read() function copies OGG packet data via memcpy() without validating the packet size against the destination buffer (BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG audio packet causes a heap buffer overflow that corrupts the adjacent speex_desc structure containing libogg heap pointers, leading to a crash (SIGSEGV) on playback. Add a bounds check for both negative and oversized values before the memcpy, consistent with how format_ogg_vorbis bounds its reads via ov_read(). Resolves: #GHSA-8jhw-m2hg-vp3h