Files
Milan Kyselica 1cf1895499 format_ogg_speex: Add bounds check to prevent heap buffer overflow
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h
2026-06-25 08:21:09 -06:00
..
2024-12-10 13:25:08 +00:00
2021-11-16 06:01:45 -06:00