mirror of
https://github.com/asterisk/asterisk.git
synced 2026-07-02 04:53:32 -07:00
2f38860a5a
The ogg_speex_read() function copies OGG packet data via memcpy() without validating the packet size against the destination buffer (BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG audio packet causes a heap buffer overflow that corrupts the adjacent speex_desc structure containing libogg heap pointers, leading to a crash (SIGSEGV) on playback. Add a bounds check for both negative and oversized values before the memcpy, consistent with how format_ogg_vorbis bounds its reads via ov_read(). Resolves: #GHSA-8jhw-m2hg-vp3h