cvelist / GitHub_M / CVELIST:CVE-2023-45675
History: Oct 20, 2023 - 11:26 p.m.

CVE-2023-45675 0 byte write heap buffer overflow in start_decoder in stb_vorbis

2023-10-20 23:26:45
CWE-787
GitHub_M
www.cve.org
buffer overflow
stb_vorbis
code execution
mit licensed library
ogg vorbis files
heap overflow
start_decoder
crafted file

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

AI Score: 9.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 28.3%)

stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. A crafted file may trigger an out-of-bounds write in f->vendor[len] = (char)'\0';. The root cause is that if the len read in start_decoder is -1, len + 1 becomes 0 when passed to setup_malloc. setup_malloc behaves differently when f->alloc.alloc_buffer is pre-allocated: instead of returning NULL as in the malloc case, it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
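
The root cause described above, shown as an added example in a simplified model beside one way to harden it. This is not stb_vorbis source and not the project's fix: struct arena, arena_alloc, store_vendor_unchecked, store_vendor_checked and neighbour_after are hypothetical names, and the 8-byte neighbouring allocation is a constructed scenario.

```c
#include <string.h>

/* Simplified model, not stb_vorbis source: bump allocator over a fixed buffer. */
struct arena { char *buf; int offset; int size; };

/* As the advisory describes for the pre-allocated case: a 0-byte request
   does not fail, it returns the next free address unchanged. */
static void *arena_alloc(struct arena *a, int sz)
{
    if (sz < 0 || a->offset + sz > a->size) return NULL;
    void *p = a->buf + a->offset;
    a->offset += sz;
    return p;
}

/* Flawed pattern: len comes from the file and is never range-checked. */
static int store_vendor_unchecked(struct arena *a, const char *src, int len)
{
    char *vendor = arena_alloc(a, len + 1);  /* len == -1: asks for 0 bytes */
    if (vendor == NULL) return -1;           /* not taken in arena mode */
    for (int i = 0; i < len; ++i) vendor[i] = src[i];
    vendor[len] = '\0';                      /* len == -1: writes vendor[-1] */
    return 0;
}

/* Hardened form: validate len against the bytes actually available
   (avail) before doing any arithmetic or allocation with it. */
static int store_vendor_checked(struct arena *a, const char *src, int len, int avail)
{
    if (len < 0 || len > avail) return -1;
    char *vendor = arena_alloc(a, len + 1);
    if (vendor == NULL) return -1;
    memcpy(vendor, src, (size_t)len);
    vendor[len] = '\0';
    return 0;
}

/* Constructed scenario: an 8-byte allocation filled with 'A' precedes the
   vendor string; returns its last byte after parsing a length of -1. */
static char neighbour_after(int use_checked, int *rc)
{
    char backing[32];
    struct arena a = { backing, 0, (int)sizeof backing };
    char *prev = arena_alloc(&a, 8);
    memset(prev, 'A', 8);
    *rc = use_checked ? store_vendor_checked(&a, "", -1, 0)
                      : store_vendor_unchecked(&a, "", -1);
    return prev[7];
}
```

In the unchecked path the call reports success while the last byte of the preceding allocation is overwritten with zero; the checked path rejects the length and leaves that byte intact.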

CNA Affected

[
  {
    "vendor": "nothings",
    "product": "stb",
    "versions": [
      {
        "version": "<= 1.22",
        "status": "affected"
      }
    ]
  }
]
