Dear Vorbis devs,

I'm Robert Kausch, author of fre:ac - free audio converter.

Please consider using _ogg_malloc/_ogg_free in place of alloca in vorbis_comment_add_tag. alloca will cause undefined behaviour/crashing when it causes a stack overflow, which can easily happen when adding cover art in a METADATA_BLOCK_PICTURE comment.

I had a user trying to convert a FLAC file with a 2 MB embedded cover art that caused a crash in vorbis_comment_add_tag.

Thanks and best regards,
Robert

PS @ list moderator: I sent a message before I joined the list a few days ago, but it was ignored. The mail should still be in the moderation queue; please disregard that one.

--
Robert Kausch
robert.kausch at freac.org
On 2015-10-12 12:04 PM, Robert Kausch wrote:

> Please consider using _ogg_malloc/_ogg_free in place of alloca in
> vorbis_comment_add_tag. alloca will cause undefined behaviour/crashing
> when it causes a stack overflow which can easily happen when adding
> cover art in a METADATA_BLOCK_PICTURE comment.

Thanks for the report. I've done a quick fix. Please test.

https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c75b3b1282de1010883aa1391bc8ea31dc8ac98e

-r
> Ralph Giles <giles at thaumas.net> wrote on 14 October 2015 at 01:19:
>
> Thanks for the report. I've done a quick fix. Please test.
>
> https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c75b3b1282de1010883aa1391bc8ea31dc8ac98e

Works great, thanks!

I think replacing alloca in vorbis_comment_query and vorbis_comment_query_count is not really necessary, as only the tag id without content is used in those methods. On the other hand, it might be a good idea to avoid alloca where possible. An alternative would be to continue using alloca in those two methods, but check and fail if the id length is greater than a few kB.

Robert
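For readers of the thread, here is an added example (not libvorbis code and not part of any message above) of the change Robert asked for and Ralph committed: the "TAG=value" join that vorbis_comment_add_tag performs, done with heap allocation instead of alloca, so a 2 MB METADATA_BLOCK_PICTURE value never has to fit on the stack. The comment_list type and the functions comment_add_tag, comment_clear and filled_string are assumed stand-ins; libvorbis itself uses its _ogg_malloc/_ogg_free wrappers where this example uses malloc/free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for vorbis_comment: an owned array of "TAG=value" strings. */
typedef struct {
    char **user_comments;
    int comments;
} comment_list;

/* Same join that vorbis_comment_add_tag performs, but on the heap: a
   multi-megabyte picture value lands in malloc'd memory, not on the stack.
   Returns 0 on success, -1 on size overflow or allocation failure. */
int comment_add_tag(comment_list *vc, const char *tag, const char *contents) {
    size_t tlen = strlen(tag), clen = strlen(contents);
    if (tlen > SIZE_MAX - 2 || clen > SIZE_MAX - 2 - tlen)
        return -1;                                   /* room for '=' and NUL */
    char *comment = malloc(tlen + clen + 2);         /* libvorbis: _ogg_malloc */
    if (!comment) return -1;
    memcpy(comment, tag, tlen);
    comment[tlen] = '=';
    memcpy(comment + tlen + 1, contents, clen + 1);  /* copies the NUL too */
    char **grown = realloc(vc->user_comments,
                           ((size_t)vc->comments + 1) * sizeof *grown);
    if (!grown) { free(comment); return -1; }        /* libvorbis: _ogg_free */
    vc->user_comments = grown;
    vc->user_comments[vc->comments++] = comment;     /* list now owns it */
    return 0;
}

/* Release every comment string and the array itself. */
void comment_clear(comment_list *vc) {
    for (int i = 0; i < vc->comments; i++) free(vc->user_comments[i]);
    free(vc->user_comments);
    vc->user_comments = NULL;
    vc->comments = 0;
}

/* Constructed stand-in for a base64-encoded cover image of n bytes. */
char *filled_string(size_t n, char c) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}
```

Adding a 2 MB constructed value via filled_string exercises exactly the case that crashed with alloca; the caller frees its own copy, while the list owns the joined string until comment_clear.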