Control: tags -1 + patch
This patch has been applied upstream to fix this security problem. It
is also included in the 1.2.0beta1 release which was tagged upstream
today.
commit 5665f86b8fd8345bb09469990e79221562ac204b
Author: Petter Reinholdtsen <pere@debian.org>
Date: Mon Mar 10 22:45:57 2025 +0100
Avoid negative bit shift operation in huffdec.c (CVE-2024-56431).
A crash was discovered using input fuzzing, in th_decode_headerin()
where the len value in the oc_huff_tree_unpack() can end up as -1.
Added a check to ensure this does not happen.
Based on feedback from Timothy B. Terriberry.
The issue was discovered using gcc sanitization, which reported the following:
huffdec.c:228:27: runtime error: shift exponent -1 is negative
#0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
#1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
#2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
#3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
#4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
#5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
#6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
#7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
#8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)
Fixes github pull request #19.
diff --git a/lib/huffdec.c b/lib/huffdec.c
index cc1828d..1bab3dd 100644
--- a/lib/huffdec.c
+++ b/lib/huffdec.c
@@ -224,6 +224,7 @@ int oc_huff_tree_unpack(oc_pack_buf *_opb,unsigned char _tokens[256][2]){
_tokens[ntokens][1]=(unsigned char)(len+neb);
ntokens++;
}
+ if(len<=0)break;
code_bit=0x80000000U>>len-1;
while(len>0&&(code&code_bit)){
code^=code_bit;
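Review bot: the added "if(len<=0)break;" directly before "code_bit=0x80000000U>>len-1;" leaves the loop silently on len==0 without a comment saying whether a leaf at depth 0 is a legitimate one-leaf tree that simply ends the unpack or a malformed header that should be rejected with the function's error return; add a comment stating which, and if it is the latter, return the error rather than break, since the entries written just above ("_tokens[ntokens][1]=(unsigned char)(len+neb); ntokens++;") have already been committed for that leaf. The sanitizer report shows the failing exponent was -1, i.e. len was 0 at the shift, so the comment should also say that this is the only value the guard exists for. Writing the shift as 0x80000000U>>(len-1) would make the protected expression easier to read than relying on the precedence of "-" over ">>".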
--
Happy hacking
Petter Reinholdtsen
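As an added example (my code, not libtheora's and not part of this bug report or the upstream commit): a minimal C reader for a Huffman tree description bitstream, modelled on the code_bit/len advance loop visible in the hunk. The bit convention (0 = descend into an internal node, 1 = the current node is a leaf), the 256-leaf and 32-bit limits and every sample input are assumptions constructed for the demo. What it shows is the shape of the failing input: a leaf emitted at depth 0 reaches the shift with len==0, so the guard has to run before 0x80000000U>>(len-1) is evaluated, and the same function still terminates correctly for a normal tree and rejects truncated or over-deep descriptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LEAVES   256   /* assumed limits for the demo, not Theora's */
#define MAX_CODE_LEN 32

struct leaf { uint32_t code; int len; };

struct bitreader { const uint8_t *buf; size_t nbits; size_t pos; };

/* Read one bit, MSB first. Returns -1 once the description is exhausted. */
static int read1(struct bitreader *br)
{
    if (br->pos >= br->nbits) return -1;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* After a leaf at depth *len, move to the next unvisited node the way the
 * hunk's loop does: start at the last bit of the MSB-aligned prefix, clear
 * each trailing 1-bit while walking up one level, then set the bit to step
 * to the right sibling. Returns 0 when the tree is complete, 1 otherwise.
 * 0x80000000U >> (len - 1) is only defined for 1 <= len <= 32, so depth 0
 * (a leaf at the root) must be caught before the shift; that is the check
 * the patch inserts in front of code_bit=0x80000000U>>len-1. */
static int advance(uint32_t *code, int *len)
{
    if (*len <= 0) return 0;   /* single-leaf tree: nothing left to visit */
    uint32_t code_bit = 0x80000000U >> (*len - 1);
    while (*len > 0 && (*code & code_bit)) {
        *code ^= code_bit;
        code_bit <<= 1;        /* unsigned: wraps to 0 past the top bit, no UB */
        (*len)--;
    }
    if (*len <= 0) return 0;
    *code |= code_bit;
    return 1;
}

/* Walk a tree description and record (code, length) for every leaf.
 * Returns the leaf count, or -1 for a truncated, over-deep or over-full
 * description. */
static int unpack_tree(const uint8_t *buf, size_t nbits, struct leaf out[MAX_LEAVES])
{
    struct bitreader br = { buf, nbits, 0 };
    uint32_t code = 0;
    int len = 0, nleaves = 0;
    for (;;) {
        int bit = read1(&br);
        if (bit < 0) return -1;                        /* ran out of bits */
        if (bit == 0) {                                /* internal node: descend */
            if (++len > MAX_CODE_LEN) return -1;
            continue;
        }
        if (nleaves >= MAX_LEAVES) return -1;
        out[nleaves].code = code;
        out[nleaves].len  = len;
        nleaves++;
        if (!advance(&code, &len)) return nleaves;     /* tree complete */
    }
}

/* Small wrappers so results can be checked without touching the array. */
int count_leaves(const uint8_t *buf, size_t nbits)
{
    struct leaf leaves[MAX_LEAVES];
    return unpack_tree(buf, nbits, leaves);
}

uint32_t nth_code(const uint8_t *buf, size_t nbits, int n)
{
    struct leaf leaves[MAX_LEAVES];
    int count = unpack_tree(buf, nbits, leaves);
    return (count < 0 || n >= count) ? 0xFFFFFFFFU : leaves[n].code;
}

int nth_len(const uint8_t *buf, size_t nbits, int n)
{
    struct leaf leaves[MAX_LEAVES];
    int count = unpack_tree(buf, nbits, leaves);
    return (count < 0 || n >= count) ? -1 : leaves[n].len;
}

int main(void)
{
    /* Constructed descriptions (MSB first), not real Theora header data:
     *   "1"      -> one leaf at the root, depth 0: the CVE-2024-56431 shape
     *   "01011"  -> three leaves with codes 0, 10, 11
     *   "0"      -> truncated after one internal node
     *   33 x "0" -> deeper than a 32-bit code allows */
    static const uint8_t single[] = { 0x80 };
    static const uint8_t three[]  = { 0x58 };
    static const uint8_t trunc[]  = { 0x00 };
    static const uint8_t deep[]   = { 0, 0, 0, 0, 0 };
    int n = count_leaves(three, 5);
    for (int i = 0; i < n; i++)
        printf("leaf %d: len %d code 0x%08x\n", i, nth_len(three, 5, i), nth_code(three, 5, i));
    printf("single leaf: %d, truncated: %d, too deep: %d\n",
           count_leaves(single, 1), count_leaves(trunc, 1), count_leaves(deep, 33));
    return 0;
}
```

Remove the first line of advance() and compile with -fsanitize=undefined to reproduce the same "shift exponent -1 is negative" report on the one-bit input; with the guard in place that input yields a single leaf of length 0 and the walk ends cleanly.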