The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h
return NULL;
}
+ if (s->op.bytes < 0 || s->op.bytes > BUF_SIZE) {
+ ast_log(LOG_WARNING, "OGG/Speex packet too large (%ld > %d), skipping\n",
+ s->op.bytes, BUF_SIZE);
+ return NULL;
+ }
+
AST_FRAME_SET_BUFFER(&fs->fr, fs->buf, AST_FRIENDLY_OFFSET, BUF_SIZE);
memcpy(fs->fr.data.ptr, s->op.packet, s->op.bytes);
fs->fr.datalen = s->op.bytes;
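Review bot: the warning text says "skipping" but the new branch does `return NULL;`, the same exit the preceding block uses for a failed read; if the caller treats NULL as end of stream, an oversized packet ends playback of the file rather than skipping to the next packet, so either reword the message (for example "OGG/Speex packet too large (%ld > %d), aborting read\n") or advance to the next packet if skipping is the intended behaviour. The bound itself is correct for the copy that follows: `s->op.bytes > BUF_SIZE` still permits exactly BUF_SIZE bytes, which matches the `AST_FRAME_SET_BUFFER(..., BUF_SIZE)` region that `memcpy()` writes into, and `%ld` agrees with libogg declaring `ogg_packet.bytes` as `long`.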