format_ogg_speex: Add bounds check to prevent heap buffer overflow
authorMilan Kyselica <mil.kyselica@gmail.com>
Mon, 23 Mar 2026 14:15:18 +0000 (15:15 +0100)
committerGeorge Joseph <gtjoseph@users.noreply.github.com>
Thu, 25 Jun 2026 14:21:09 +0000 (08:21 -0600)
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h

formats/format_ogg_speex.c

index 7dc95ab80a5f85bb079c4d68826ce91e5751fbfe..cf5b7ec0361632b3e718b2ad4dabe1219f23568f 100644 (file)
@@ -234,6 +234,12 @@ static struct ast_frame *ogg_speex_read(struct ast_filestream *fs,
                return NULL;
        }
 
+       if (s->op.bytes < 0 || s->op.bytes > BUF_SIZE) {
+               ast_log(LOG_WARNING, "OGG/Speex packet too large (%ld > %d), skipping\n",
+                       s->op.bytes, BUF_SIZE);
+               return NULL;
+       }
+
        AST_FRAME_SET_BUFFER(&fs->fr, fs->buf, AST_FRIENDLY_OFFSET, BUF_SIZE);
        memcpy(fs->fr.data.ptr, s->op.packet, s->op.bytes);
        fs->fr.datalen = s->op.bytes;
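Review bot: The warning text in the added guard does not match what the guard does. It prints "too large (%ld > %d)" even when the branch was taken because `s->op.bytes < 0`, and it says "skipping" although the code returns NULL, which presumably ends the read rather than moving on to the next packet. Since this log line is the only trace an operator gets of a malformed or crafted .spx file, it should state the real condition, for example `ast_log(LOG_WARNING, "OGG/Speex packet size %ld outside 0..%d, aborting read\n", s->op.bytes, BUF_SIZE);`. A one-line comment above the check, such as `/* op.bytes comes from the file; fs->buf holds at most BUF_SIZE bytes of payload */`, would also record why the limit is BUF_SIZE. The body of ogg_speex_read() starts and ends outside this hunk, so the allocation size of `fs->buf` cannot be confirmed from here.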