Submit #780560: nothings stb (stb_vorbis.c) ≤ 1.22 Free of Pointer not at Start of Buffer (info)

Title: nothings stb (stb_vorbis.c) ≤ 1.22 Free of Pointer not at Start of Buffer
Description: An invalid free vulnerability exists in `setup_free()` in stb_vorbis.c v1.22 and earlier. When processing a crafted Ogg Vorbis file, the `vorbis_deinit()` function at line 4214 calls `setup_free()` at line 966 to free internal decoder structures. Due to corrupted internal state from malformed Vorbis setup headers, `setup_free()` attempts to free an invalid pointer, causing a crash in the memory allocator. This is triggered via `stb_vorbis_open_memory()` or `stb_vorbis_decode_memory()` when the decoder encounters an error during setup and attempts cleanup. The crash occurs inside the allocator's `Deallocate()` function due to an invalid pointer being passed to `free()`.

ASAN output:

```
ERROR: AddressSanitizer: SEGV on unknown address READ memory access in __asan::Allocator::Deallocate
#1 free
#2 setup_free stb_vorbis.c:966
#3 vorbis_deinit stb_vorbis.c:4214
#4 stb_vorbis_open_memory stb_vorbis.c:5122
#5 stb_vorbis_decode_memory stb_vorbis.c:5390
```
Source: https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1
User: d0razi (UID 96474)
Submission: 2026-03-16 01:15 (21 days ago)
Moderation: 2026-04-01 14:40 (17 days later)
Status: Accepted
VulDB entry: 354648 [Nothings stb up to 1.22 stb_vorbis.c setup_free denial of service]
Points: 20