| Title | nothings stb (stb_vorbis.c) ≤ 1.22 Free of Pointer not at Start of Buffer |
|---|
| Description | An invalid free vulnerability exists in `setup_free()` in stb_vorbis.c v1.22 and earlier. When processing a crafted Ogg Vorbis file, the `vorbis_deinit()` function at line 4214 calls `setup_free()` at line 966 to free internal decoder structures. Due to corrupted internal state from malformed Vorbis setup headers, `setup_free()` attempts to free an invalid pointer, causing a crash in the memory allocator.
This is triggered via `stb_vorbis_open_memory()` or `stb_vorbis_decode_memory()` when the decoder encounters an error during setup and attempts cleanup. The crash occurs inside the allocator's `Deallocate()` function due to an invalid pointer being passed to `free()`.
ASAN output:
```
ERROR: AddressSanitizer: SEGV on unknown address
READ memory access in __asan::Allocator::Deallocate
#1 free
#2 setup_free stb_vorbis.c:966
#3 vorbis_deinit stb_vorbis.c:4214
#4 stb_vorbis_open_memory stb_vorbis.c:5122
#5 stb_vorbis_decode_memory stb_vorbis.c:5390
``` |
|---|
| Source | ⚠️ https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1 |
|---|
| User | d0razi (UID 96474) |
|---|
| Submitted | 2026-03-16 01:15 AM (17 days ago) |
|---|
| Moderation | 2026-04-01 02:40 PM (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 354648 [Nothings stb up to 1.22 stb_vorbis.c setup_free denial of service] |
|---|
| Points | 20 |
|---|