Submit #780560: nothings stb (stb_vorbis.c) ≤ 1.22 Free of Pointer not at Start of Buffer

Title: nothings stb (stb_vorbis.c) ≤ 1.22 Free of Pointer not at Start of Buffer

Description: An invalid free vulnerability exists in `setup_free()` in stb_vorbis.c v1.22 and earlier. When processing a crafted Ogg Vorbis file, the `vorbis_deinit()` function at line 4214 calls `setup_free()` at line 966 to free internal decoder structures. Due to corrupted internal state from malformed Vorbis setup headers, `setup_free()` attempts to free an invalid pointer, causing a crash in the memory allocator. This is triggered via `stb_vorbis_open_memory()` or `stb_vorbis_decode_memory()` when the decoder encounters an error during setup and attempts cleanup. The crash occurs inside the allocator's `Deallocate()` function due to an invalid pointer being passed to `free()`.

ASAN output:

```
ERROR: AddressSanitizer: SEGV on unknown address
READ memory access in __asan::Allocator::Deallocate
#1 free
#2 setup_free stb_vorbis.c:966
#3 vorbis_deinit stb_vorbis.c:4214
#4 stb_vorbis_open_memory stb_vorbis.c:5122
#5 stb_vorbis_decode_memory stb_vorbis.c:5390
```

Source: ⚠️ https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1
User: d0razi (UID 96474)
Submission: 16/03/2026 01:15 (19 days ago)
Moderation: 01/04/2026 14:40 (17 days later)
Status: Accepted
VulDB entry: 354648 [Nothings stb up to 1.22 stb_vorbis.c setup_free denial of service]
Points: 20
