Sean Barrett

39 exploits Active since Feb 2018
CVE-2019-13217 WRITEUP HIGH
stb_vorbis < 2019-03-04 - Heap Buffer Overflow in start_decoder
A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.
CVSS 7.8
CVE-2019-13218 WRITEUP MEDIUM
stb_vorbis < 2019-03-04 - Denial of Service via Crafted Ogg Vorbis File
Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVSS 5.5
CVE-2019-13219 WRITEUP MEDIUM
stb_vorbis < 2019-03-04 - Denial of Service via Crafted Ogg Vorbis File
A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVSS 5.5
CVE-2019-13220 WRITEUP HIGH
stb_vorbis < 2019-03-04 - Use of Uninitialized Resource in start_decoder
Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.
CVSS 7.1
CVE-2019-13221 WRITEUP HIGH
stb_vorbis < 2019-03-04 - Stack Buffer Overflow in compute_codewords Function
A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file.
CVSS 7.8
CVE-2019-13222 WRITEUP HIGH
stb_vorbis < 2019-03-04 - Out-of-bounds Read in draw_line Function
An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file.
CVSS 7.1
CVE-2019-13223 WRITEUP MEDIUM
stb_vorbis < 2019-03-04 - Denial of Service via Crafted Ogg Vorbis File
A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file.
CVSS 5.5
CVE-2023-45677 WRITEUP HIGH
stb_vorbis.c - Out-of-bounds Write via Negative Length Handling
stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. A crafted file may trigger an out-of-bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that when `len` read in `start_decoder` is a negative number, `setup_malloc` successfully allocates memory in that case, but the memory write is done with the negative index `len`. Similarly, if `len` is INT_MAX, the integer overflow `len+1` happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
CVSS 7.3
CVE-2023-45663 WRITEUP MEDIUM
stb_image.h - Use of Uninitialized Resource in stbi__getn Return Value Handling
stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
CVSS 5.3
CVE-2023-45675 WRITEUP MEDIUM
stb_vorbis.c - Out-of-bounds Write via Crafted Ogg Vorbis File
stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. A crafted file may trigger an out-of-bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the `len` read in `start_decoder` is `-1`, `len + 1` becomes 0 when passed to `setup_malloc`. `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated: instead of returning `NULL` as in the `malloc` case, it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
CVSS 6.5
CVE-2023-45682 WRITEUP MEDIUM
stb_vorbis.c - Out-of-bounds Read via Negative 'var' in DECODE Macro
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.
CVSS 5.3
CVE-2023-45661 WRITEUP MEDIUM
stb_image.h - Out-of-bounds Read in stbi__gif_load_next
stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
CVSS 6.5
CVE-2023-45666 WRITEUP HIGH
stb_image.h - Double Free in stbi__load_gif_main
stb_image is a single-file, MIT-licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of the output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do so in case the image is not recognized as GIF, and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible for freeing the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non-null value. However, the function may also return a null value but fail to free the memory in `*delays` if `stbi__convert_format` is called internally and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail, or to a double free if `delays` is always freed.
CVSS 7.3
CVE-2023-45667 WRITEUP MEDIUM
stb_image.h - Null Pointer Dereference in stbi__vertical_flip_slices
stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
CVSS 5.3
CVE-2023-45676 WRITEUP HIGH
stb_vorbis.c - Out-of-bounds Write via Integer Overflow in setup_malloc
stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. A crafted file may trigger an out-of-bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7`, and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
CVSS 7.3
CVE-2023-45678 WRITEUP MEDIUM
stb_vorbis.c - Out-of-bounds Write in start_decoder
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
CVSS 6.5
CVE-2023-45679 WRITEUP HIGH
stb_vorbis.c - Use-After-Free in start_decoder Memory Allocation Failure
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
CVSS 7.3
CVE-2023-45680 WRITEUP MEDIUM
stb_vorbis.c - Denial of Service via NULL Pointer Dereference in start_decoder
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
CVSS 5.3
CVE-2018-1000050 WRITEUP HIGH
stb_vorbis < 1.12 - Buffer Overflow in Vorbis Decoding Paths
Sean Barrett stb_vorbis version 1.12 and earlier contains a buffer overflow vulnerability in all Vorbis decoding paths that can result in memory corruption, denial of service, or compromised execution of the host program. This attack appears to be exploitable when a victim opens a specially crafted Ogg Vorbis file. This vulnerability appears to have been fixed in 1.13.
CVSS 8.8