[Bug 755167] New: [vorbisenc] Stack overflow with large input METADATA_BLOCK_PICTURE

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Thu Sep 17 09:38:13 PDT 2015


https://bugzilla.gnome.org/show_bug.cgi?id=755167

            Bug ID: 755167
           Summary: [vorbisenc] Stack overflow with large input
                    METADATA_BLOCK_PICTURE
    Classification: Platform
           Product: GStreamer
           Version: 1.x
                OS: Mac OS
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-base
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: i80and at gmail.com
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

> gst-launch-1.0 filesrc location=Burn\ The\ Sky.mp3 ! decodebin ! audioconvert ! vorbisenc ! fakesink
> Setting pipeline to PAUSED ...
> Pipeline is PREROLLING ...
> Redistribute latency...
> Bus error: 10

Crash occurs because gst_vorbis_enc_metadata_set1() calls
vorbis_comment_add_tag() with arbitrarily large data taken from the input file
(in this case, the tag METADATA_BLOCK_PICTURE has size 1,063,488).
vorbis_comment_add_tag() will allocate a new buffer with alloca(), causing a
stack overflow.

I have a bug open for libvorbis (https://trac.xiph.org/ticket/2221) since
replacing alloca() with _ogg_alloc() resolves the issue, but it may be worth
working around this on the GStreamer side.

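The failure mode described in this report, next to a heap-based form and a caller-side size check, as an added example (not code from libvorbis, GStreamer or the reporter). The function names and the 64 KiB cap are hypothetical, chosen only for illustration.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this example; not a GStreamer or libvorbis constant. */
#define MAX_TAG_VALUE_LEN (64u * 1024u)

/* Pattern from the report: the "TAG=value" scratch buffer comes from alloca(),
 * so its size is bounded only by the input file. A value of about 1 MB can
 * exceed the thread's stack and crash the process. */
size_t join_tag_stack(const char *tag, const char *value, size_t vlen)
{
    size_t tlen = strlen(tag);
    char *buf = alloca(tlen + vlen + 2);   /* unbounded stack allocation */
    memcpy(buf, tag, tlen);
    buf[tlen] = '=';
    memcpy(buf + tlen + 1, value, vlen);
    buf[tlen + 1 + vlen] = '\0';
    return strlen(buf);
}

/* Heap-based form: a failed allocation is reported as NULL instead of
 * overflowing the stack. The caller owns the result and must free() it. */
char *join_tag_heap(const char *tag, const char *value, size_t vlen)
{
    size_t tlen = strlen(tag);
    if (vlen > SIZE_MAX - tlen - 2)
        return NULL;                       /* length arithmetic would wrap */
    char *buf = malloc(tlen + vlen + 2);
    if (buf == NULL)
        return NULL;
    memcpy(buf, tag, tlen);
    buf[tlen] = '=';
    memcpy(buf + tlen + 1, value, vlen);
    buf[tlen + 1 + vlen] = '\0';
    return buf;
}

/* Caller-side workaround: drop oversized values before they reach a library
 * routine that may place them on the stack. Returns NULL when rejected. */
char *forward_tag(const char *tag, const char *value, size_t vlen)
{
    if (vlen > MAX_TAG_VALUE_LEN)
        return NULL;
    return join_tag_heap(tag, value, vlen);
}
```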