Bug#1091633: libtheora: CVE-2024-56431

Sat, 15 Mar 2025 01:54:13 -0700 

Control: tags -1 + patch

This patch has been applied upstream to fix this security problem.  It
is also included in the 1.2.0beta1 release which was tagged upstream
today.

commit 5665f86b8fd8345bb09469990e79221562ac204b
Author: Petter Reinholdtsen <p...@debian.org>
Date:   Mon Mar 10 22:45:57 2025 +0100

    Avoid negative bit shift operatoin in huffdec.c (CVE-2024-56431).
    
    A crash was discovered using input fuzzying, in th_decode_ceaderin()
    where the len value in the oc_fuff_tree_unpack() can end up as -1.
    Added a check to ensure this do not happen.
    
    Based on feedback from Timothy B. Terriberry.
    
    The issue was discovered using gcc sanitazion, which reported the following:
    
    huffdec.c:228:27: runtime error: shift exponent -1 is negative
        #0 0x5d471012bfd0 in oc_huff_tree_unpack 
/home/uos/libtheora-18570/theora/lib/huffdec.c:228
        #1 0x5d471012c134 in oc_huff_trees_unpack 
/home/uos/libtheora-18570/theora/lib/huffdec.c:392
        #2 0x5d471010a98c in oc_setup_unpack 
/home/uos/libtheora-18570/theora/lib/decinfo.c:169
        #3 0x5d471010a98c in oc_dec_headerin 
/home/uos/libtheora-18570/theora/lib/decinfo.c:238
        #4 0x5d471010a98c in th_decode_headerin 
/home/uos/libtheora-18570/theora/lib/decinfo.c:266
        #5 0x5d47100fd638 in TheoraDecoder::initialize() 
/home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
        #6 0x5d47100ffa76 in TheoraDecoder::Run() 
/home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
        #7 0x5d47100ffe48 in main 
/home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
        #8 0x7cc9a5e29d8f in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
        #9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #10 0x5d47100f9964 in _start 
(/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)
    
    Fixes github pull request #19.

diff --git a/lib/huffdec.c b/lib/huffdec.c
index cc1828d..1bab3dd 100644
--- a/lib/huffdec.c
+++ b/lib/huffdec.c
@@ -224,6 +224,7 @@ int oc_huff_tree_unpack(oc_pack_buf *_opb,unsigned char 
_tokens[256][2]){
         _tokens[ntokens][1]=(unsigned char)(len+neb);
         ntokens++;
       }
+      if(len<=0)break;
       code_bit=0x80000000U>>len-1;
       while(len>0&&(code&code_bit)){
         code^=code_bit;

-- 
Happy hacking
Petter Reinholdtsen

Reply via email to