retitle 568683 libogg-vorbis-perl: segmentation fault on corrupt ogg file (null pointer dereference)
severity 568683 important
tags 568683 patch
thanks

I was wondering about the security, but this is just a null pointer dereference. So, I think that at worst, this is a denial of service in case of an on-line service. I'm raising the severity to important for this reason (the bug is easily fixable anyway).

I've attached a patch, that seems to work. But please check that it is OK, as I had never touched Perl interfaces before.

Note: I think that a croak when ov_comment returns a null pointer (this is what my patch does) is probably better than returning nothing because this is a real error in the user code (or an internal error such as the consequence of Debian bug 568607) and because this allows one to make a difference with an empty set of comments. I don't know whether the form of the croak message is OK, though.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

--- libvorbis-perl-0.05.ds1.orig/Vorbis.xs 2003-08-13 14:16:29.000000000 +0000 +++ libvorbis-perl-0.05.ds1/Vorbis.xs 2010-02-06 23:34:41.000000000 +0000 @@ -158,9 +158,11 @@ CODE: /* fetch the comments */ comments = ov_comment(self, link); + if (!comments) + croak("file has not been initialized properly or bitstream does not exist"); RETVAL = newHV(); /* store the comments in a hash */ - for (i=0; i < comments->comments; i++) { + for (i=0; comments && i < comments->comments; i++) { key = comments->user_comments[i]; if (val = strchr(key, '=')) { keylen = val - key;
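
Review bot: the `comments &&` test added to the for loop condition is dead code. croak() does not return, so once the new `if (!comments)` check has passed, comments is always non-NULL by the time the loop runs. Keep the original condition `i < comments->comments` and let the croak be the single NULL guard, which also keeps the diff smaller. The check is correctly placed before `RETVAL = newHV()`, so nothing is allocated on the error path. The croak message would be easier to trace from Perl if it named the failing call (ov_comment) and the requested link, since it currently gives the caller no hint which method or bitstream index triggered it.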