Nothings Stb Vorbis.C vulnerabilities

CVE-2023-47212 [CRITICAL] CWE-190 CVE-2023-47212: A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.2 A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-45678 [HIGH] CWE-787 CVE-2023-45678: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.

CVE-2023-45679 [HIGH] CWE-415 CVE-2023-45679: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead

CVE-2023-45676 [HIGH] CWE-787 CVE-2023-45676: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memor

CVE-2023-45677 [HIGH] CWE-787 CVE-2023-45677: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `l

CVE-2023-45682 [HIGH] CWE-125 CVE-2023-45682: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

CVE-2023-45681 [HIGH] CWE-787 CVE-2023-45681: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another

CVE-2023-45675 [HIGH] CWE-787 CVE-2023-45675: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer`

CVE-2023-45680 [MEDIUM] CWE-476 CVE-2023-45680: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. Thi