A potential bug of NPD

[ash1852]

Hi, I found a potential null pointer dereference bug in the project source code of opusfile, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow,the file path can be seen in the blue framed section.

Although the code shown is for version 0.9 but is still exist in current version

opusfile/src/opusfile.c

Lines 1527 to 1532 in cf218fb

	if(_initial_bytes>0){
	char *buffer;
	buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
	memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
	ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
	}

would you can help to check if this bug is true?thank you for your effort and patience!

[rillian]

A lot of our code assumes malloc is infallible, just like we don't validate any of the pointer arguments in this function. But it looks like opusfile does check occasionally, so checking and returning OP_EFAULT would be reasonable here.

[ash1852]

ok.thank you for your effort.

[rillian]

Fixed in 0a4cd79. Thanks for the report!

[nanonyme]

@rillian would it be possible to actually make a release with this fix? There is a CVE reported against this and everyone is now applying the patch downstream while waiting for opusfile release.