[Speex-dev] speex affected by vulnerability described in [oCERT 2008-02]

Conrad Parker conrad at metadecks.org
Mon Apr 7 19:39:43 PDT 2008

On 08/04/2008, Jean-Marc Valin <jean-marc.valin at usherbrooke.ca> wrote:
> Andrea Barisani a écrit :
>  > We
>  > published yesterday an advisory about libfishsound, you can find it at the
>  > following URL:
>  >
>  > http://www.ocert.org/advisories/ocert-2008-2.html
>  >
>  > The issues seems to affect Speex (since the code is the same) versions <=
>  > 1.1.12. While the 1.2beta branch is not vulnerable we advise that you fix
>  > with a security release what's advertised as stable version as well.
> The fundamental issue is actually not with Speex itself. What happens is
>  that libfishsound would use the Speex call to parse the header, but
>  wouldn't actually sanitise them.

I think Andrea is saying that the speexdec shipped in <= 1.1.12 does
have the bug, and suggesting a 1.0.x release that fixes it (as 1.0.5
is still advertised as the "stable"  branch at

>  That being said, I think it's worth
>  putting a workaround in Speex that just rejects headers that have
>  invalid modes or other invalid data.

I sent Jean-Marc a patch that does that recently. This issue is also
avoided if the speex_lib_get_mode() function is used instead of
indexing into the global speex_mode_list[]. See
for a discussion about that.

Anyway, I wouldn't call these "workarounds", just part of making a
robust API :-)



More information about the Speex-dev mailing list