<div dir="ltr"><div>Hi,</div><div><br></div><div>I ran into a crash when using 32-bit `speexdec` and found that there's an address overflow in function `<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,253,207);color:rgb(0,0,0);font-family:Menlo;font-size:11px">print_comments()`:</span></div><div><font color="#000000" face="Menlo"><span style="font-size:11px;font-variant-ligatures:no-common-ligatures"><br></span></font><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">static</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">void</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> print_comments(</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">char</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> *comments, </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">int</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> length)</span><br></p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">
</span></p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">{</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">char</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> *c=comments;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">int</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> len, i, nb_fields;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,186,35)">char</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> *end;</span></p>
<p class="gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207);min-height:13px"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">if</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> (length<</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">8</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>{<span class="gmail-Apple-converted-space">   </span></span></p>
<p class="gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">      </span>fprintf (</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">stderr</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">, </span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">"Invalid/corrupted comments</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(211,56,209)">\n</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">"</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">);</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">      </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">return</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>}<span class="gmail-Apple-converted-space">   </span></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>end = c+length;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>len=readint(c, </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">0</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">);<span class="gmail-Apple-converted-space"> </span></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>c+=</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">4</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">;</span></p><p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">// 'c+len' MAY OVERFLOW</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">if</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> (len < </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">0</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"> || c+len>end)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>{<span class="gmail-Apple-converted-space">   </span></span></p>
<p class="gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">      </span>fprintf (</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">stderr</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">, </span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">"Invalid/corrupted comments</span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(211,56,209)">\n</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">"</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">);</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">      </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">return</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">   </span>}</span></p><p></p>


</div><div><br></div><div>The pointer `c` happened to be greater than `0x80000000` and the sum overflowed, even though `length` is positive.</div><div><br></div><div>Here's the patch code:</div><div><br></div><div>









<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>diff --git a/src/speexdec.c b/src/speexdec.c</b></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>index 4721dc1..18786f1 100644</b></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>--- a/src/speexdec.c</b></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>+++ b/src/speexdec.c</b></span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,184,197)">@@ -105,7 +105,7 @@</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> static void print_comments(char *comments, int length)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>end = c+length;</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>len=readint(c, 0);</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>c+=4;</span></p>
<p class="gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">- <span class="gmail-Apple-converted-space">  </span>if (len < 0 || c+len>end)</span></p>
<p class="gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(48,186,35);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">+ <span class="gmail-Apple-converted-space">  </span>if (len < 0 || c+len>end || c+len<c)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>{</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>fprintf (stderr, "Invalid/corrupted comments\n");</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>return;</span></p>
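<div>Review bot: the new `c+len<c` clause on the `+` line tests a pointer that has already been pushed out of bounds, and forming such a pointer is undefined behaviour in C, so a compiler that knows `len >= 0` from the first clause is entitled to fold `c+len<c` to false and drop the very check this hunk adds. Compare lengths rather than pointers, so the out-of-range pointer is never formed, e.g. `if (len < 0 || len > end - c)` (`end - c` is the count of bytes still unread); the same reasoning applies to `end = c+length` in the context above, which is only safe while `length` matches the allocation.</div>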
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(48,184,197)">@@ -129,7 +129,7 @@</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> static void print_comments(char *comments, int length)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>}</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>len=readint(c, 0);</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>c+=4;</span></p>
<p class="gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">-<span class="gmail-Apple-converted-space">      </span>if (len < 0 || c+len>end)</span></p>
<p class="gmail-p3" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(48,186,35);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">+<span class="gmail-Apple-converted-space">      </span>if (len < 0 || c+len>end || c+len<c)</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">       </span>{</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">          </span>fprintf (stderr, "Invalid/corrupted comments\n");</span></p>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">          </span>return;</span></p>
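<div>Review bot: same concern as in the first hunk, and it matters more here because this check sits inside the per-field loop where `c` advances by `4+len` on every pass: `c+len<c` only fires after the pointer has wrapped, which the compiler may treat as unreachable, so replace it with a remaining-length comparison such as `if (len < 0 || len > end - c)`, and express the guard for the 4-byte `readint(c, 0)` just above the same way (`end - c < 4`) rather than as a pointer sum.</div>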


<br></div><div>Thanks!</div><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Best regards,<br><br>Ruikai Liu<br></div>
</div>
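<div><br></div><div>Added example (not code from speexdec or from this post): a parser for the same comment layout that print_comments() walks, which bounds every field by the count of bytes still unread instead of comparing pointers, so the check holds regardless of where the buffer sits in a 32-bit address space. It assumes the layout is a 4-byte little-endian length, the vendor string, a 4-byte field count, then (length, string) pairs, and that readint() is a little-endian read; rd_le32, take_field, parse_comments and the two sample blocks are my own.</div>

```c
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read; assumed to match what speexdec's readint() does. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Consume one length-prefixed field; 'avail' counts the bytes still unread.
 * Bounds are checked on sizes, never on pointers, so no out-of-range pointer
 * is ever formed: this stands in for 'c+len>end || c+len<c'. */
static int take_field(const unsigned char **pp, size_t *avail, size_t *out_len)
{
    uint32_t n;
    if (*avail < 4) return 0;       /* no room for the 4-byte length word */
    n = rd_le32(*pp);
    *pp += 4; *avail -= 4;
    if (n > *avail) return 0;       /* claimed length exceeds what is left */
    *out_len = n;
    *pp += n; *avail -= n;
    return 1;
}

/* Walk a comment block (vendor string, field count, fields), writing each
 * string to 'out' when non-NULL. Returns the number of strings, or -1 if
 * the block is truncated or corrupt. */
int parse_comments(const unsigned char *comments, size_t length, FILE *out)
{
    const unsigned char *c = comments;
    size_t avail = length, n;
    uint32_t nb_fields, i;
    int count = 0;
    if (length < 8 || !take_field(&c, &avail, &n))   /* vendor string */
        return -1;
    if (out) { fwrite(c - n, 1, n, out); fputc('\n', out); }
    count++;
    if (avail < 4) return -1;       /* no room for the field count */
    nb_fields = rd_le32(c);
    c += 4; avail -= 4;
    for (i = 0; i < nb_fields; i++) {
        if (!take_field(&c, &avail, &n)) return -1;
        if (out) { fwrite(c - n, 1, n, out); fputc('\n', out); }
        count++;
    }
    return count;
}

/* Constructed samples: a well-formed block, and one whose vendor length word
 * claims 0x7fffffff bytes, the kind of value that wrapped the 32-bit pointer. */
static const unsigned char good_block[] = {
    4,0,0,0, 'X','i','p','h',  1,0,0,0,
    9,0,0,0, 'A','R','T','I','S','T','=','m','e'
};
static const unsigned char bad_block[] = {
    0xff,0xff,0xff,0x7f, 'X','i','p','h',  1,0,0,0
};

int main(void)
{   /* prints "Xiph" and "ARTIST=me"; exit status 1 if either block misparses */
    return parse_comments(good_block, sizeof good_block, stdout) != 2 ||
           parse_comments(bad_block, sizeof bad_block, NULL) != -1;
}
```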