PJSIP
cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*
- <= 2.15.1
A buffer overflow vulnerability has been identified in PJSIP versions prior to 2.16, specifically within the Opus audio codec's Packet Loss Concealment (PLC) feature. This vulnerability arises because the PLC can zero-fill the input frame based on the decoder's packet time (ptime), while the actual input frame length, determined by the stream's ptime, may be shorter. As a result, PJSIP applications using the Opus codec in the receiving direction may experience a memory overwrite, leading to an unexpected application termination.
Exploitation of this vulnerability causes a buffer overflow, resulting in a memory overwrite that can lead to a crash of the application using the PJSIP library.
The vulnerability can be reproduced by using PJSIP version 2.15.1 or earlier with the Opus audio codec enabled for incoming streams. When a stream is received where the frame length is shorter than the expected decoder ptime, the PLC feature will incorrectly zero-fill the buffer, causing a memory overwrite.
Users can upgrade to PJSIP version 2.16 or later, where this vulnerability has been patched.
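The length mismatch described above, modelled in C as an added illustration. This is not PJSIP source code or the 2.16 patch; the function names, the 48 kHz mono format, the 10 ms stream ptime and the 20 ms decoder ptime are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of 16-bit PCM in one frame of ptime_ms at clock_rate Hz. */
static size_t pcm_frame_bytes(unsigned clock_rate, unsigned channels, unsigned ptime_ms)
{
    return (size_t)clock_rate / 1000 * ptime_ms * channels * sizeof(int16_t);
}

/* Flawed pattern: the fill length comes from the decoder ptime alone. */
static size_t plc_fill_len_unchecked(size_t frame_cap, size_t dec_bytes)
{
    (void)frame_cap;              /* capacity of the input frame is ignored */
    return dec_bytes;
}

/* Hardened pattern: the fill length never exceeds the input frame capacity. */
static size_t plc_fill_len_checked(size_t frame_cap, size_t dec_bytes)
{
    return dec_bytes < frame_cap ? dec_bytes : frame_cap;
}

/* Bytes that a fill of fill_len would write past a frame_cap-byte buffer. */
static size_t overrun_bytes(size_t frame_cap, size_t fill_len)
{
    return fill_len > frame_cap ? fill_len - frame_cap : 0;
}

/* Zero-fill with the clamped length; returns 1 if the guard bytes survive. */
static int demo_checked_fill(void)
{
    size_t cap = pcm_frame_bytes(48000, 1, 10);   /* stream ptime: 960 bytes */
    size_t dec = pcm_frame_bytes(48000, 1, 20);   /* decoder ptime: 1920 bytes */
    unsigned char mem[960 + 8];                   /* frame plus 8 guard bytes */
    memset(mem, 0xAA, sizeof(mem));
    memset(mem, 0, plc_fill_len_checked(cap, dec));
    for (size_t i = cap; i < sizeof(mem); i++)
        if (mem[i] != 0xAA) return 0;
    return 1;
}

int main(void)
{
    size_t cap = pcm_frame_bytes(48000, 1, 10), dec = pcm_frame_bytes(48000, 1, 20);
    printf("unchecked overrun: %zu bytes\n", overrun_bytes(cap, plc_fill_len_unchecked(cap, dec)));
    printf("checked overrun:   %zu bytes\n", overrun_bytes(cap, plc_fill_len_checked(cap, dec)));
    printf("guard intact after checked fill: %d\n", demo_checked_fill());
    return 0;
}
```

The unchecked length is only computed, never written, so the program itself stays memory-safe while showing how far a decoder-ptime fill would run past a stream-ptime frame.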