Nothings STB Vorbis Remote Invalid Free Vulnerability in Memory Deallocation

Vulnerability

An invalid free vulnerability has been identified in Nothings STB Vorbis versions through 1.22. The issue arises in the 'setup_free' function of 'stb_vorbis.c', where the 'vorbis_deinit()' function calls 'setup_free()' to deallocate internal decoder structures. When processing a crafted Ogg Vorbis file, malformed setup headers can corrupt the internal state, leading 'setup_free()' to attempt to free an invalid pointer. This causes a crash in the memory allocator, as indicated by AddressSanitizer output. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability crashes the application: the invalid pointer passed to the allocator's free routine disrupts normal memory management, and the condition can potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by compiling a program that uses the STB Vorbis decoder with AddressSanitizer enabled and having it open a crafted Ogg Vorbis file whose malformed setup headers corrupt the decoder's internal state. When the decoder cleans up and frees its resources, the invalid pointer causes a segmentation fault, demonstrating the vulnerability.
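The failure mode described in the Vulnerability and Reproduction sections is a deinit routine that passes a pointer it never allocated to the allocator. The following C program is an added illustration, not code from this entry or from stb_vorbis: it models a small decoder whose setup phase records every allocation it owns, and whose setup_free refuses any pointer that is NULL or not in that ownership list instead of handing it to free(). The decoder_t layout, the table names and the corrupted-pointer scenario are all constructed for the example; with the validation removed, the same scenario is the class of bad free that AddressSanitizer reports.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state modelled on the situation in the advisory:
 * a setup phase allocates internal tables, a deinit phase frees them.
 * None of this is stb_vorbis code. */
#define MAX_SETUP_ALLOCS 16

typedef struct {
    void  *owned[MAX_SETUP_ALLOCS];   /* every pointer handed out by setup_alloc */
    int    owned_count;
    float *floor_table;               /* constructed table names */
    int   *residue_table;
    void  *codebook;
    int    rejected_frees;            /* invalid frees that deinit refused */
} decoder_t;

/* Allocate and record ownership so deinit can later verify the pointer. */
static void *setup_alloc(decoder_t *d, size_t n) {
    if (d->owned_count >= MAX_SETUP_ALLOCS) return NULL;
    void *p = calloc(1, n);
    if (p) d->owned[d->owned_count++] = p;
    return p;
}

/* Hardened setup_free: release only pointers this decoder actually owns.
 * A NULL or unknown pointer is refused rather than passed to free(),
 * which is exactly where an invalid free would otherwise occur. */
static int setup_free(decoder_t *d, void **slot) {
    void *p = *slot;
    if (p == NULL) return 0;
    for (int i = 0; i < d->owned_count; i++) {
        if (d->owned[i] == p) {
            free(p);
            d->owned[i] = d->owned[--d->owned_count];  /* drop from list */
            *slot = NULL;                               /* no double free later */
            return 1;
        }
    }
    d->rejected_frees++;   /* corrupted or foreign pointer: leave it alone */
    *slot = NULL;
    return 0;
}

static void decoder_init(decoder_t *d) {
    memset(d, 0, sizeof *d);   /* zeroed state: every table starts as NULL */
    d->floor_table   = setup_alloc(d, 64 * sizeof(float));
    d->residue_table = setup_alloc(d, 32 * sizeof(int));
    d->codebook      = setup_alloc(d, 256);
}

/* Deinit frees each table through the validating setup_free, then releases
 * anything still in the ownership list (a table whose pointer was
 * overwritten would otherwise leak). */
static void decoder_deinit(decoder_t *d) {
    setup_free(d, (void **)&d->floor_table);
    setup_free(d, (void **)&d->residue_table);
    setup_free(d, &d->codebook);
    while (d->owned_count > 0)
        free(d->owned[--d->owned_count]);
}

/* Constructed scenario: header parsing has overwritten one table pointer
 * with an address that was never returned by the allocator. */
static int run_corrupted_deinit(void) {
    static int not_an_allocation[4];
    decoder_t d;
    decoder_init(&d);
    d.residue_table = not_an_allocation;   /* corrupted pointer */
    decoder_deinit(&d);
    return d.rejected_frees;               /* 1: refused, not freed */
}

static int run_clean_deinit(void) {
    decoder_t d;
    decoder_init(&d);
    decoder_deinit(&d);
    return d.rejected_frees + d.owned_count;   /* 0: all freed, none refused */
}

int main(void) {
    printf("corrupted deinit refused %d free(s)\n", run_corrupted_deinit());
    printf("clean deinit refused %d free(s)\n", run_clean_deinit());
    return 0;
}
```

Building this with -fsanitize=address and deleting the ownership check in setup_free turns the corrupted run into an AddressSanitizer "attempting free on address which was not malloc()-ed" report, which is the report class the advisory's reproduction step relies on; with the check in place the run completes and the refused free is counted instead.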

Added: Apr 2, 2026, 12:21 AM
Updated: Apr 2, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread          5.4
impact          2.5
exploitability  5.6
remediation     0.0
relevance       5.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.