Nothings stb_vorbis.c
cpe:2.3:a:nothings:stb_vorbis.c:*:*:*:*:*:*:*
- <= 1.22
A heap buffer overflow vulnerability has been identified in Nothings stb versions through 1.22, specifically within the Vorbis decoding component. The issue arises in the 'start_decoder' function of 'stb_vorbis.c', where an integer overflow occurs during the allocation of the comment list. This vulnerability allows for out-of-bounds writes, leading to significant heap corruption. The flaw can be exploited remotely, and a public proof-of-concept exploit is available.
Exploitation of this vulnerability causes a heap-based out-of-bounds write, with potential consequences including arbitrary code execution, denial-of-service, or general heap corruption.
The vulnerability can be reproduced by decoding a crafted Ogg Vorbis file using the 'stb_vorbis' library. The file should be prepared to trigger the integer overflow in the comment list allocation, which can be achieved by setting the 'comment_list_length' to a value that causes the allocation size to overflow and truncate, leading to out-of-bounds writes.
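The allocation pattern described above, next to a checked form, as an added example that is not stb_vorbis code and not taken from this advisory. The names `alloc_int`, `unchecked_request_size` and `alloc_comment_list`, the int-sized allocator, and the `bytes_left` bound (which assumes each comment entry starts with a 32-bit length field) are illustrative assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical allocator taking an int size (assumption for illustration,
   not the library's routine). */
static void *alloc_int(int sz) { return sz > 0 ? malloc((size_t)sz) : NULL; }

/* Unchecked pattern: the table size is narrowed to int, so a large count
   turns into a small or negative request while later loops still trust
   the original count. */
int unchecked_request_size(uint32_t count) {
    return (int)(uint32_t)(sizeof(char *) * (size_t)count);
}

/* Checked pattern: 0 on success (*out is NULL for an empty list), -1 when
   the count cannot be trusted. bytes_left is the unread remainder of the
   header packet (constructed parameter). */
int alloc_comment_list(uint32_t count, size_t bytes_left, char ***out) {
    *out = NULL;
    if (count == 0) return 0;
    if (count > (size_t)INT_MAX / sizeof(char *)) return -1; /* size fits int */
    if (count > bytes_left / 4) return -1; /* 4-byte length field per entry */
    *out = alloc_int((int)(count * sizeof(char *)));
    return *out ? 0 : -1;
}

int main(void) {
    uint32_t count = 0x40000001u; /* constructed sample value */
    char **list;
    printf("unchecked request: %d bytes for %u entries\n",
           unchecked_request_size(count), (unsigned)count);
    printf("checked: %d\n", alloc_comment_list(count, 64, &list));
    printf("checked, 3 entries: %d\n", alloc_comment_list(3, 64, &list));
    free(list);
    return 0;
}
```

The second check in `alloc_comment_list` goes beyond the overflow itself: it rejects any count that the remaining input could not possibly contain, which also caps memory use for counts that pass the first check.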