Codec · C

How to fuzz libvorbis

Vorbis's VQ codebooks and floor curves involve arithmetic that is easy to overflow.

libvorbis has a documented history of heap corruption bugs in its vector quantisation codebook decoder and floor-curve interpolation. Ogg Vorbis files are still widely used in games and media, and a malformed file in a game's asset bundle reaches the decoder with no further validation.

Common bug classes

  • Heap buffer overflow in VQ codebook lookup table
  • Divide-by-zero in floor type 1 interpolation
  • Integer overflow in residue partition class assignment
  • Out-of-bounds read in mode/mapping header parsing
  • Null dereference on truncated codebook packet

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <vorbis/codec.h>

#ifdef __cplusplus
extern "C"   /* libFuzzer resolves this entry point by its unmangled C name */
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  vorbis_info vi;
  vorbis_comment vc;
  ogg_packet op;
  vorbis_info_init(&vi);
  vorbis_comment_init(&vc);
  /* Hand the whole input to the header parser as one beginning-of-stream
   * packet. With fresh vi/vc state this reaches only the identification
   * header parser: comment and setup packets are rejected until an
   * identification header has been accepted. */
  memset(&op, 0, sizeof op);
  op.packet = (unsigned char *)data;
  op.bytes = (long)size;
  op.b_o_s = 1;
  vorbis_synthesis_headerin(&vi, &vc, &op);
  vorbis_comment_clear(&vc);
  vorbis_info_clear(&vi);
  return 0;
}

Save this as fuzz_target.cc, build it with your compiler and sanitizer flags, and you have a working starting point. Note that this scaffold feeds a single beginning-of-stream packet to a fresh decoder state, so it exercises only the identification header parser; the codebook, floor and residue code behind the bug classes above runs only after the three header packets have been accepted in order and audio packets follow.

Notable CVEs found by fuzzing

  • CVE-2018-10392
  • CVE-2018-10393

Start fuzzing libvorbis on Fuzze.rs →