xiph / speex Goto Github PK

So i wrote a test.c to verify the encoding function. I used 'stdio.h' and 'speex.h' as header files. After i type "gcc -o test test.c",it displays errors like "undefined reference to 'speex_encoder_init' "(and other functions such as speex_encode, speex_bits_reset). I guess there is something wrong with my cammand line,but i really don't know how to fix it.

We use Veracode for scanning our mobile application. It complains the following when this library is used in my code.

The result of this call to calloc() is not checked for success before being used. This can result in application instability or crashing if memory is not available.

Can this be fixed?

when speexenc encode wav file , deal with channels 0 will generate a Division by zero error which will cause the software crash
sample.tar.gz
usage :
speexenc sample -

vulnerability function:
static int read_samples(FILE *fin,int frame_size, int bits, int channels, int lsb, short * input, char *buff, spx_int32_t size)
{
unsigned char in[MAX_FRAME_BYTES2];
int i;
short *s;
int nb_read;
size_t to_read;

if (size && *size<=0)
{
return 0;
}

to_read = bits/8channelsframe_size;

I can not understand why we make speex_decode_int of jitter->current_packet 2 times
first time after get packet from buffer, after set flag valid_bits to 1, second time at next speex_jitter_get call

speex_jitter_buffer.c:

void speex_jitter_get(SpeexJitter *jitter, spx_int16_t *out, int *current_timestamp) {
   //....
   if (jitter->valid_bits)
   {
//
//         here we decode last received packet to out second time
//
      ret = speex_decode_int(jitter->dec, &jitter->current_packet, out);
      //...
   }
   
   //....

//     
//        here we decode last received packet to out first time
//
      ret = speex_decode_int(jitter->dec, &jitter->current_packet, out);
      if (ret == 0)
      {
         jitter->valid_bits = 1;
     }
//....
}

Thanks!

Visual Studio projects are obsolete, VS2008 project is broken.

I have working CMakeLists.txt project for speex, with almost every Autotools option implemented. That means you can generate Unix makefiles, VS 6.0-2017 projects and many more.

If you are interested, i will make pull request or patch.

Our fuzzing tool has found an input that makes speexenc hang on it. Attached is the corrupted input.

32.zip

speexenc  32 -

Is the speex_preprocessor taken out?

Was it replaced with something else?

I have found a stack buffer overflow vulnerability in speexenc,this may cause a rce by open a crafted wav file
sample2.zip
the vulnerability function:
speexenc.c:122
} else {
nb_read = fread(in,1,to_read,fin);

This bug is found in git commit 6e04bfa.

to reproduce the bug:
valgrind ./speexenc test.input -

PoC input is attached.(this input is generated by fuzzer, the pdf suffix is to bypass github's upload regulation)
poc.pdf

We have implemented speex in our engine for the time being then we are switching over to the speexdsp when we get a cmake file made for it. For now we are testing with this. We are getting clear audio through our bitstream and its coming out nicely at the other end writing 8 frames each time, as i understand it though the frame size of speex is 20ms no matter what band mode you choose, our engine updates the loop every 32ms, and we are noticing a dip in audio each time, was curious if it is possible to change the frame size timing? or is this something that would need to be fixed by using speexdsp?

Bug description

The speex decoder in libspeex does not properly sanitize its input.

Applications using libspeex can crash when decoding bad speex frames, resulting in denial-of-service. It may also be possible to achieve remote code execution.

This bug was initially reported as signalapp/Signal-Android#6334.

Steps to reproduce

• Write a minimal program using libspeex to decode raw speex data. You can use this one: https://gist.github.com/klemensbaum/fb7c41c981ac43a5abbb3d8fb99d3902
• Obtain some sample audio and convert it to raw speex frames. Save each frame as a separate file in a testcases directory.
• (optional) Prune redundant test cases with afl-tmin
• Run afl-fuzz over it: afl-fuzz -i testcases -o findings -- ./speex-fuzz @@

Actual result: afl-fuzz finds a lot of crashes
Expected result: afl-fuzz doesn't find any crashes

Example crashes

Some example crashes found during a short afl-fuzz run: https://gist.github.com/klemensbaum/3df0260fe459c10a5adb2fd569b41dda

I now have a need to obtain the voice stream in speex format in real time, sampleRate: 16000, channelCount: 1, read a byte with a fixed length of 300 and call Decode to convert pcm, but audio data loss and noise appear in the pcm file after conversion.

1. May I ask how much length of byte conversion should I set?
2. When inputting different byte lengths, an error message appears, for example: More than two wideband layers found. What parameters do I need to adjust?
   I hope you can help me solve this problem as soon as possible, I wish you a happy life, thank you!

Hi,
Is the speex component being maintained? It seems like it hasn't been updated for a long time.
^_^