[vorbisenc] Stack overflow with large input METADATA_BLOCK_PICTURE
Submitted by Andrew Aldridge
Link to original bug (#755167)
Description
gst-launch-1.0 filesrc location=Burn\ The\ Sky.mp3 ! decodebin ! audioconvert ! vorbisenc ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Redistribute latency...
Bus error: 10
The crash occurs because gst_vorbis_enc_metadata_set1() calls vorbis_comment_add_tag() with arbitrarily large data taken from the input file (in this case, the tag METADATA_BLOCK_PICTURE has size 1,063,488). vorbis_comment_add_tag() will allocate a new buffer with alloca(), causing a stack overflow.
I have a bug open for libvorbis (https://trac.xiph.org/ticket/2221) since replacing alloca() with _ogg_alloc() resolves the issue, but it may be worth working around this on the GStreamer side.
Version: 1.x
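The allocation pattern described in the report, set beside a heap-backed form and a caller-side size check, as an added example that is not part of the original report and is not libvorbis or GStreamer code. `build_tag_comment`, `add_tag_checked` and `MAX_TAG_VALUE_LEN` are hypothetical names, and the 64 KiB limit is an assumed policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit; not a GStreamer or libvorbis constant. */
#define MAX_TAG_VALUE_LEN (64u * 1024u)

/* Pattern the report describes (sketch, not libvorbis source):
 *     char *comment = alloca(strlen(tag) + strlen(contents) + 2);
 * The length comes from the input file and alloca() has no error return. */

/* Heap-backed form: builds "TAG=contents". Returns NULL on size overflow
 * or allocation failure; the caller frees the result. */
char *build_tag_comment(const char *tag, const char *contents)
{
    size_t tlen = strlen(tag), clen = strlen(contents);
    if (tlen > SIZE_MAX - 2 || clen > SIZE_MAX - 2 - tlen)
        return NULL;
    char *comment = malloc(tlen + clen + 2);   /* +2 for '=' and NUL */
    if (comment == NULL)
        return NULL;
    memcpy(comment, tag, tlen);
    comment[tlen] = '=';
    memcpy(comment + tlen + 1, contents, clen + 1);
    return comment;
}

/* Caller-side check: 1 = accepted (*out set), 0 = skipped as oversized, -1 = error. */
int add_tag_checked(const char *tag, const char *contents, char **out)
{
    *out = NULL;
    if (strlen(contents) > MAX_TAG_VALUE_LEN)
        return 0;
    *out = build_tag_comment(tag, contents);
    return *out ? 1 : -1;
}

int main(void)
{
    size_t n = 1063488;                      /* size quoted in the report */
    char *out, *value = calloc(n + 1, 1);    /* constructed stand-in value */
    if (value == NULL) return 1;
    memset(value, 'A', n);
    printf("oversized: %d\n", add_tag_checked("METADATA_BLOCK_PICTURE", value, &out));
    free(out);
    free(value);
    return 0;
}
```

The heap-backed function handles the full-size value without touching the stack, while the caller-side check shows the alternative of skipping oversized tags before they reach the library.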