Comment 37 for bug 218652

In , Tomas (tomas-redhat-bugs) wrote:

Speex upstream added a check in speex_packet_to_header(), so that it can address this
problem for all affected apps that use speex_packet_to_header and check its
return value (all applications seem to do that correctly). For a caller of
speex_packet_to_header that does not check the return value, it will reduce the problem
to a crash caused by a NULL pointer dereference.

Patch applied to speex_packet_to_header():

$ svn diff -c 14701 http://svn.xiph.org/trunk/speex/libspeex/
Index: speex_header.c
===================================================================
--- speex_header.c (revision 14700)
+++ speex_header.c (revision 14701)
@@ -178,6 +178,13 @@
    ENDIAN_SWITCH(le_header->frames_per_packet);
    ENDIAN_SWITCH(le_header->extra_headers);

+ if (le_header->mode >= SPEEX_NB_MODES || le_header->mode < 0)
+ {
+ speex_notify("Invalid mode specified in Speex header");
+ speex_free (le_header);
+ return NULL;
+ }
+
    if (le_header->nb_channels>2)
       le_header->nb_channels = 2;
    if (le_header->nb_channels<1)
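Review bot: the new range check reads `le_header->mode` after the ENDIAN_SWITCH calls, so it tests the host-order value, which is the right place; the `le_header->mode < 0` half only does anything if the field is a signed type, so confirm `mode` is `spx_int32_t` rather than an unsigned type (an unsigned compare against 0 is always false and most compilers warn about it). The error path frees `le_header` before `return NULL`, consistent with the function's existing NULL-on-failure contract; since the log notes that many callers never checked that return, the NULL return for an invalid mode deserves a line in the header documentation. The `nb_channels` lines that follow clamp rather than reject, so consider whether one policy for out-of-range header fields would be clearer.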

$ svn log -r 14701 http://svn.xiph.org/trunk/speex/libspeex/
------------------------------------------------------------------------
r14701 | jm | 2008-04-11 05:48:46 +0200 (Fri, 11 Apr 2008) | 5 lines

Patch by kfish that checks for headers with invalid mode numbers. Technically,
it should have been the application's responsibility, but many didn't, so
we ended up with security issues. Considering that there's no real use for
modes that Speex doesn't know about, this should work around a lot of problems.

------------------------------------------------------------------------
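As an added example, not code from the bug report or from libspeex: a stand-alone parser for the 80-byte Speex stream header that applies the same mode-range rejection as r14701 to the host-order value, adds a short-buffer check, and includes a helper that builds constructed headers so the accept/reject behaviour can be tested. The field layout follows the public SpeexHeader struct and SPEEX_NB_MODES = 3 is assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SPEEX_NB_MODES 3      /* assumption: nb, wb, uwb modes in libspeex */
#define SPEEX_HEADER_SIZE 80  /* 8 + 20 + 13 * 4 bytes on the wire */
/* The 13 int32 fields that follow the two strings, in wire order
 * (layout follows the public SpeexHeader struct). */
enum { F_VERSION_ID, F_HEADER_SIZE, F_RATE, F_MODE, F_MODE_BSV, F_NB_CHANNELS,
       F_BITRATE, F_FRAME_SIZE, F_VBR, F_FRAMES_PER_PACKET, F_EXTRA_HEADERS,
       F_RESERVED1, F_RESERVED2, F_COUNT };
typedef struct { char speex_string[8]; char speex_version[20]; int32_t f[F_COUNT]; } speex_hdr;

/* Decode a little-endian int32 regardless of host byte order. */
static int32_t le32(const unsigned char *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Returns a malloc'd header, or NULL on any invalid input; callers must check. */
speex_hdr *parse_speex_header(const unsigned char *buf, size_t len) {
    if (len < SPEEX_HEADER_SIZE || memcmp(buf, "Speex   ", 8) != 0) return NULL;
    speex_hdr *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    memcpy(h->speex_string, buf, 8);
    memcpy(h->speex_version, buf + 8, 20);
    for (int i = 0; i < F_COUNT; i++) h->f[i] = le32(buf + 28 + 4 * i);
    /* The r14701 check, applied to the host-order value: an unknown mode
     * must never reach code that selects a decoder by mode number. */
    if (h->f[F_MODE] < 0 || h->f[F_MODE] >= SPEEX_NB_MODES) { free(h); return NULL; }
    if (h->f[F_NB_CHANNELS] > 2) h->f[F_NB_CHANNELS] = 2;   /* clamps kept from */
    if (h->f[F_NB_CHANNELS] < 1) h->f[F_NB_CHANNELS] = 1;   /* the original code */
    return h;
}

/* Constructed test input: a minimal header whose mode field is `mode`. */
void make_header(unsigned char out[SPEEX_HEADER_SIZE], int32_t mode) {
    memset(out, 0, SPEEX_HEADER_SIZE);
    memcpy(out, "Speex   ", 8);
    uint32_t m = (uint32_t)mode;
    for (int i = 0; i < 4; i++) out[28 + 4 * F_MODE + i] = (m >> (8 * i)) & 0xff;
    out[28 + 4 * F_NB_CHANNELS] = 1;
}

/* Parse `len` bytes of a header built with `mode`; -1 means rejected. */
int parse_mode_of(int32_t mode, size_t len) {
    unsigned char buf[SPEEX_HEADER_SIZE];
    make_header(buf, mode);
    speex_hdr *h = parse_speex_header(buf, len);
    if (!h) return -1;
    int r = h->f[F_MODE]; free(h); return r;
}
```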