Commit 1cf1895499 for asterisk.org

commit 1cf189549994e0898954c814ce5a023cd969f1db
Author: Milan Kyselica <mil.kyselica@gmail.com>
Date:   Mon Mar 23 15:15:18 2026 +0100

    format_ogg_speex: Add bounds check to prevent heap buffer overflow

    The ogg_speex_read() function copies OGG packet data via memcpy()
    without validating the packet size against the destination buffer
    (BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
    audio packet causes a heap buffer overflow that corrupts the
    adjacent speex_desc structure containing libogg heap pointers,
    leading to a crash (SIGSEGV) on playback.

    Add a bounds check for both negative and oversized values before
    the memcpy, consistent with how format_ogg_vorbis bounds its reads
    via ov_read().

    Resolves: #GHSA-8jhw-m2hg-vp3h

diff --git a/formats/format_ogg_speex.c b/formats/format_ogg_speex.c
index 7dc95ab80a..cf5b7ec036 100644
--- a/formats/format_ogg_speex.c
+++ b/formats/format_ogg_speex.c
@@ -234,6 +234,12 @@ static struct ast_frame *ogg_speex_read(struct ast_filestream *fs,
 		return NULL;
 	}

+	if (s->op.bytes < 0 || s->op.bytes > BUF_SIZE) {
+		ast_log(LOG_WARNING, "OGG/Speex packet too large (%ld > %d), skipping\n",
+			s->op.bytes, BUF_SIZE);
+		return NULL;
+	}
+
 	AST_FRAME_SET_BUFFER(&fs->fr, fs->buf, AST_FRIENDLY_OFFSET, BUF_SIZE);
 	memcpy(fs->fr.data.ptr, s->op.packet, s->op.bytes);
 	fs->fr.datalen = s->op.bytes;