PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
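The arithmetic behind the overflow, and the check that closes it, as an added C example. This is not PJSIP's code: the function names below are hypothetical, the two sizing policies model the PCM-derived formula quoted above and one possible remedy (never allocating less than MAX_ENCODED_PACKET_SIZE), and the bounded copy stands in for the length check that was absent in front of the pj_memcpy() calls. The 1280-byte packet used in main() is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PJSIP's code. Largest encoded Opus packet the parse path
 * can hand to the decoder, as stated in the advisory. */
#define MAX_ENCODED_PACKET_SIZE 1280

/* PCM-derived formula used for the FEC decode buffers in the affected versions:
 * (sample_rate/1000) * 60 ms * channels * 2 bytes per 16-bit sample.
 * At 8 kHz mono this is 960 bytes, smaller than a maximal encoded packet. */
size_t fec_buf_size_pcm(unsigned sample_rate, unsigned channel_cnt)
{
    return (size_t)(sample_rate / 1000) * 60 * channel_cnt * 2;
}

/* Hardened sizing (an assumption, one possible remedy): the buffer receives
 * encoded frames, so it must never be smaller than the largest encoded frame. */
size_t fec_buf_size_safe(unsigned sample_rate, unsigned channel_cnt)
{
    size_t pcm = fec_buf_size_pcm(sample_rate, channel_cnt);
    return pcm > MAX_ENCODED_PACKET_SIZE ? pcm : MAX_ENCODED_PACKET_SIZE;
}

/* Bounded copy: the length check that has to precede every memcpy() of
 * attacker-influenced input. Returns 0 on success, -1 if the frame would
 * not fit (the caller should drop the frame, not truncate it silently). */
int copy_frame_checked(uint8_t *dst, size_t dst_cap,
                       const uint8_t *src, size_t src_len)
{
    if (dst == NULL || src == NULL || src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Exercise one copy with a buffer of buf_cap bytes and a frame of frame_len
 * bytes. Both are heap-allocated at exactly those sizes so the check, not
 * luck, decides whether the copy is in bounds. The frame content is constructed. */
int try_copy(size_t buf_cap, size_t frame_len)
{
    uint8_t *buf = malloc(buf_cap);
    uint8_t *frame = malloc(frame_len);
    int rc = -1;
    if (buf != NULL && frame != NULL) {
        memset(frame, 0xAB, frame_len);
        rc = copy_frame_checked(buf, buf_cap, frame, frame_len);
    }
    free(buf);
    free(frame);
    return rc;
}

int main(void)
{
    size_t narrow = fec_buf_size_pcm(8000, 1);
    size_t safe = fec_buf_size_safe(8000, 1);
    printf("8 kHz mono, PCM-derived buffer: %zu bytes\n", narrow);
    printf("8 kHz mono, hardened buffer:    %zu bytes\n", safe);
    printf("%d-byte frame into PCM-derived buffer: %s\n", MAX_ENCODED_PACKET_SIZE,
           try_copy(narrow, MAX_ENCODED_PACKET_SIZE) == 0 ? "copied" : "rejected");
    printf("%d-byte frame into hardened buffer:    %s\n", MAX_ENCODED_PACKET_SIZE,
           try_copy(safe, MAX_ENCODED_PACKET_SIZE) == 0 ? "copied" : "rejected");
    return 0;
}
```

Sizing the buffer to the worst-case encoded packet and checking input->size against the buffer capacity are independent fixes; a decoder should keep both, since the first guards the allocation and the second guards every copy into it.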
Package versions listed on the page (version selector): 1:13.17.2~dfsg-1ubuntu1, 1:13.17.2~dfsg-2ubuntu1, 1:13.18.1~dfsg-1ubuntu1, 1:13.18.3~dfsg-1ubuntu1, 1:13.18.3~dfsg-1ubuntu2, 1:13.18.3~dfsg-1ubuntu3, 1:13.18.3~dfsg-1ubuntu4, 1:16.2.1~dfsg-2build2, 1:16.2.1~dfsg-2build3, 1:16.2.1~dfsg-2ubuntu1, 1:16.16.1~dfsg+~2.10-1, 1:16.16.1~dfsg-2, 1:16.16.1~dfsg-4, 1:16.16.1~dfsg-4build1, 1:18.10.0~dfsg+~cs6.10.40431411-2, 1:20.4.0~dfsg+~cs6.13.40431414-2, 1:20.5.0~dfsg+~cs6.13.40431414-1, 1:20.5.1~dfsg+~cs6.13.40431414-1, 1:20.5.2~dfsg+~cs6.13.40431414-1, 1:20.6.0~dfsg+~cs6.13.40431414-1, 1:20.6.0~dfsg+~cs6.13.40431414-2, 1:20.6.0~dfsg+~cs6.13.40431414-2build3, 1:20.6.0~dfsg+~cs6.13.40431414-2build4, 1:20.6.0~dfsg+~cs6.13.40431414-2build5, 1:22.2.0~dfsg+~cs6.15.60671435-2, 1:22.3.0~dfsg+~cs6.15.60671435-1, 1:22.4.1~dfsg+~cs6.15.60671435-1, 1:22.4.1~dfsg+~cs6.15.60671435-2, 1:22.5.1~dfsg+~cs6.15.60671435-1, 1:22.5.2~dfsg+~cs6.15.60671435-1, 1:13.1.0~dfsg-1.1ubuntu3, 1:13.1.0~dfsg-1.1ubuntu4, 1:13.1.0~dfsg-1.1ubuntu4.1, 1:13.1.0~dfsg-1.1ubuntu4.1+esm1, 2.1.0.0.ast20130823-1, 2.1.0.0.ast20130823-1+deb8u1build0.16.04.1, 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1, 2.6~dfsg-2, 2.7.1~dfsg-1, 2.7.1~dfsg-1build1, 2.7.2~dfsg-1, 2.7.2~dfsg-1ubuntu0.1~esm1, 2.7~dfsg-1

CVSS 4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Exploitability: AV:L (Attack Vector: Local), AC:L (Attack Complexity: Low), AT:N (Attack Requirements: None), PR:N (Privileges Required: None), UI:P (User Interaction: Passive)
Vulnerable System: VC:H (Confidentiality: High), VI:H (Integrity: High), VA:H (Availability: High)
Subsequent System: SC:N (Confidentiality: None), SI:N (Integrity: None), SA:N (Availability: None)