[3.7] libsndfile: heap-based buffer over-read and incomplete fix (CVE-2018-19758, CVE-2019-3832)
CVE-2018-19758: heap-based buffer over-read at wav.c in wav_write_header
There is a heap-based buffer over-read at wav.c in wav_write_header in
that will cause a denial of service.
When fixing this issue, the fix needs to be complete so that it does not open CVE-2019-3832.
CVE-2019-3832: incomplete fix for CVE-2018-19758 still allows reading beyond buffer limits
It was discovered that the fix for CVE-2018-19758 is not complete and
still allows reading beyond the limit of the buffer in function
wav_write_header() in wav.c.
Function wav_write_header() iterates through the `loops` array a number of times read from the file itself. However, this value is not correctly checked,
and the library can read beyond the limits of the `loops` array, possibly making the application crash.
(from redmine: issue id 10109, created on 2019-03-14)
- parent #10105
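
The bug class described in this issue, as an added example that is not libsndfile's code or its patch: a loop bounded only by a file-supplied count, next to a form that clamps the count to the array capacity. The type names, function names and `MAX_LOOPS` value are assumptions made for illustration, and the oversized count is a constructed sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOOPS 16 /* assumed capacity of the in-memory loops array */

typedef struct { uint32_t mode, start, end, count; } loop_t;
typedef struct {
    uint32_t loop_count;        /* read from the input file: untrusted */
    loop_t   loops[MAX_LOOPS];
} instrument_t;

/* Pattern described in the report: the file-supplied count alone bounds the
 * loop, so any count above MAX_LOOPS reads past the end of loops[]. */
int write_loops_unchecked(const instrument_t *ins, uint8_t *out)
{
    for (uint32_t i = 0; i < ins->loop_count; i++)
        memcpy(out + i * sizeof(loop_t), &ins->loops[i], sizeof(loop_t));
    return (int)ins->loop_count;
}

/* Hardened form: clamp the count to the array capacity and check the
 * destination size before copying. Returns loops written, or -1. */
int write_loops_checked(const instrument_t *ins, uint8_t *out, size_t out_len)
{
    uint32_t n = ins->loop_count;
    if (n > MAX_LOOPS)
        n = MAX_LOOPS;
    if (out_len < (size_t)n * sizeof(loop_t))
        return -1;
    for (uint32_t i = 0; i < n; i++)
        memcpy(out + i * sizeof(loop_t), &ins->loops[i], sizeof(loop_t));
    return (int)n;
}

int main(void)
{
    instrument_t ins;
    uint8_t out[MAX_LOOPS * sizeof(loop_t)];
    memset(&ins, 0, sizeof ins);
    ins.loop_count = 70000;     /* constructed oversized count */
    printf("wrote %d loops\n", write_loops_checked(&ins, out, sizeof out));
    return 0;
}
```

A backport of the fix can be checked the same way: build with AddressSanitizer and confirm that a count above the array capacity no longer reaches the copy loop.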