[3.7] libsndfile: heap-based buffer over-read and incomplete fix (CVE-2018-19758, CVE-2019-3832)
CVE-2018-19758: heap-based buffer over-read at wav.c in wav_write_header
There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.
References:
https://github.com/erikd/libsndfile/issues/435
https://nvd.nist.gov/vuln/detail/CVE-2018-19758
Patch:
https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e
When fixing this issue, the fix needs to be made complete so as not to open CVE-2019-3832.
CVE-2019-3832: incomplete fix for CVE-2018-19758 still allows reading beyond buffer limits
It was discovered that the fix for CVE-2018-19758 is not complete and it still allows reading beyond the limit of the buffer in function wav_write_header() in wav.c.
Function wav_write_header() iterates through the `loops` array a number of times that is read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.
References:
https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436
https://github.com/erikd/libsndfile/pull/460
Patch:
https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008
(from redmine: issue id 10109, created on 2019-03-14)
- Relations:
- parent #10105
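
The unchecked loop count described for wav_write_header() above, as an added example that is not part of the original report and is not libsndfile's code: it compares no check, a partial check and a clamp to the array's real capacity. The struct layout, the capacity of 16, the 0x7fff mask and all function names are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_LEN(a) (sizeof (a) / sizeof ((a)[0]))

/* Simplified stand-ins (assumptions): field names and the capacity of 16
   are chosen for this sketch, not copied from libsndfile. */
typedef struct { uint32_t start, end, count; } loop_t;
typedef struct {
    int    loop_count;   /* read from the input file, so untrusted */
    loop_t loops[16];
} instrument_t;

/* No check: the writer visits as many entries as the file claims. */
static size_t visits_unchecked(int count)
{   return count > 0 ? (size_t) count : 0; }

/* Hypothetical partial check: narrows the value's range, but the limit
   is unrelated to how many entries the array really has. */
static size_t visits_range_limited(int count)
{   return (size_t) (count & 0x7fff); }

/* Complete check: clamp to the actual capacity of the array. */
static size_t visits_clamped(int count, size_t cap)
{
    if (count <= 0) return 0;
    return (size_t) count > cap ? cap : (size_t) count;
}

static int in_bounds(size_t visits, size_t cap) { return visits <= cap; }

/* Hardened writer: copies loop entries without reading past in->loops
   or writing past out. Returns the number of entries copied. */
static size_t write_loops(const instrument_t *in, loop_t *out, size_t out_cap)
{
    size_t n = visits_clamped(in->loop_count, ARRAY_LEN(in->loops));
    if (n > out_cap) n = out_cap;
    for (size_t i = 0; i < n; i++) out[i] = in->loops[i];
    return n;
}

int main(void)
{
    instrument_t ins = { .loop_count = 4000 };   /* constructed hostile value */
    loop_t out[32];
    printf("unchecked in bounds: %d\n", in_bounds(visits_unchecked(ins.loop_count), ARRAY_LEN(ins.loops)));
    printf("range-limited in bounds: %d\n", in_bounds(visits_range_limited(ins.loop_count), ARRAY_LEN(ins.loops)));
    printf("clamped writer copied %zu entries\n", write_loops(&ins, out, ARRAY_LEN(out)));
    return 0;
}
```

A limit only prevents the over-read when it is derived from the array itself, which is why the clamp uses ARRAY_LEN rather than a fixed constant.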