In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is a Use-After-Free vulnerability triggered by supplying a malformed AIFF file. A Crafted input will lead to a denial of service attack during conversion of an audio file. Upstream issue: https://sourceforge.net/p/sox/bugs/298/
Created sox tracking bugs for this issue: Affects: fedora-all [bug 1510925]
upstream discussion: https://sourceforge.net/p/sox/mailman/sox-devel/thread/CAG_ZyaA_WyTTEWeGYPUhG95M3wOv64vTqn8jeH4JYvgMnx83Tw@mail.gmail.com/#msg36128861 patch: https://sourceforge.net/p/sox/mailman/sox-devel/thread/20171120110535.14410-1-mans@mansr.com/#msg36129559
Fixed in sox-14.4.2.0-16.fc27 and sox-14.4.2.0-17.fc26.