The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch.

Upstream issue: https://gitlab.com/soundtouch/soundtouch/issues/14
References: https://github.com/TeamSeri0us/pocs/tree/master/soundtouch/2018_09_03
Created soundtouch tracking bugs for this issue:

Affects: epel-6 [bug 1631057]
Affects: fedora-all [bug 1631056]
This is not a double free, in fact; it is actually an off-by-one error that happens in the WavOutFile::write(float*, int) function:

    case 3:
    {
        char *temp2 = (char *)temp;
        for (int i = 0; i < numElems; i ++)
        {
            int value = saturate(buffer[i] * 8388608.0f, -8388608.0f, 8388607.0f);
            *((int*)temp2) = _swap32(value);
            temp2 += 3;
        }
        break;
    }

temp is allocated with size numElems * 3. In the last loop iteration, when i == numElems - 1, an int value is stored into temp2, which on most architectures has 4 bytes, therefore the last byte is written out of bounds, which overwrites the PREV_INUSE bit in the next chunk. When convBuff is later freed, glibc finds that the PREV_INUSE bit is clear, triggering double free detection as a result.
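The arithmetic behind the comment above, and one way the 24-bit packing could be written without the stray fourth byte, as an added example (this is not SoundTouch's code and not the upstream patch; saturate_f is a hypothetical stand-in for the library's saturate(), and little-endian byte order is assumed for the on-disk sample format):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for SoundTouch's saturate(): clamp to [minv, maxv]. */
static int saturate_f(float value, float minv, float maxv)
{
    if (value > maxv) value = maxv;
    if (value < minv) value = minv;
    return (int)value;
}

/* Bytes the original case-3 loop actually touches in a numElems * 3 buffer:
 * every iteration stores a full int at offset 3*i, so the final store ends
 * at 3*(numElems-1) + sizeof(int), i.e. 3*numElems + 1 when sizeof(int) == 4. */
size_t bytes_touched_by_int_store(int numElems)
{
    if (numElems <= 0) return 0;
    return (size_t)3 * (size_t)(numElems - 1) + sizeof(int);
}

/* Hardened packing: write exactly 3 little-endian bytes per sample and refuse
 * to run at all if the destination cannot hold numElems * 3 bytes.
 * Returns the number of bytes written, or -1 on a too-small buffer. */
long pack_24bit(const float *buffer, int numElems, unsigned char *out, size_t outLen)
{
    if (numElems < 0 || (size_t)numElems * 3 > outLen) return -1;

    unsigned char *p = out;
    for (int i = 0; i < numElems; i++) {
        int value = saturate_f(buffer[i] * 8388608.0f, -8388608.0f, 8388607.0f);
        uint32_t u = (uint32_t)value;   /* two's-complement bit pattern */
        p[0] = (unsigned char)(u & 0xff);           /* byte-wise stores never */
        p[1] = (unsigned char)((u >> 8) & 0xff);    /* exceed the 3 bytes     */
        p[2] = (unsigned char)((u >> 16) & 0xff);   /* reserved per sample    */
        p += 3;
    }
    return (long)(p - out);
}

int main(void)
{
    /* Constructed sample data: silence, half scale, full negative scale. */
    float samples[3] = { 0.0f, 0.5f, -1.0f };
    unsigned char buf[9];

    printf("int-store loop touches %zu bytes of a %zu-byte buffer\n",
           bytes_touched_by_int_store(3), sizeof buf);
    long n = pack_24bit(samples, 3, buf, sizeof buf);
    printf("pack_24bit wrote %ld bytes\n", n);
    return 0;
}
```

The check at the top of pack_24bit is the part that matters operationally: a conversion routine that knows its output size can refuse the call instead of corrupting heap metadata, and the byte-wise stores remove the dependence on sizeof(int) that causes the overrun in the original loop.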
Statement: This issue did not affect the versions of soundtouch as shipped with Red Hat Enterprise Linux 7 as they did not include the vulnerable code.
Hi, can you provide a patch to apply to the source code? Please. Upstream still has not solved the problem [1]. Thanks.

[1] https://gitlab.com/soundtouch/soundtouch/issues/14
Upstream patch: https://gitlab.com/soundtouch/soundtouch/commit/7f594f8b7d10bbc16a4a31de8ec5a279af9c7378

(https://gitlab.com/soundtouch/soundtouch/commit/09e04252dde9ef02a7d254315b13089996afe302 - this was the previous attempt to fix, which was found incomplete)