There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. References: https://bugzilla.redhat.com/show_bug.cgi?id=1643812
Created libsndfile tracking bugs for this issue: Affects: fedora-all [bug 1659639]
Upstream patch: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e
Upstream issue: https://github.com/erikd/libsndfile/issues/435
Function wav_write_header() in wav.c iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash. However, I believe the proposed fix for this CVE is not complete and it still allows to read outside the bounds of the loops array. Upstream has been informed of the issue through https://github.com/erikd/libsndfile/issues/456 .
See bug 1677216 for the new flaw created because of the incomplete fix of CVE-2018-19758.