Bug 1678297 (CVE-2019-8357) - CVE-2019-8357 sox: null pointer dereference in function lsx_make_lpf in effect_i_dsp.c
Summary: CVE-2019-8357 sox: null pointer dereference in function lsx_make_lpf in effec...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-8357
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1678298 1680119
Blocks: 1678305
TreeView+ depends on / blocked
 
Reported: 2019-02-18 13:01 UTC by Dhananjay Arunesh
Modified: 2021-10-27 03:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:25:26 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-02-18 13:01:02 UTC
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

Reference:
https://sourceforge.net/p/sox/bugs/318

Comment 1 Dhananjay Arunesh 2019-02-18 13:01:13 UTC
Created sox tracking bugs for this issue:

Affects: fedora-all [bug 1678298]

Comment 3 Scott Gayou 2019-02-22 18:26:22 UTC
in lsx_make_lpf, num_taps is passed in a large value (402653185 in poc).

malloc then fails here:

```
  │360       double * h = malloc(num_taps * sizeof(*h)), sum = 0; 
```

sizeof(*h) is 8, which ends up passing around 3GB to malloc, which returns 0.

The fix is to check the malloc return code and also potentially sanitize whatever is setting the large num_taps earlier.

Code doesn't seem to exist in earlier versions than that shipped in Red Hat Enterprise Linux 7.


Note You need to log in before you can comment on or make changes to this bug.