In Audio File Library (aka audiofile) 0.3.6, there exists one NULL pointer dereference bug in ulaw2linear_buf in G711.cpp in libmodules.a that allows an attacker to cause a denial of service via a crafted file. Upstream Issue: https://github.com/mpruett/audiofile/issues/54
Created audiofile tracking bugs for this issue: Affects: fedora-all [bug 1726068]
This may be a duplicate of the existing bugs about ulaw2linear_buf https://github.com/mpruett/audiofile/issues?utf8=%E2%9C%93&q=ulaw2linear_buf
There is an integer overflow within the copyaudiodata() function in sfcommands/sfconvert.c when multiplying malloc(kBufferFrameCount * frameSize); Combined with making frameSize unsigned, this fixes crashes for https://github.com/mpruett/audiofile/issues/54 https://github.com/mpruett/audiofile/issues/46 https://github.com/mpruett/audiofile/issues/38 Further issues in the code: The ModuleState::setup() function in modules/ModuleState.cpp has integer overflows when multiplying int bufsize = outChunk->frameCount * outChunk->f.bytesPerFrame(true); and further down int bufsize = inChunk->frameCount * inChunk->f.bytesPerFrame(true); It's probably also a good idea to use unsigned types for bufsize and maxbufsize. The copyaudiodata() function in sfcommands/sfconvert.c also fails to check for the success of malloc(), causing some of the NULL ptr dereferences seen. Module chunk allocation could possibly need checks, too.
*** This bug has been marked as a duplicate of bug 1432943 ***
Statement: This flaw was found to be a duplicate of CVE-2017-6838. Please see https://access.redhat.com/security/cve/CVE-2017-6838 for information about affected products and security errata.