Bug 1659638 (CVE-2018-19758) - CVE-2018-19758 libsndfile: heap-based buffer over-read at wav.c in wav_write_header
Summary: CVE-2018-19758 libsndfile: heap-based buffer over-read at wav.c in wav_write_...
Alias: CVE-2018-19758
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1659639 1673297 1673298
Blocks: 1659634
TreeView+ depends on / blocked
Reported: 2018-12-14 20:49 UTC by Laura Pardo
Modified: 2021-10-27 03:19 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:19:23 UTC

Attachments (Terms of Use)

Description Laura Pardo 2018-12-14 20:49:12 UTC
There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. 


Comment 1 Laura Pardo 2018-12-14 20:49:25 UTC
Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 1659639]

Comment 3 Riccardo Schirone 2019-02-07 08:38:05 UTC
Upstream issue:

Comment 4 Riccardo Schirone 2019-02-07 09:21:32 UTC
Function wav_write_header() in wav.c iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

However, I believe the proposed fix for this CVE is not complete and it still allows to read outside the bounds of the loops array.
Upstream has been informed of the issue through https://github.com/erikd/libsndfile/issues/456 .

Comment 7 Riccardo Schirone 2019-02-14 10:08:43 UTC
See bug 1677216 for the new flaw created because of the incomplete fix of CVE-2018-19758.

Note You need to log in before you can comment on or make changes to this bug.