In Audio File Library (aka audiofile) 0.3.6, there exists one NULL pointer dereference bug in ulaw2linear_buf in G711.cpp in libmodules.a that allows an attacker to cause a denial of service via a crafted file.
Created audiofile tracking bugs for this issue:
Affects: fedora-all [bug 1726068]
This may be a duplicate of the existing bugs about ulaw2linear_buf
There is an integer overflow within the copyaudiodata() function in sfcommands/sfconvert.c when multiplying malloc(kBufferFrameCount * frameSize);
Combined with making frameSize unsigned, this fixes crashes for
Further issues in the code:
The ModuleState::setup() function in modules/ModuleState.cpp has integer overflows when multiplying
int bufsize = outChunk->frameCount * outChunk->f.bytesPerFrame(true);
and further down
int bufsize = inChunk->frameCount * inChunk->f.bytesPerFrame(true);
It's probably also a good idea to use unsigned types for bufsize and maxbufsize.
The copyaudiodata() function in sfcommands/sfconvert.c also fails to check for the success of malloc(), causing some of the NULL ptr dereferences seen. Module chunk allocation could possibly need checks, too.
*** This bug has been marked as a duplicate of bug 1432943 ***
This flaw was found to be a duplicate of CVE-2017-6838. Please see https://access.redhat.com/security/cve/CVE-2017-6838 for information about affected products and security errata.