It was discovered that the fix for CVE-2018-19758 is incomplete: it is still possible to read beyond the limit of the buffer in the function wav_write_header() in wav.c. wav_write_header() iterates through the `loops` array a number of times read from the file itself. However, this value is not correctly checked, and the library can read beyond the limits of the `loops` array, possibly making the application crash.
Name: Riccardo Schirone (Red Hat)
Created libsndfile tracking bugs for this issue:
Affects: fedora-all [bug 1677219]
A PR has been submitted upstream to fix this issue: https://github.com/erikd/libsndfile/pull/460
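The class of bug described in the report, as an added illustration and not libsndfile's code or the upstream patch: a count taken from the file must be clamped to the capacity of the fixed array before it drives the loop. The struct layout, `MAX_LOOPS` value and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOOPS 16 /* assumed capacity of the fixed array (illustrative) */

typedef struct { uint32_t start, end, count; } loop_t;

typedef struct {
    uint32_t loop_count;       /* taken from the input file: untrusted */
    loop_t   loops[MAX_LOOPS]; /* fixed-size storage */
} instrument_t;

/* Clamp the file-supplied count to what the array can actually hold. */
static size_t usable_loop_count(const instrument_t *inst)
{
    return inst->loop_count > MAX_LOOPS ? (size_t)MAX_LOOPS : (size_t)inst->loop_count;
}

/* Serialise the loop entries into out. Returns bytes written, or 0 if
 * out is too small. Iterating up to inst->loop_count directly would read
 * past loops[] whenever the file claims more than MAX_LOOPS entries. */
size_t write_loops(const instrument_t *inst, uint8_t *out, size_t out_len)
{
    size_t n = usable_loop_count(inst);
    if (n * sizeof(loop_t) > out_len)
        return 0;
    for (size_t i = 0; i < n; i++)
        memcpy(out + i * sizeof(loop_t), &inst->loops[i], sizeof(loop_t));
    return n * sizeof(loop_t);
}

/* Constructed input: an instrument whose header claims `claimed` loops. */
size_t demo_bytes_written(uint32_t claimed)
{
    instrument_t inst;
    uint8_t out[MAX_LOOPS * sizeof(loop_t)];
    memset(&inst, 0, sizeof inst);
    inst.loop_count = claimed;
    return write_loops(&inst, out, sizeof out);
}

int main(void)
{
    printf("claimed 2    -> %zu bytes\n", demo_bytes_written(2));
    printf("claimed 1000 -> %zu bytes\n", demo_bytes_written(1000));
    return 0;
}
```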