Bug 1678284 (CVE-2019-8354) - CVE-2019-8354 sox: integer overflow in function lsx_make_lpf in effect_i_dsp.c
Summary: CVE-2019-8354 sox: integer overflow in function lsx_make_lpf in effect_i_dsp.c
Alias: CVE-2019-8354
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1678286 1680175
Blocks: 1678305
TreeView+ depends on / blocked
Reported: 2019-02-18 12:39 UTC by Dhananjay Arunesh
Modified: 2021-10-27 03:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:25:07 UTC

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-02-18 12:39:58 UTC
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.


Comment 1 Dhananjay Arunesh 2019-02-18 12:41:00 UTC
Created sox tracking bugs for this issue:

Affects: fedora-all [bug 1678286]

Comment 2 Scott Gayou 2019-02-19 19:20:29 UTC
Reproduced on Red Hat Enterprise 7 easily. 5 and 6 look to be using versions before the target functionality was introduced (which looks to be around 2008).

Program received signal SIGSEGV, Segmentation fault.
u120_1 (p=0x613c18, output_fifo=0x613c88) at rate_poly_fir.h:55
55	    output[i] = sum;
(gdb) bt
#0  u120_1 (p=0x613c18, output_fifo=0x613c88) at rate_poly_fir.h:55
#1  0x00007ffff7b85e95 in rate_process (p=p@entry=0x612ff0) at rate.c:377
#2  0x00007ffff7b91b62 in rate_flush (p=0x612ff0) at rate.c:404
#3  drain (effp=<optimized out>, obuf=<optimized out>, osamp=<optimized out>) at rate.c:525
#4  0x00007ffff7b7598b in drain_effect (chain=0x613930, chain=0x613930, n=1) at effects.c:318
#5  sox_flow_effects (chain=0x613930, callback=callback@entry=0x405b10 <update_status>, client_data=client_data@entry=0x0) at effects.c:387
#6  0x0000000000407ca6 in process () at sox.c:1794
#7  0x0000000000403075 in main (argc=13, argv=0x7fffffffe3a8) at sox.c:3012

Note You need to log in before you can comment on or make changes to this bug.