1678297 – (CVE-2019-8357) CVE-2019-8357 sox: null pointer dereference in function lsx_make_lpf in effect_i_dsp.c

Bug 1678297 (CVE-2019-8357) - CVE-2019-8357 sox: null pointer dereference in function lsx_make_lpf in effect_i_dsp.c

Summary: CVE-2019-8357 sox: null pointer dereference in function lsx_make_lpf in effec...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-8357
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1678298 1680119
Blocks:	1678305
TreeView+	depends on / blocked

Reported:	2019-02-18 13:01 UTC by Dhananjay Arunesh
Modified:	2021-10-27 03:25 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 03:25:26 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-02-18 13:01:02 UTC

An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

Reference:
https://sourceforge.net/p/sox/bugs/318

Comment 1 Dhananjay Arunesh 2019-02-18 13:01:13 UTC

Created sox tracking bugs for this issue:

Affects: fedora-all [bug 1678298]

Comment 3 Scott Gayou 2019-02-22 18:26:22 UTC

in lsx_make_lpf, num_taps is passed in a large value (402653185 in poc).

malloc then fails here:

```
  │360       double * h = malloc(num_taps * sizeof(*h)), sum = 0; 
```

sizeof(*h) is 8, which ends up passing around 3GB to malloc, which returns 0.

The fix is to check the malloc return code and also potentially sanitize whatever is setting the large num_taps earlier.

Code doesn't seem to exist in earlier versions than that shipped in Red Hat Enterprise Linux 7.

Note You need to log in before you can comment on or make changes to this bug.