The vulnerability can lead to a heap-based buffer overflow via a crafted sound file, and potentially to control of heap data by forging buffer content to perform heap exploitation. Upstream Reference: https://github.com/libsndfile/libsndfile/issues/731
Created libsndfile tracking bugs for this issue: Affects: fedora-all [bug 2027692]
Flaw summary: There's an out-of-bounds READ possible in libsndfile's flac_buffer_copy() routine in flac.c. This could be triggered by a specially crafted file that is processed by a program linked with libsndfile.

Technical detail: In the following for loop:

```c
for (i = 0 ; i < len && pflac->remain > 0 ; i++)
{	offset = pflac->pos + i * channels ;

	/* The read-side loop bound comes from the frame header, not from the real size of `buffer`. */
	if (pflac->bufferpos >= frame->header.blocksize)
		break ;

	/* Only the output buffer (retpcm) is bounds-checked here. */
	if (offset + channels > pflac->len)
		break ;

	for (j = 0 ; j < channels ; j++)
		retpcm [offset + j] = ((uint32_t) buffer [j][pflac->bufferpos]) << shift ;

	pflac->remain -= channels ;
	pflac->bufferpos++ ;
	} ;
```

We see that there's an if check to ensure the loop terminates if pflac->bufferpos >= frame->header.blocksize. In this case, frame->header.blocksize can be set to a value greater than the size of `buffer`, and since `buffer` is indexed by `pflac->bufferpos`, the loop will not terminate before causing an out-of-bounds read when reading `buffer`.

The upstream patch[1] introduces a check to prevent the above, and errors out upon failure.

1. https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beab
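As an added illustration (not libsndfile's code), the copy loop above is modelled in a self-contained function that rejects a frame header whose blocksize exceeds the decoded buffer's real capacity before the loop runs, which is the class of check the upstream fix adds; the flac_state_t struct, the buffer_capacity parameter and the sample data are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of the decoder state used by the loop in the report. */
typedef struct {
    int32_t *retpcm;     /* interleaved output PCM */
    size_t   len;        /* capacity of retpcm in samples */
    size_t   pos;        /* write position in retpcm */
    int      remain;     /* samples still wanted by the caller */
    unsigned bufferpos;  /* read index into each channel of the decoded block */
} flac_state_t;

/* Returns 0 on success, -1 when the header claims more samples than the
 * per-channel buffers actually hold (the case that caused the OOB read). */
int flac_buffer_copy_checked(flac_state_t *pflac, const int32_t *const *buffer,
                             unsigned buffer_capacity, unsigned blocksize,
                             unsigned channels, unsigned shift, size_t len)
{
    /* Hardening: the read bound must be tied to the real buffer size. */
    if (blocksize > buffer_capacity)
        return -1;

    for (size_t i = 0; i < len && pflac->remain > 0; i++) {
        size_t offset = pflac->pos + i * channels;
        if (pflac->bufferpos >= blocksize)
            break;
        if (offset + channels > pflac->len)
            break;
        for (unsigned j = 0; j < channels; j++)
            pflac->retpcm[offset + j] = (int32_t) (((uint32_t) buffer[j][pflac->bufferpos]) << shift);
        pflac->remain -= (int) channels;
        pflac->bufferpos++;
    }
    return 0;
}

/* Constructed input: 2 channels of 4 decoded samples each. Returns -1 if the
 * checked copy rejects the header, otherwise the number of samples written. */
int demo_copy(unsigned claimed_blocksize)
{
    static const int32_t ch0[4] = {1, 2, 3, 4};
    static const int32_t ch1[4] = {10, 20, 30, 40};
    const int32_t *const buffer[2] = {ch0, ch1};
    int32_t out[8] = {0};
    flac_state_t st = { out, 8, 0, 8, 0 };

    if (flac_buffer_copy_checked(&st, buffer, 4, claimed_blocksize, 2, 0, 4) != 0)
        return -1;
    return (int) (st.bufferpos * 2);
}
```

A header blocksize of 8 against 4-sample channel buffers is refused up front instead of driving `bufferpos` past the end of `buffer`.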
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1968 https://access.redhat.com/errata/RHSA-2022:1968
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4156