out of bounds read in sf_write_int #427
Comments
This issue was assigned CVE-2018-19432
Thanks. @erikd usually does bugfixing. Can you check this bug exists in
Thanks, this bug is fixed by checking out the value of channels, in master branch. Have a nice day!
Hi @YourButterfly @evpobr, could you please confirm whether this issue got fixed or not?
The code is here in github. Is it not possible for you to confirm?
The poc defines a number of channels = 255 > MAX_CHANNELS (=16). This triggers a first overflow which is silently ignored in sndfile-deinterleave.c:main:
This is the main problem. If a file defines a number of channels > MAX_CHANNELS we should either artificially reduce the number of channels or reject it. Hence this issue is not a duplicate of #346 but rather a duplicate of #397 fixed in aaea680. (FTR, issue #397 was assigned CVE-2018-13139)
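The "reject it" option from the comment above, as an added example that is not part of the thread and not libsndfile's code: a header-supplied channel count is validated against MAX_CHANNELS before it drives any index into fixed-size storage. The names `demo_state`, `demo_open`, `demo_deinterleave`, `demo_run` and the block size `FRAMES` are hypothetical, and the sample data is constructed.

```c
#include <stdio.h>

#define MAX_CHANNELS 16 /* limit quoted in the thread */
#define FRAMES 8        /* constructed block size for this example */

/* Hypothetical stand-in for the tool's state: storage sized for MAX_CHANNELS. */
typedef struct {
    int channels;
    int interleaved[MAX_CHANNELS * FRAMES];
    int planar[MAX_CHANNELS][FRAMES];
} demo_state;

/* Validate the header-supplied channel count before it sizes any loop. */
int demo_open(demo_state *st, int header_channels)
{
    st->channels = 0;
    if (header_channels < 1 || header_channels > MAX_CHANNELS)
        return -1; /* reject, e.g. the PoC's 255 */
    st->channels = header_channels;
    return 0;
}

/* Split interleaved frames into per-channel buffers; -1 on invalid state. */
int demo_deinterleave(demo_state *st, int frames)
{
    if (st->channels < 1 || st->channels > MAX_CHANNELS) return -1;
    if (frames < 0 || frames > FRAMES) return -1;
    for (int ch = 0; ch < st->channels; ch++)
        for (int k = 0; k < frames; k++)
            st->planar[ch][k] = st->interleaved[k * st->channels + ch];
    return frames;
}

/* Constructed input: sample i holds value i. Returns the second sample of
   the last channel (2 * channels - 1), or -1 if the count was rejected. */
int demo_run(int header_channels)
{
    static demo_state st;
    if (demo_open(&st, header_channels) != 0) return -1;
    for (int i = 0; i < st.channels * FRAMES; i++) st.interleaved[i] = i;
    if (demo_deinterleave(&st, FRAMES) != FRAMES) return -1;
    return st.planar[st.channels - 1][1];
}

int main(void)
{
    printf("16 -> %d, 255 -> %d\n", demo_run(16), demo_run(255));
    return 0;
}
```

The second check inside `demo_deinterleave` is deliberate: the worker re-validates the count instead of trusting that every caller went through `demo_open`.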
version
libsndfile: Version released 1.0.28
description
An issue was discovered in libsndfile 1.0.28. There is an out of bounds read in function sf_write_int, which will lead to a denial of service or the others.
debug info
In function deinterleave_int, 'ch' is 0x10, leads to the array bounds, and then crash in function sf_write_int.
poc.tar.gz
others
This bug is reported by pwd@360TeamSeri0us,
please send email to teamSeri0us360@gmail.com if you have some question.