A heap Out-of-bounds Read in WavpackPackSamples (src/pack_utils.c) #110

Closed
jeffreyer opened this issue Nov 23, 2021 · 3 comments

jeffreyer commented Nov 23, 2021

Hi,

I have found a heap out-of-bounds read bug in function WavpackPackSamples, based on the commit a0ba858. The code that caused the crash is shown below:
source:src/pack_utils.c+632

    628              if (wps->wphdr.flags & MONO_FLAG) {
    629                  switch (wpc->config.bytes_per_sample) {
    630                      case 1:
    631                          while (cnt--) {
 →  632                                     *dptr++ = (signed char) *sptr;
    633                              sptr += nch;
    634                          }
    635
    636                          break;

Variable cnt is too large, which makes pointer sptr read beyond the heap bound.

Crash file:
crash.zip
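An added example, not part of the issue, not WavPack code and not the change made in 773f9d0: the same strided read pattern as the loop at line 632, with the sample count validated against the source buffer length before any element is read. The function name, its parameters and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not WavPack's API): copy `cnt` 8-bit mono samples out
 * of an interleaved buffer holding `src_len` int32 elements, stepping `nch`
 * elements per sample as the reported loop does.
 * Returns 0 on success, -1 if the request would read or write out of bounds. */
int copy_mono_8bit_checked(int32_t *dst, size_t dst_len,
                           const int32_t *src, size_t src_len,
                           size_t nch, size_t cnt)
{
    size_t i;

    if (cnt == 0)
        return 0;
    if (dst == NULL || src == NULL || nch == 0 || cnt > dst_len)
        return -1;

    /* The last element read is src[(cnt - 1) * nch]. Compare by division so
     * an oversized cnt cannot overflow size_t and slip past the check. */
    if (src_len == 0 || (cnt - 1) > (src_len - 1) / nch)
        return -1;

    for (i = 0; i < cnt; i++)
        dst[i] = (signed char) src[i * nch];   /* same narrowing as line 632 */
    return 0;
}

int main(void)
{
    /* Constructed input: 4 frames of 2 interleaved channels. */
    const int32_t src[8] = { 1, -1, 2, -2, 3, -3, 4, -4 };
    int32_t dst[8] = { 0 };

    /* 4 samples fit: indices 0, 2, 4, 6 are read. */
    printf("cnt=4 -> %d\n", copy_mono_8bit_checked(dst, 8, src, 8, 2, 4));
    /* 5 samples would read src[8], one element past the buffer. */
    printf("cnt=5 -> %d\n", copy_mono_8bit_checked(dst, 8, src, 8, 2, 5));
    return 0;
}
```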

dbry (Owner) commented Nov 23, 2021

Thanks so much for reporting this...quite a catch! Please let me know if you find anything else.

Fixed in 773f9d0.


carnil commented Mar 12, 2022

CVE-2021-44269 appears to have been assigned for this issue.

dbry (Owner) commented Mar 12, 2022

Thanks for the heads up! Fortunately this doesn't affect libwavpack (only the command-line program) and it can only cause a crash (no code execution). So the only possible security issue would be a denial-of-service for a website that uses the WavPack command-line program on user-provided files. And the only site I know about that did that stopped supporting WavPack a long time ago.
