global-buffer-overflow in the function i2alaw_array and i2ulaw_array #429
An issue was discovered in libsndfile 1.0.28. There is a global-buffer-overflow in the functions i2alaw_array and i2ulaw_array, which will lead to a denial of service or other impact.
./sndfile-convert -alaw poc out.raw
./sndfile-convert -ulaw poc out.raw
Regarding the ulaw issue:
i2ulaw_array fills buffer with encoded values from ptr. The encoding works by doing something like
meaning that we have to make sure ptr [count] >= 0.
If ptr [count] < 0 we do
but in this case ptr [count] = -2147483648, so - ptr [count] is UB and we perform an OOB read.
A trivial patch would be something like
I'll investigate further and submit a PR when ready.
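The INT_MIN edge case described in the comment above, as an added example that is not libsndfile's code and not the patch from this thread. The table size, the shift, the table contents and the 0x80 sign bit are constructed assumptions chosen so that the magnitude of -2147483648 lands exactly one entry past the end of the table.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not libsndfile's tables: 8192 entries indexed by magnitude >> 18. */
#define SHIFT 18
#define TABLE_LEN 8192u
static unsigned char table[TABLE_LEN];

static void init_table(void) {
    for (size_t i = 0; i < TABLE_LEN; i++)
        table[i] = (unsigned char) (i >> 6);   /* constructed 7-bit codes 0..127 */
}

/* Index a wrapping two's-complement negation would give for x < 0.
 * Modelled in 64 bits, because -x on INT32_MIN itself is undefined. */
static long naive_index(int32_t x) {
    int64_t neg = (x == INT32_MIN) ? (int64_t) INT32_MIN : -(int64_t) x;
    return (long) (neg / (1 << SHIFT));
}

/* Magnitude computed in unsigned arithmetic: defined for every input. */
static uint32_t magnitude(int32_t x) {
    uint32_t u = (uint32_t) x;
    return x < 0 ? 0u - u : u;
}

/* Index clamped to the table: |INT32_MIN| >> 18 is 8192, one past the end. */
static size_t safe_index(int32_t x) {
    size_t idx = magnitude(x) >> SHIFT;
    return idx < TABLE_LEN ? idx : TABLE_LEN - 1;
}

/* Constructed encoding: table code, with 0x80 set for negative samples. */
static void encode_array(const int32_t *ptr, size_t count, unsigned char *buffer) {
    while (count-- > 0) {
        unsigned char code = table[safe_index(ptr[count])];
        buffer[count] = ptr[count] < 0 ? (unsigned char) (code | 0x80) : code;
    }
}

int main(void) {
    int32_t in[] = { 0, -262144, INT32_MAX, INT32_MIN };   /* constructed samples */
    unsigned char out[4];
    init_table();
    encode_array(in, 4, out);
    printf("INT32_MIN: naive index %ld, safe index %zu, code 0x%02x\n",
           naive_index(INT32_MIN), safe_index(INT32_MIN), out[3]);
    return 0;
}
```

Building the unguarded variant with `-fsanitize=undefined,address` is the quickest way to confirm both the signed-negation UB and the resulting out-of-bounds table read.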