-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incomplete fix for CVE-2018-19758 #456
Comments
I can confirm that the existing fix is insufficient. |
CVE-2019-3832 was assigned to this flaw. |
Yeah, sounds like loop_count needs to be limited to 0xff. Looking at the code, I wonder if that's not the only problem though. In wav_read_smpl_chunk(), loop_count is read and its value is used to iterate over the loops array, without sanitizing it to [0-16] first. Thus if that functions deals with untrusted data, it can potentially read out of bounds. |
Looks like wav_read_smpl_chunk is covered because of this check: if (j < ARRAY_LEN (psf->instrument->loops)) I addressed wav_write_header in #460 |
#460 has been merged. |
Hi,
I think the fix for CVE-2018-19758 in fa667c2 is not complete and it is still possible to trigger the same flaw just by adjusting the PoC a bit.
In
sndfile.h.in
:Loops is defined as an array of 16 elements, so reducing
loop_count
to a 16bit number does not really solve the out-of-bound read issue. The value should be checked and wrapped to 16 (not 16bits) or the process terminated immediately because the input is malformed.How to reproduce
poc.tar.gz
Extra
If the issue is confirmed, I will request a new CVE for it as the old one may have been already fixed in some distributions, which would not get the real fix otherwise.
The text was updated successfully, but these errors were encountered: