Bugzilla – Bug 1125575
VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow to read beyond buffer limits
Last modified: 2019-02-15 12:47:54 UTC
rh#1677216 It was discovered the fix for CVE-2018-19758 is not complete and it still allows to read beyond the limit of the buffer in function wav_write_header() in wav.c. Function wav_write_header() iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash. Upstream issue: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436 References: https://bugzilla.redhat.com/show_bug.cgi?id=1677216 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3832
Hi Takashi, I think we are not affected because the fix you developed looks to solve the issue completely. I still would like you to confirm this understanding. Maybe your fix could also help upstream to solve the issue correctly ?
Yes, my fix should avoid this OOB access, if I understand the issue correctly.
thanks for the confirmation. -> closing