Bug 1125575 - (CVE-2019-3832) VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow to read beyond buffer limits
VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P5 - None : Minor
: ---
Assigned To: Takashi Iwai
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-02-15 10:55 UTC by Robert Frohl
Modified: 2019-02-15 12:47 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2019-02-15 10:55:46 UTC

It was discovered the fix for CVE-2018-19758 is not complete and it still allows to read beyond the limit of the buffer in function wav_write_header() in wav.c. Function wav_write_header() iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

Upstream issue:

Comment 1 Robert Frohl 2019-02-15 10:57:44 UTC
Hi Takashi,
I think we are not affected because the fix you developed looks to solve the issue completely. I still would like you to confirm this understanding.

Maybe your fix could also help upstream to solve the issue correctly ?
Comment 2 Takashi Iwai 2019-02-15 11:11:51 UTC
Yes, my fix should avoid this OOB access, if I understand the issue correctly.
Comment 3 Robert Frohl 2019-02-15 12:47:54 UTC
thanks for the confirmation.
-> closing