An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
| Vendor | Product | Versions |
|---|---|---|
| libsndfile | libsndfile | n/a, Current master, all release versions through 1.2.2 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | open source libsndfile | cert_advisory | 90% |
Updated affected versions to include current master and all release versions through 1.2.2, and CVSS score updated from 7.5 to 7.8.
Updated severity to CRITICAL, marked as actively exploited, and added new tag 'buffer overflow'.
Initial creation
