Closed jeffreyer closed 2 years ago
Thanks so much for reporting this...quite a catch! Please let me know if you find anything else.
Fixed in https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a .
CVE-2021-44269 appears to have been assigned for this issue.
Thanks for the heads up! Fortunately this doesn't affect libwavpack (only the command-line program) and it can only cause a crash (no code execution). So the only possible security issue would be a denial-of-service for a website that uses the WavPack command-line program on user-provided files. And the only site I know about that did that stopped supporting WavPack a long time ago.
Hi,
I have found a heap out-of-bounds read bug in the function WavpackPackSamples, based on commit a0ba858455b7c94f26c8f75511592323a70c3feb. The code that caused the crash is shown below: source: src/pack_utils.c+632
The variable cnt is too large, which makes the pointer sptr read beyond the heap bound.
Crash file: crash.zip