Open KihongHeo opened 3 years ago
Hi,
I am wondering if there might exist an integer underflow error:
comm_samples can be an any integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L796
comm_samples
If length is zero, then data_length can be a negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L839
length
data_length
So num_samples can be also a negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L857
num_samples
Call to fread with the negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L845
fread
memcpy with a negative number can be vulnerable: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/base_class/EST_Token.cc#L407
memcpy
Thanks for your time.
Hi,
I am wondering if there might exist an integer underflow error:
comm_samplescan be an any integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L796If
lengthis zero, thendata_lengthcan be a negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L839So
num_samplescan be also a negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L857Call to
freadwith the negative integer: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/speech_class/EST_wave_io.cc#L845memcpywith a negative number can be vulnerable: https://github.com/festvox/speech_tools/blob/e2dcb2a37ed6bfe324ee586b739322a80cb51fc3/base_class/EST_Token.cc#L407Thanks for your time.