Headline
CVE-2019-1010317: Uninitialized Read in ParseCaffHeaderConfig() · Issue #66 · dbry/WavPack
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
The parsing of the attached file uninit-caff.wav leads to a read of an uninitialized location in memory. The uninitialized read can be uncovered using a tool such as Valgrind or MemorySanitizer. For example:
$ valgrind cli/wavpack uninit-caff.wav
==21063== Memcheck, a memory error detector
==21063== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21063== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21063== Command: ./cli/wavpack uninit-caff.wav
==21063==
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2019 David Bryant. All Rights Reserved.
creating uninit-caff.wv,==21063== Conditional jump or move depends on uninitialised value(s)
==21063== at 0x411C43: ParseCaffHeaderConfig (caff.c:486)
==21063== by 0x408A94: pack_file (wavpack.c:1777)
==21063== by 0x404AE2: main (wavpack.c:1273)
It appears that this is an uninitialized read of the field caf_audio_format.mBytesPerPacket on this line.