CVE-2019-13590: SoX - Sound eXchange / Bugs

An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

There are 2 issues here:
1. In sox-fmt.c function startread, there is no check on the value passed to comment_bytes. If the value of comment_bytes is on the boundary of overflow, it results in “comment_bytes + 1” being 0, hence calling lsx_calloc will give a null pointer.
2. Further, there is no check that this returned buffer can be null. Passing the null buffer down the line will trigger a segmentation fault when the program tries to use the buffer to store the result of fread (in formats_i.c in function lsx_readbuf).

Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Information about the binary: 32-bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.

The output of SoX with -V -V enabled:
time: Oct 3 2018 08:02:13
uname: <removed> #178-Ubuntu SMP Tue Jun 11 08:30:22 UTC 2019 x86_64
compiler: gcc 4.2.1 Compatible Clang 7.0.0 (branches/release_70)
arch: 1248 48 44 L
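
The two missing checks described above, sketched as an added example (not SoX source and not code from the report). The names zalloc_or_null, unchecked_alloc_size and read_comment_checked are hypothetical; uint32_t models the report's 32-bit size arithmetic, and an in-memory buffer stands in for the file read.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the allocation macro: a zero-byte request
 * yields NULL, which is the outcome the report describes. */
static void *zalloc_or_null(uint32_t size) {
    return size ? calloc(1, size) : NULL;
}

/* Size the unchecked code would request. uint32_t is an assumption that
 * models 32-bit size_t, so the wraparound also shows on 64-bit hosts. */
uint32_t unchecked_alloc_size(uint32_t comment_bytes) {
    return comment_bytes + 1u;          /* UINT32_MAX + 1 wraps to 0 */
}

/* Hardened read of a length-prefixed comment from an in-memory input.
 * Returns 0 and sets *out on success, -1 on any rejected input. */
int read_comment_checked(const uint8_t *in, size_t in_len,
                         uint32_t comment_bytes, char **out) {
    *out = NULL;
    if (comment_bytes == UINT32_MAX)    /* check 1: +1 would wrap to 0 */
        return -1;
    if (comment_bytes > in_len)         /* length field exceeds the input */
        return -1;
    char *buf = zalloc_or_null(comment_bytes + 1u);
    if (buf == NULL)                    /* check 2: never read into NULL */
        return -1;
    memcpy(buf, in, comment_bytes);     /* stands in for the fread step */
    *out = buf;                         /* calloc left the trailing NUL */
    return 0;
}

int main(void) {
    const uint8_t sample[] = "constructed comment";  /* constructed input */
    char *good = NULL, *rejected = NULL;
    int ok  = read_comment_checked(sample, sizeof sample - 1, 11, &good);
    int bad = read_comment_checked(sample, sizeof sample - 1,
                                   UINT32_MAX, &rejected);
    free(good);
    return (ok == 0 && bad == -1 && rejected == NULL) ? 0 : 1;
}
```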

Related news

Ubuntu Security Notice USN-5904-2

Ubuntu Security Notice 5904-2 - USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for CVE-2021-33844 was incomplete. This update fixes the problem. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.

Ubuntu Security Notice USN-5904-1

Ubuntu Security Notice 5904-1 - Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
