oss-sec mailing list archives
Multiple memory corruption vulnerabilities in SoX 14.4.2
From: Michele Spagnuolo <mikispag () gmail com>
Date: Wed, 22 Jul 2015 19:55:42 +0200
Hello,

I would like to report publicly new memory corruption vulnerabilities in the latest SoX, 14.4.2 - these have been reported in April 2015 through oCERT, but they have notified me they still haven't received a response from upstream.

Please see this shared folder, visible to anybody with the link:
https://drive.google.com/folderview?id=0B52EFul-UCEIflZhcjlrRGlqcWdER2xJZWR4dmVUQ1RaRGl6a09sbVdGYjg2MER6OHl3aUU&usp=sharing

The write heap buffer overflows are related to ADPCM handling in WAV files, while the read heap buffer overflow is while opening a .VOC.

For each crash, you have the input file and a .txt with the ASAN output.

Thanks,
Michele Spagnuolo
Google Security Team

CVE-ASSIGN: Please assign CVEs. Thanks.