Multiple memory corruption vulnerabilities in SoX 14.4.2

[Michele Spagnuolo <mikispag () gmail com>]

​Hello,

I would like to report publicly new memory corruption vulnerabilities in
the latest SoX, 14.4.2 - these have been reported in April 2015 through
oCERT, but they have notified me they still haven't received a response
from upstream.

Please see this shared folder, visible to anybody with the link:
https://drive.google.com/folderview?id=0B52EFul-UCEIflZhcjlrRGlqcWdER2xJZWR4dmVUQ1RaRGl6a09sbVdGYjg2MER6OHl3aUU&usp=sharing

The write heap buffer overflows are related to ADPCM handling in WAV files,
while the read heap buffer overflow is while opening a .VOC.

For each crash, you have the input file and a .txt with the ASAN output.

Thanks,
Michele Spagnuolo
Google Security Team​

CVE-ASSIGN: Please assign CVEs. Thanks.