Hi, On Sun, Jul 14, 2019 at 10:16:46PM +0200, Salvatore Bonaccorso wrote: > Source: sox > Version: 14.4.2+git20190427-1 > Severity: important > Tags: security upstream > Forwarded: https://sourceforge.net/p/sox/bugs/325/ > > Hi, > > The following vulnerability was published for sox. > > CVE-2019-13590[0]: > | An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h > | (startread function), there is an integer overflow on the result of > | integer addition (wraparound to 0) fed into the lsx_calloc macro that > | wraps malloc. When a NULL pointer is returned, it is used without a > | prior check that it is a valid pointer, leading to a NULL pointer > | dereference on lsx_readbuf in formats_i.c.
This has been fixed upstream with https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/ . Regards, Salvatore
