There are 2 issues here:
1. In sox-fmt.c function startread, there is no check on the value passed to the value of comment_bytes. If the value of comment_bytes is on the boundary of overflow, it results in "comment_bytes + 1" being 0, hence calling lsx_calloc will give a null pointer.
2. Further, there is no check that this returned buffer can be null. Passing the null buffer down the line will trigger a segmentation fault when the program tries to use the buffer to store the result of fread (in formats_i.c in function lsx_readbuf).
Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Information about the binary: 32-bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.
The output of SoX with -V -V enabled:
time: Oct 3 2018 08:02:13
uname: <removed> #178-Ubuntu SMP Tue Jun 11 08:30:22 UTC 2019 x86_64
compiler: gcc 4.2.1 Compatible Clang 7.0.0 (branches/release_70)
arch: 1248 48 44 L </removed>
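A hardened reader for the header field the report describes, added here as an example; it is not SoX's sox-fmt.c and not the patch under discussion. The 4-byte little-endian length layout, the sample headers and the names read_comment and run_sample are assumptions; the check against the remaining input length is added hardening beyond the two checks the report asks for.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example, not SoX's own sox-fmt.c: a header reader in the shape
 * the report describes. comment_bytes is 32-bit, so +1 wraps to 0 at
 * 0xffffffff, just as size_t does in a 32-bit build. */
enum { CMT_OK = 0, CMT_ERR_OVERFLOW = -1, CMT_ERR_TRUNCATED = -2, CMT_ERR_ALLOC = -3 };

/* Reads a 4-byte little-endian length followed by that many comment bytes from
 * in[0..in_len) and stores a NUL-terminated copy in *out (NULL on failure). */
int read_comment(const uint8_t *in, size_t in_len, char **out)
{
    uint32_t comment_bytes;
    char *buf;
    *out = NULL;
    if (in_len < 4)
        return CMT_ERR_TRUNCATED;
    comment_bytes = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                    ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    /* Issue 1: reject the value for which comment_bytes + 1 wraps to 0. */
    if (comment_bytes == UINT32_MAX)
        return CMT_ERR_OVERFLOW;
    /* Added hardening: the comment must fit in the remaining input. */
    if ((size_t)comment_bytes > in_len - 4)
        return CMT_ERR_TRUNCATED;
    /* Issue 2: never pass a NULL allocation down to the read path. */
    buf = calloc((size_t)comment_bytes + 1, 1);
    if (buf == NULL)
        return CMT_ERR_ALLOC;
    memcpy(buf, in + 4, comment_bytes); /* stands in for the fread in lsx_readbuf */
    *out = buf;
    return CMT_OK;
}

/* Constructed sample headers (not the attached file). */
static const uint8_t hdr_wrap[4]  = {0xff, 0xff, 0xff, 0xff}; /* comment_bytes = 0xffffffff */
static const uint8_t hdr_short[6] = {10, 0, 0, 0, 'h', 'i'};   /* claims 10, carries 2 */
static const uint8_t hdr_ok[6]    = {2, 0, 0, 0, 'h', 'i'};

/* Returns read_comment's status; with want set, the comment must also equal it (else -99). */
int run_sample(const uint8_t *in, size_t in_len, const char *want)
{
    char *c = NULL;
    int rc = read_comment(in, in_len, &c);
    if (rc == CMT_OK && want != NULL && strcmp(c, want) != 0)
        rc = -99;
    free(c);
    return rc;
}
```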
Fix sox-14.4.2 NULL pointer dereference on lsx_readbuf in formats_i.c by
doing a prior check that it is a valid pointer before passing into lsx_calloc.
===
This is my first patch, and I also posted here: https://sourceforge.net/p/sox/patches/118/
Please help instruct me on how to make it happen, thanks!
Hi, I would really appreciate it if you could share more detail with me.
I am trying to fix the CVE bug: https://vomit.googleplex.com/advisory?id=CVE/CVE-2019-13590
I also corrected my commit message from "before passing into lsx_readchars." to "before passing into lsx_calloc", if this is the reason you thought the fix is invalid.
Thanks a lot!
==
Fix sox-14.4.2 NULL pointer dereference on lsx_readbuf in formats_i.c by
doing a prior check that it is a valid pointer before passing into lsx_readchars.
I have already fixed it. That's what the "closed-fixed" status means.
Thanks for answering.
One more question: would you mind if I create a patch from your commit and submit it to the Gentoo GitHub? Or would you prefer to do it yourself?