When changing both sample format and number of channels, data gets corrupted; if new sample format smaller than old, possible buffer overflow
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
audiofile (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
When libaudiofile is used to change both the number of channels of an audio file (e.g. from stereo to mono) and the sample format (e.g. from 16-bit samples to 8-bit samples), the output file will contain corrupted data.
If the new sample format is smaller than the old one, there is a risk of buffer overflow: e.g. when the input file has 16-bit samples and the output file has 8-bit samples, afReadFrames will treat the buffer to read the samples (argument void *data) as a pointer to int16_t instead of int8_t, therefore it will write past its end.
The attached program (which is a rework of a file already present in the upstream's test suite, reworked by me) shows the problem. The 2 variables byte and abyte are int8_t. afReadFrames is told to read 1 8-bit sample into byte, but ends up treating &byte as a pointer to an int16_t, thus overwriting abyte (when abyte is stored right after byte in memory, which is what happens when I compile with gcc).
I proposed a fix (before realising about the buffer overflow, only about the data corruption) at https:/
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libaudiofile1 0.3.6-2
ProcVersionSign
Uname: Linux 3.19.0-15-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Oct 4 23:55:03 2015
InstallationDate: Installed on 2010-11-07 (1792 days ago)
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
SourcePackage: audiofile
UpgradeStatus: No upgrade log present (probably fresh install)
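A minimal model of the overflow described in the report, added here as an example; it is not the attached test program and not libaudiofile code. The names `mix_to_mono` and `neighbour_after` and the sample values are constructed for illustration: `mem[0]` plays the role of `byte`, `mem[1]` the role of `abyte`, and the capacity check shows how a converter that knows the destination size can refuse instead of writing past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not libaudiofile): mix stereo 16-bit frames down to mono
 * and store them in the caller's buffer. out_width is the sample size in bytes
 * that is actually written (1 = int8_t, 2 = int16_t). Returns the number of
 * bytes written, or 0 when check_cap is set and the result would not fit. */
static size_t mix_to_mono(const int16_t *in, size_t frames, uint8_t *out,
                          size_t cap, size_t out_width, int check_cap)
{
    size_t need = frames * out_width;
    if (check_cap && need > cap)
        return 0;                                /* refuse, do not overrun */
    for (size_t i = 0; i < frames; i++) {
        int16_t mono = (int16_t)((in[2 * i] + in[2 * i + 1]) / 2);
        if (out_width == 1)
            out[i] = (uint8_t)(int8_t)(mono / 256);   /* 16-bit -> 8-bit */
        else
            memcpy(out + 2 * i, &mono, sizeof mono);  /* still 16-bit wide */
    }
    return need;
}

/* The caller asked for one 8-bit sample, so only mem[0] belongs to it.
 * mem[1] stands in for the variable stored right after it and holds the
 * marker 0x5A. Returns the neighbour's value after the conversion. */
static uint8_t neighbour_after(size_t out_width, int check_cap, size_t *written)
{
    const int16_t in[2] = { 0x1234, 0x1234 };    /* one constructed stereo frame */
    uint8_t mem[2] = { 0x00, 0x5A };
    *written = mix_to_mono(in, 1, mem, 1, out_width, check_cap);
    return mem[1];
}

int main(void)
{
    size_t w;
    /* Channel change applied, format change skipped: 2 bytes land in a 1-byte slot. */
    printf("wrong width:   neighbour=0x%02X\n", (unsigned)neighbour_after(2, 0, &w));
    /* Both conversions applied: exactly 1 byte is written. */
    printf("correct width: neighbour=0x%02X\n", (unsigned)neighbour_after(1, 0, &w));
    /* Wrong width but destination size enforced: nothing is written. */
    printf("checked:       neighbour=0x%02X written=%zu\n",
           (unsigned)neighbour_after(2, 1, &w), w);
    return 0;
}
```

The model keeps both bytes in one array so the out-of-slot write stays inside defined memory; in the real case the neighbour is whatever the compiler placed after the destination.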
CVE References
information type: Private Security → Public Security
This has been assigned CVE-2015-7747 by MITRE: http://www.openwall.com/lists/oss-security/2015/10/08/1