libsndfile IMA ADPCM Codec Integer Overflow Vulnerability Leading to Heap Buffer Overflow

A vulnerability exists in the IMA ADPCM codec of libsndfile version 1.2.2. The issue arises in the WAV file handling, where an integer overflow occurs during the calculation of the frame count. This overflow happens because the product of 'samples per block' and 'blocks' exceeds the maximum value an integer can hold, causing a negative value to be computed. The incorrect frame count can lead to a heap buffer overflow, creating a potential denial-of-service condition. Both the 'samples per block' and 'blocks' values are controlled by the attacker through the WAV file header.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, which can be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by creating a WAV file with a 'samples per block' value of 50000 and a 'blocks' value of 50000. This combination causes the integer multiplication to overflow, leading to the vulnerability. The crafted WAV file can be processed by libsndfile, triggering the overflow and subsequent buffer overflow.

Remediation

Users can upgrade to the latest version of libsndfile, where this vulnerability has been addressed.