#! /bin/sh

# CVE-2019-8355
# An issue was discovered in SoX 14.4.2. In xmalloc.h, there is
# an integer overflow on the result of multiplication fed into
# the lsx_valloc macro that wraps malloc. When the buffer is allocated,
# it is smaller than expected, leading to a heap-based buffer overflow
# in channels_start in remix.c.
#
# https://sourceforge.net/p/sox/bugs/320
# In xmalloc.h, there is no check on the value passed to lsx_valloc,
# where the value passed further to lsx_malloc may yield integer overflow.
# When the result overflows, it can trigger heap-buffer-overflow
# due to allocated memory that is smaller than expected.
# Attached is a sample of the input file, in this case
# the heap-buffer-overflow is triggered in remix.c line 237.
#
# Discovered 2019-02-07 by Hendra Gunadi 

# 14.4.2:
# Segmentation fault (core dumped)
# and exits 139

# Debian:
# sox FAIL formats: can't open input file `xmalloc_31_integer_overflow.mp3': implausibly large number of channels
# and exits 2

# 42b355:
# /home/martin/SoX/sox-code/src/.libs/sox FAIL xmalloc: malloc size overflow
# and exits 0

# Regression check for the lsx_valloc size overflow described in the header.
# Outcome mapping, based on the per-build results recorded above:
#   sox exits 2 -> the input was rejected with an error   -> test passes (0)
#   sox exits 0 -> the crafted file was not reported as
#                  an error through the exit status        -> test fails (255)
#   anything else (e.g. 139 after a segfault) is passed through unchanged.

# Drop any core file left in the current directory by an earlier run.
rm -f core

# $sox may name an alternative binary; it is expanded unquoted exactly as
# before, so a value containing spaces is word-split by the shell.
${sox:-sox} --single-threaded xmalloc_31_integer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
rc=$?

# A crash in this run may have dumped core; remove it before exiting.
rm -f core

if [ "$rc" -eq 0 ]; then
  # sox reported success on the malformed input: count it as a failure.
  rc=255
elif [ "$rc" -eq 2 ]; then
  # sox refused the input with its error status: the expected result.
  rc=0
fi

exit "$rc"
