shithub: sox

Info  •  Files  •  Log  •  Branches

aiff: fix crash on empty comment chunk (CVE-2017-15642)

This fixes a use after free and double free if an empty comment
chunk follows a non-empty one.

--- a/src/aiff.c

+++ b/src/aiff.c

@@ -62,7 +62,6 @@

   size_t ssndsize = 0;

   char *annotation;

   char *author;

-  char *comment = NULL;

   char *copyright;

   char *nametext;

@@ -270,6 +269,7 @@

       free(annotation);

     }

     else if (strncmp(buf, "COMT", (size_t)4) == 0) {

+      char *comment = NULL;

       rc = commentChunk(&comment, "Comment:", ft);

       if (rc) {

         /* Fail already called in function */