Message-ID: <afK86CC-LCeCSOZM@ans-MacBook-Pro.local>
Date: Thu, 30 Apr 2026 02:22:36 +0000
From: Feng Ning <feng@...ora.ai>
To: oss-security@...ts.openwall.com
Subject: [CVE-2026-37555] libsndfile IMA-ADPCM integer overflow (incomplete fix for CVE-2022-33065)

Hi,

I'm disclosing an integer overflow vulnerability in libsndfile's IMA-ADPCM decoder that leads to heap corruption when processing crafted WAV files.

**CVE:** CVE-2026-37555
**Product:** libsndfile (Erik de Castro Lopo)
**Affected:** Current master and all release versions through 1.2.2
**CWE:** CWE-190 (Integer Overflow)
**CVSS 3.1:** 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**Credit:** Feng Ning, Innora Security Research

## Summary

This vulnerability is the result of an incomplete fix for CVE-2022-33065. The original fix in src/ima_adpcm.c correctly cast the first operand of the multiplication to sf_count_t on the AIFF code path (line 241), so that the product is computed in 64-bit arithmetic, but missed two other locations performing the same type of arithmetic.

## Details

In src/ima_adpcm.c, sample count calculations use int*int multiplication that overflows before assignment to sf_count_t:

**Line 235 (WAV open path):**
```c
sf.frames = samplesperblock * blocks;
```

**Line 167 (close path):**
```c
sf.frames = samplesperblock * blockcount / channels;
```

Both `samplesperblock` and `blocks`/`blockcount` are `int`, so the product is computed in 32-bit signed arithmetic. When it exceeds INT32_MAX, the multiplication wraps (signed overflow is undefined behaviour in C; in practice the value wraps). For example, samplesperblock=50000 and blocks=50000 yields 2,500,000,000, which overflows int32 to -1,794,967,296. This negative value is then widened to sf_count_t and propagates into frame count calculations, leading to undersized buffer allocations and heap corruption during decoding.

For comparison, the AIFF path at line 241 was already fixed in the CVE-2022-33065 patch:
```c
sf.frames = (sf_count_t) samplesperblock * blocks / channels;
```

## Fix

Cast the first operand to sf_count_t on lines 235 and 167, matching the existing fix on line 241:

```c
sf.frames = (sf_count_t) samplesperblock * blocks;
sf.frames = (sf_count_t) samplesperblock * blockcount / channels;
```
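As an added example (not code from the advisory or from libsndfile), the following stand-alone C program reproduces the arithmetic on the unpatched and patched expressions side by side and adds the overflow check a decoder could apply before trusting header-derived counts. It assumes sf_count_t is a 64-bit type and models the wrap with unsigned arithmetic, since signed int overflow is undefined behaviour in C.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for libsndfile's sf_count_t, assumed 64-bit for this demo. */
typedef int64_t sf_count_t;

/* True when samplesperblock * blocks does not fit in a 32-bit int.
 * This is the validation a decoder can perform before any allocation. */
static bool int_mul_overflows(int samplesperblock, int blocks)
{
    if (samplesperblock <= 0 || blocks <= 0)
        return false;   /* non-positive counts cannot wrap upward; rejected elsewhere */
    return samplesperblock > INT_MAX / blocks;
}

/* Reproduces the unpatched expression `samplesperblock * blocks / channels`.
 * Signed int overflow is undefined behaviour, so the wrap that real builds
 * exhibit is modelled with well-defined unsigned arithmetic followed by a
 * two's-complement reinterpretation of the low 32 bits. Pass channels = 1
 * for the WAV open path, which has no division. */
static sf_count_t frames_wrapping(int samplesperblock, int blocks, int channels)
{
    uint32_t wrapped = (uint32_t) samplesperblock * (uint32_t) blocks;
    int32_t product = (int32_t) wrapped;        /* the negative value the decoder sees */
    return (sf_count_t) (product / channels);
}

/* The patched expression: casting the first operand to sf_count_t promotes
 * the whole multiplication to 64 bits before it is performed. */
static sf_count_t frames_fixed(int samplesperblock, int blocks, int channels)
{
    return (sf_count_t) samplesperblock * blocks / channels;
}

int main(void)
{
    /* Constructed header values taken from the advisory's example: 50000 x 50000. */
    int samplesperblock = 50000, blocks = 50000, channels = 1;

    printf("overflow check:   %s\n", int_mul_overflows(samplesperblock, blocks) ? "overflows" : "ok");
    printf("unpatched frames: %lld\n", (long long) frames_wrapping(samplesperblock, blocks, channels));
    printf("patched frames:   %lld\n", (long long) frames_fixed(samplesperblock, blocks, channels));
    return 0;
}
```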

## References

- CVE-2022-33065 (original fix, incomplete)
- MITRE ticket #2019024

I've contacted the maintainer. No patch has been released yet.

Regards,
Feng Ning
