libsndfile PAF File Integer Overflow

July 28, 2011

libsndfile is a widely-used C library for reading and writing audio files. It supports a wide variety of audio encodings and sound file formats and will convert automatically from one to another. In addition to the library itself, the package provides command-line programs for converting one format to another (sndfile-convert), for playing audio files (sndfile-play), and for obtaining information about the contents of an audio file (sndfile-info).

libsndfile supports many different audio file formats, including Creative Technology's (formerly Ensoniq's) Professional Audio Recording Integrated System (PARIS) Audio Format (PAF). PAF is a linear pulse-code modulation (PCM) based format that can store 8, 16, or 24-bit samples. The format of the PAF file header is:

 Offset   Length   Description
 -----------------------------------------------------------------------
 0x0000   4        File format marker (also determines header endianness)
 0x0004   4        Version
 0x0008   4        Endianness specification
 0x000C   4        Sample rate
 0x0010   4        Format (sample size)
 0x0014   4        Number of Channels
 0x0018   4        Source

An integer overflow vulnerability exists in the PAF processing code of the libsndfile library. The vulnerable code does not validate the supplied PAF file data when calculating the size of the memory to allocate, which may cause an integer overflow. A remote, unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code in the context of the affected user.
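The following added example (not libsndfile's code) contrasts an unchecked size calculation on an untrusted header field with a range-checked and overflow-checked one. It assumes, for illustration only, that the channel count at offset 0x0014 is the field multiplied into the allocation size; `PER_CHANNEL_BYTES`, `MAX_CHANNELS`, the big-endian header and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAF_HEADER_LEN    28u    /* seven 4-byte fields from the table */
#define OFF_CHANNELS      0x14u  /* "Number of Channels" */
#define MAX_CHANNELS      256u   /* assumed policy limit, not libsndfile's */
#define PER_CHANNEL_BYTES 4096u  /* hypothetical per-channel buffer size */

/* Unchecked form: the 32-bit product of an untrusted field wraps silently. */
static uint32_t unchecked_size(uint32_t channels)
{
    return channels * PER_CHANNEL_BYTES;
}

/* Checked form: returns the allocation size, or 0 if the header is rejected.
   Header fields are read as big-endian (an assumption for this example). */
static size_t checked_size(const unsigned char *hdr, size_t len)
{
    uint32_t channels = 0;
    unsigned i;
    if (hdr == NULL || len < PAF_HEADER_LEN)
        return 0;                        /* truncated or missing header */
    for (i = 0; i < 4; i++)
        channels = (channels << 8) | hdr[OFF_CHANNELS + i];
    if (channels == 0 || channels > MAX_CHANNELS)
        return 0;                        /* range check on untrusted field */
    if (channels > SIZE_MAX / PER_CHANNEL_BYTES)
        return 0;                        /* general guard: product must fit */
    return (size_t)channels * PER_CHANNEL_BYTES;
}

/* Build a constructed (not real-world) header carrying only a channel count. */
static size_t size_for_channels(uint32_t channels)
{
    unsigned char hdr[PAF_HEADER_LEN] = {0};
    unsigned i;
    for (i = 0; i < 4; i++)
        hdr[OFF_CHANNELS + i] = (unsigned char)(channels >> (24 - 8 * i));
    return checked_size(hdr, sizeof hdr);
}

int main(void)
{
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(0x00100001u));
    printf("checked:   %zu bytes\n", size_for_channels(0x00100001u));
    printf("2 channels: %zu bytes\n", size_for_channels(2));
    return 0;
}
```

With the constructed channel count 0x00100001, the unchecked product wraps to a small value, so a buffer sized from it would be far smaller than the data the header claims; the checked form rejects the header before any allocation.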

The SonicWALL UTM team has researched and analyzed this vulnerability. Two IPS signatures have been created to detect and prevent attacks exploiting this issue.

  • 1109 libsndfile PAF File Integer Overflow 1
  • 1111 libsndfile PAF File Integer Overflow 2

This vulnerability has been assigned the CVE identifier CVE-2011-2696.