#! /bin/sh

# CVE-2019-13590
# An issue was discovered in libsox.a in SoX 14.4.2.
# In sox-fmt.h (startread function), there is an integer overflow on the
# result of integer addition (wraparound to 0) fed into the lsx_calloc macro
# that wraps malloc. When a NULL pointer is returned, it is used
# without a prior check that it is a valid pointer, leading to
# a NULL pointer dereference on lsx_readbuf in formats_i.c.
#
# https://sourceforge.net/p/sox/bugs/325
# In sox-fmt.c function startread, there is no check on the value of
# comment_bytes. If comment_bytes is on the boundary of overflow,
# "comment_bytes + 1" wraps around to 0, so the call to lsx_calloc
# returns a null pointer.
#
# Discovered 2019-06-28 by Hendra Gunadi 

# 14.4.2:
# Segmentation fault (core dumped)

# Debian and 42b355:
# sox FAIL formats: can't open input file `sox-fmt_56_integer_overflow.mp3': invalid sox file format header
# and exit 2

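# Regression check: run SoX on the crafted input file and translate its exit
# status into a pass/fail result.
#
# Environment:
#   sox - command used to invoke SoX (default: "sox"). It is expanded
#         unquoted, exactly as before, so a value containing spaces is split
#         into a command and its arguments.
# Exit status:
#   0     SoX refused the malformed file with status 2 (the fixed behaviour)
#   255   SoX exited 0, i.e. it processed a file it should have rejected
#   1     the crafted input file is missing or unreadable, test not run
#   other SoX's own status, passed through unchanged (a crash fails the test)

input=sox-fmt_56_integer_overflow.mp3

# SoX exits with status 2 when it cannot open its input, whatever the reason.
# Without this guard a missing or unreadable fixture would be reported as a
# pass, hiding a regression of the overflow check.
if [ ! -r "$input" ]; then
  printf '%s: test input %s is missing or unreadable\n' "$0" "$input" >&2
  exit 1
fi

# Start from a clean directory so a stale core file is not mistaken for a
# crash of this run.
rm -f core

# ${sox:-sox} is deliberately unquoted, see "Environment" above.
${sox:-sox} --single-threaded "$input" -t aiff out.aiff channels 1 rate 16k fade 3 norm
status=$?

# A vulnerable build dumps core here; do not leave it behind.
rm -f core

# Invert the meaning of SoX's status: rejecting the file (2) is success,
# accepting it (0) is failure. Every other status is left as it is.
case $status in
  0) status=255 ;;
  2) status=0 ;;
esac

exit "$status"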
