Vulnerabilities > CVE-2019-13590 - NULL Pointer Dereference vulnerability in Sound Exchange Project Sound Exchange 14.4.2

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

sound-exchange-project

CWE-476

NVD

Published: 2019-07-14

Updated: 2023-02-10

Summary

An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

Vulnerable Configurations

Part	Description	Count
Application	Sound_Exchange_Project Sound Exchange Project Sound Exchange 14.4.2	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://sourceforge.net/p/sox/bugs/325/
https://lists.debian.org/debian-lts-announce/2023/02/msg00009.html