Package: libsndfile / 1.0.28-6+deb10u1

Metadata

Package: libsndfile
Version: 1.0.28-6+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
CVE 2017 8365.patch

src/common.h | 1 1 + 0 - 0 !
src/flac.c | 13 13 + 0 - 0 !
src/sndfile.c | 1 1 + 0 - 0 !
3 files changed, 15 insertions(+)

 fixing buffer read/write overruns in flac-code

CVE 2017 8363.patch

src/flac.c | 13 4 + 9 - 0 !
1 file changed, 4 insertions(+), 9 deletions(-)

 fixing another memory leak in flac code

CVE 2017 8362.patch

src/flac.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fixed yet another buffer read overflow in flac code

CVE 2017 6892.patch

src/aiff.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix for cve-2017-6892

CVE 2019 3832.patch

src/wav.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix for cve-2019-3832

binheader heapoverflow.patch

src/common.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 fix heap buffer overflows when writing strings in binheader

fix_rf64_arm.patch

src/rf64.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fix rf64 on armel/armhf archs

fix_typos.patch

doc/bugs.html | 2 1 + 1 - 0 !
programs/sndfile-convert.c | 2 1 + 1 - 0 !
src/ogg.c | 2 1 + 1 - 0 !
src/wavlike.c | 2 1 + 1 - 0 !
4 files changed, 4 insertions(+), 4 deletions(-)

 fixed spelling errors

a ulaw fix multiple buffer overflows 432.patch

src/alaw.c | 9 7 + 2 - 0 !
src/ulaw.c | 9 7 + 2 - 0 !
2 files changed, 14 insertions(+), 4 deletions(-)

 a/ulaw: fix multiple buffer overflows (#432)

i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
properly, leading to buffer underflow. INT_MIN is a special value
since - INT_MIN cannot be represented as int.

In this case round - INT_MIN to INT_MAX and proceed as usual.

f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
properly, leading to null pointer dereference.

In this case, arbitrarily set the buffer value to 0.

This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
fixes #344 (CVE-2017-17456 and CVE-2017-17457).

double64_init Check psf sf.channels against upper bo.patch

src/double64.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 double64_init: check psf->sf.channels against upper bound

This prevents division by zero later in the code.

While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.

CVE-2017-14634

Closes: https://github.com/erikd/libsndfile/issues/318
Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>

src wav.c Fix heap read overflow.patch

src/wav.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 src/wav.c: fix heap read overflow

This is CVE-2018-19758.

Closes: https://github.com/erikd/libsndfile/issues/435

Check MAX_CHANNELS in sndfile deinterleave.patch

programs/sndfile-deinterleave.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 check max_channels in sndfile-deinterleave

Allocated buffer has space for only 16 channels. Verify that input file
meets this limit.

Fixes #397

CVE 2021 3246.patch

src/ms_adpcm.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [patch] ms_adpcm: fix and extend size checks

'blockalign' is the size of a block, and each block contains 7 samples
per channel as part of the preamble, so check against 'samplesperblock'
rather than 'blockalign'. Also add an additional check that the block
is big enough to hold the samples it claims to hold.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803