CVE-2020-36150
Description
Heap buffer overflow in the loudness function of libmysofa 0.5–1.1 allows application crash via a maliciously crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in the loudness function in libmysofa/src/hrtf/tools.c (line 179) of the libmysofa library, affecting versions 0.5 through 1.1. The function incorrectly handles input data, leading to a heap buffer overread of approximately 126,976 bytes. The issue is triggered when a maliciously crafted HRTF file is opened via mysofa_open (or mysofa_open_default), which causes the loudness() call at loudness.c:49 to process out-of-bounds data [1].
Exploitation
An attacker can exploit this vulnerability by crafting a specially designed audio file (e.g., an HRTF SOFA file) and inducing a victim application using libmysofa to open it. No special network position is required; the attack vector is local file opening. The user interaction involves opening the malicious file with a program that calls the libmysofa library. The segmentation fault occurs immediately, as demonstrated by a reproducible crash triggered via a simple test program [1].
Impact
Successful exploitation causes a denial-of-service condition (application crash due to segmentation fault). The heap buffer overread may also access unallocated memory, potentially leaking sensitive information or leading to further memory corruption, though the primary documented impact is a crash [1].
Mitigation
The issue is fixed in libmysofa version 1.1.1 and later, as per the upstream advisory. Fedora packages have been updated accordingly [2]. Users should upgrade to version 1.1.1 or later. No workaround is available; any application using an affected version should be updated.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- libmysofa/libmysofa (source: description)
- osv-coords (2 versions):
  - pkg:rpm/opensuse/libmysofa&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/libmysofa&distro=SUSE%20Package%20Hub%2015%20SP2
  - (no CPE) range: < 0.9.1-lp152.3.3.1
  - (no CPE) range: < 0.9.1-bp152.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in loudness() allows heap buffer overread when size exceeds allocated buffer length."
Attack vector
An attacker provides a maliciously crafted HRTF file to `mysofa_open`. The `loudness()` function at `tools.c:179-180` performs `res += *in * *in` without validating that the input buffer `in` is large enough for the `size` parameter, leading to a heap buffer overread of 126976 bytes and a segmentation fault [1]. No authentication or special network access is required beyond delivering the crafted file.
Affected code
The heap buffer overread occurs in the `loudness()` function at `libmysofa/src/hrtf/tools.c:179-180`. It is called from `mysofa_loudness` (`loudness.c:49`), which is invoked by `mysofa_open_default` (`easy.c:56`) and ultimately `mysofa_open` (`easy.c:86`).
What the fix does
The advisory does not include a published patch. The fix would need to add bounds checking in `loudness()` to ensure the loop does not read beyond the allocated heap buffer before dereferencing `in`. Without such a check, any caller that passes a `size` larger than the actual buffer length triggers the out-of-bounds access.
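The bounds check described above, sketched as an added example; it is not libmysofa's code and not the upstream fix. `struct sample_buf`, `declared_count`, `loudness_checked` and the dimension arrays are hypothetical names, and the sketch assumes the element count is derived from dimensions declared in the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical container: samples plus the number of floats allocated. */
struct sample_buf { const float *data; size_t len; };

/* Pattern from the text: trusts `size`, so it reads past the allocation
 * whenever `size` exceeds the number of floats behind `in`. */
static float loudness_unchecked(const float *in, size_t size) {
    float res = 0;
    while (size > 0) { res += *in * *in; in++; size--; }
    return res;
}

/* Multiply file-declared dimensions without wrapping; 0 on success. */
static int declared_count(const uint32_t *dims, size_t ndims, size_t *out) {
    size_t total = 1;
    for (size_t i = 0; i < ndims; i++) {
        if (dims[i] != 0 && total > SIZE_MAX / dims[i]) return -1;
        total *= dims[i];
    }
    *out = total;
    return 0;
}

/* Hardened caller: rejects a declared size the buffer cannot back. */
int loudness_checked(const struct sample_buf *b, const uint32_t *dims,
                     size_t ndims, float *out) {
    size_t want;
    if (!b || !b->data || !dims || !out) return -1;
    if (declared_count(dims, ndims, &want) != 0) return -1;
    if (want > b->len) return -1; /* would overread the heap buffer */
    *out = loudness_unchecked(b->data, want);
    return 0;
}

/* Constructed sample: 4 floats allocated; bad_dims claims 2*4*16 = 128. */
static const float samples[4] = {1, 2, 3, 4};
static const struct sample_buf buf = {samples, 4};
static const uint32_t good_dims[] = {2, 2};
static const uint32_t bad_dims[] = {2, 4, 16};

int main(void) {
    float out = 0;
    printf("good: rc=%d\n", loudness_checked(&buf, good_dims, 2, &out));
    printf("loudness=%.1f\n", out);
    printf("crafted: rc=%d\n", loudness_checked(&buf, bad_dims, 3, &out));
    return 0;
}
```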
Preconditions
- input: The attacker must supply a crafted HRTF file that causes the loudness function to read beyond the allocated heap buffer.
- config: The victim application must call mysofa_open (or mysofa_open_default) on the attacker-controlled file.
Reproduction
```c
#include <stdio.h>
#include <mysofa.h>

/* filename: path to the SOFA file to open */
int filter_length;
int err;
struct MYSOFA_EASY *easy = NULL;
easy = mysofa_open(filename, 48000, &filter_length, &err);
printf("Result: %p err: %d\n", (void *)easy, err);
mysofa_close(easy);
```

Opening the crafted file `crash_000_loudness.zip` with the above code triggers the heap buffer overread at `tools.c:179` [1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQLNZOVVONQSZZJHQVZT6NMOUUDMGBBR/ (mitre, vendor-advisory, x_refsource_FEDORA)
- github.com/hoene/libmysofa/issues/135 (mitre, x_refsource_MISC)