CVE-2020-36151
Description
Heap buffer overflow in libmysofa's resampler allows denial of service via crafted HRTF files in versions 0.5 through 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libmysofa versions 0.5 through 1.1, the function mysofa_resampler_reset_mem in src/resampler/speex_resampler.c contains a heap buffer overflow due to incorrect handling of input data. Specifically, the function attempts to zero a memory block using a size of -1 cast to an unsigned integer, resulting in an extremely large write operation that overflows the heap buffer. The bug is triggered when processing a crafted SOFA (HRTF) file via mysofa_open, which calls the vulnerable resampler code path [1].
Exploitation
An attacker can exploit this vulnerability by supplying a maliciously crafted SOFA file to an application using libmysofa. The attack requires no authentication; the victim simply needs to open the crafted file (e.g., via mysofa_open). The overflow occurs during the resampling initialization step, before any audio processing, making it exploitable solely through file input. No special privileges or network position are required beyond the ability to deliver the file to the target application [1].
Impact
Successful exploitation causes a heap buffer overflow that overwrites a large block of memory, leading to application crash (denial of service). Based on the AddressSanitizer report, the overflow is a WRITE of size 17179869180 (approximately 16 GB), which will corrupt heap metadata or adjacent data, likely causing immediate termination or unpredictable behavior [1]. There is no evidence in the available references of code execution potential, but the severity is high due to the ease of triggering and the large memory corruption.
Mitigation
The issue was reported in the GitHub issue tracker on 2020-08-26 [1], but as of the publication date of this CVE (2021-02-08), no patched version has been identified in the references. Users should avoid processing untrusted SOFA files with libmysofa versions 0.5 through 1.1 until a fix is released. Fedora package announcements may contain updates [2], but the linked reference is inaccessible due to bot-protection. The library maintainers should release a corrected version that validates the filter length before use in mysofa_resampler_reset_mem.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- libmysofa/libmysofa (description)
  - osv-coords (2 versions): pkg:rpm/opensuse/libmysofa&distro=openSUSE%20Leap%2015.2, pkg:rpm/suse/libmysofa&distro=SUSE%20Package%20Hub%2015%20SP2
    - < 0.9.1-lp152.3.3.1 (+1 more)
  - (no CPE) range: < 0.9.1-lp152.3.3.1
  - (no CPE) range: < 0.9.1-bp152.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of filter length in mysofa_resampler_reset_mem causes a negative value to be cast to unsigned, resulting in an oversized memset that overflows the heap buffer."
Attack vector
An attacker provides a maliciously crafted HRTF file to an application that calls `mysofa_open`. The file causes `mysofa_resampler_reset_mem` to compute a memory block size of `-1` cast to an unsigned integer, which becomes a huge positive value. The subsequent `memset` then writes zeroes far beyond the allocated heap buffer, causing a heap-buffer-overflow [1]. No authentication or special network access is required; the attack vector is local file processing.
Affected code
The heap buffer overflow occurs in `mysofa_resampler_reset_mem` in `speex_resampler.c:791`, called via `mysofa_resample` in `resample.c:55` and `mysofa_open_default` / `mysofa_open` in `easy.c:49,86`. The bug is in the libmysofa library versions 0.5 through 1.1.
What the fix does
The advisory does not include a published patch. The root cause is that `mysofa_resampler_reset_mem` does not validate the computed size before passing it to `memset`, allowing a negative value (cast to unsigned) to produce an enormous write length. A proper fix would add bounds checking on the filter length or the resulting memory size before performing the zeroing operation.
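As an added illustration (not libmysofa's own code), the C sketch below models the pattern described above with a hypothetical, simplified resampler state: a filter length of 0 makes `filt_len - 1` equal to -1, the 32-bit unsigned cast turns that into 0xFFFFFFFF, and multiplying by `sizeof(float)` reproduces the 17179869180-byte write from the AddressSanitizer report, while the checked variant rejects any filter length outside [1, mem_alloc_size] before `memset` runs. The struct, its field names and the exact size expression are assumptions, not taken from the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified resampler state; not libmysofa's own struct. */
typedef struct {
  int nb_channels;    /* channels in the HRTF */
  int filt_len;       /* filter length derived from file-controlled fields */
  int mem_alloc_size; /* floats actually allocated per channel */
  float *mem;         /* nb_channels * mem_alloc_size floats */
} toy_resampler;

/* Byte count the unchecked pattern would hand to memset: filt_len == 0 makes
 * filt_len - 1 equal to -1, which the 32-bit unsigned cast turns into 0xFFFFFFFF. */
size_t unchecked_zero_len(const toy_resampler *st) {
  uint32_t per_chan = (uint32_t)(st->filt_len - 1);
  return (size_t)per_chan * sizeof(float); /* 17179869180 when filt_len == 0 */
}

/* Hardened variant: validate before any write. 0 on success, -1 if rejected. */
int reset_mem_checked(toy_resampler *st) {
  if (st == NULL || st->mem == NULL) return -1;
  if (st->nb_channels <= 0 || st->mem_alloc_size <= 0) return -1;
  /* filt_len must lie in [1, mem_alloc_size] so filt_len - 1 is a valid count */
  if (st->filt_len < 1 || st->filt_len > st->mem_alloc_size) return -1;
  size_t per_chan = (size_t)(st->filt_len - 1);
  for (int i = 0; i < st->nb_channels; i++)
    memset(st->mem + (size_t)i * (size_t)st->mem_alloc_size, 0, per_chan * sizeof(float));
  return 0;
}

/* Constructed state with a zero filter length, as a crafted file could yield. */
size_t demo_unchecked_len(void) {
  toy_resampler st = {1, 0, 8, NULL};
  return unchecked_zero_len(&st);
}
int demo_checked_rejects(void) {
  float buf[8];
  toy_resampler st = {1, 0, 8, buf};
  return reset_mem_checked(&st); /* -1: rejected before memset */
}
/* Valid state: only the first filt_len - 1 floats of each channel are zeroed. */
int demo_checked_zeroes(void) {
  float buf[16];
  for (int i = 0; i < 16; i++) buf[i] = 1.0f;
  toy_resampler st = {2, 4, 8, buf};
  if (reset_mem_checked(&st) != 0) return 0;
  return buf[2] == 0.0f && buf[3] == 1.0f && buf[10] == 0.0f && buf[11] == 1.0f;
}
```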
Preconditions
- input: The victim application must call mysofa_open (or mysofa_open_default) on a file crafted by the attacker.
- auth: No authentication or special privileges required; the attack is triggered by file processing.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/hoene/libmysofa/issues/134 (MITRE, x_refsource_MISC)
- [2] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQLNZOVVONQSZZJHQVZT6NMOUUDMGBBR/ (MITRE, vendor-advisory, x_refsource_FEDORA)
News mentions
No linked articles in our index yet.