Heap-based Buffer Overflow in hoene/libmysofa
Description
Libmysofa 0.6.x and earlier contain a heap-based buffer overflow in readOHDRHeaderMessageDataLayout when reloading HRTF data, leading to potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in libmysofa (versions 0.6.x and earlier) in the readOHDRHeaderMessageDataLayout function within hdf/reader.c [3][4]. The flaw occurs when the function re-reads data layout information without properly freeing previously allocated memory, leading to a use-after-free scenario that can overflow the heap. Affected versions include all releases up to and including 0.6, with the fix introduced in commit 890400ebd092c574707d0c132124f8ff047e20e1 [3].
Exploitation
An attacker must provide a crafted SOFA (Spatially Oriented Format for Acoustics) file that triggers the vulnerable code path. When libmysofa processes the file, the function readOHDRHeaderMessageDataLayout is called multiple times, and without the fix the function allocates a fresh data->data buffer only when data->data is still null, so later calls keep using the buffer from the first call [3]. Exploitation requires no special privileges beyond the ability to supply a malformed SOFA file; user interaction may involve opening the file with an application that uses libmysofa.
Impact
Successful exploitation results in a heap-based buffer overflow, which can lead to arbitrary code execution or denial of service. The CVSSv3 score is not provided, but the bug is classified as a heap overflow and could allow an attacker to corrupt adjacent heap memory, potentially gaining control of the process.
Mitigation
The vulnerability is fixed in commit 890400ebd092c574707d0c132124f8ff047e20e1 [3]. Users should update libmysofa to a version that includes this patch (e.g., any release after 0.6). No official patched release version is named in the references; package maintainers for Fedora and other distributions are expected to backport the fix [1][2]. If a patch cannot be applied, avoid processing untrusted SOFA files with applications using libmysofa.
[1] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGY7TAZX2M4NYXXGNHIBBKKN5XMSMKQ4/
[2] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQ45S4RH7MC42NHTAGOIHYR4C5IRTMZ/
[3] Fix for issue 163 · hoene/libmysofa@890400e (github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1)
[4] huntr.dev bounty report (huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1)
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing deallocation of a previously allocated heap buffer before reallocation in readOHDRHeaderMessageDataLayout allows a heap-based buffer overflow."
Attack vector
An attacker crafts a malicious SOFA file that triggers the `readOHDRHeaderMessageDataLayout` function multiple times for the same data structure. The first call allocates a heap buffer; the second call overwrites `data->data_len` and allocates a new buffer via `calloc` without freeing the old one, leaving the old pointer dangling. Subsequent reads into the stale buffer can cause a heap-based buffer overflow [CWE-122]. The attack requires only the ability to supply a crafted SOFA file to an application using libmysofa.
Affected code
The vulnerability resides in the `readOHDRHeaderMessageDataLayout` function within libmysofa's SOFA file parser. The original code allocated a new heap buffer via `calloc` without first freeing any previously allocated `data->data` pointer, leading to a memory leak and potential use of a stale pointer. The patch moves the allocation logic outside the `if (!data->data)` guard and adds an explicit `free(data->data)` before reallocation.
What the fix does
The patch removes the `if (!data->data)` guard that prevented reallocation when `data->data` was already non-null. Instead, it unconditionally frees the old buffer with `free(data->data)` and sets the pointer to NULL before calling `calloc`. This ensures that each allocation is paired with a prior deallocation, eliminating both the memory leak and the use of a stale heap pointer that could lead to a buffer overflow.
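The following is an added illustration, not libmysofa's own code: a small C model of the reload pattern described under "Attack vector", "Affected code" and "What the fix does". The struct `layout`, the `read_layout_*` functions, the `reload_twice` driver and the two message payloads are all hypothetical and constructed for the example; the model follows the guard-based description (allocate only when `data->data` is still null) and replaces the raw copy the real reader would perform with a capacity check, so the vulnerable variant reports the overflow condition instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the data object the page discusses
   (not libmysofa's real DATAOBJECT). `capacity` exists only so the model
   can check the buffer size; the real code has no such field. */
struct layout {
    uint8_t *data;     /* heap buffer holding the raw layout payload */
    size_t data_len;   /* length announced by the file's data-layout message */
    size_t capacity;   /* bytes actually allocated for `data` */
};

/* Constructed payloads standing in for two data-layout messages from one
   file; the second announces a larger length than the first. */
static const uint8_t MSG1[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t MSG2[] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };

enum { MODEL_OK = 0, MODEL_NO_MEMORY = 1, MODEL_WOULD_OVERFLOW = 2 };

/* Pre-fix pattern: allocate only when `data` is still NULL. A second message
   updates data_len but leaves the old, smaller buffer in place, so a copy of
   data_len bytes would run past the allocation. The bounds check below makes
   the model report that instead of performing the out-of-bounds write. */
int read_layout_vulnerable(struct layout *l, const uint8_t *msg, size_t msg_len) {
    l->data_len = msg_len;
    if (!l->data) {
        l->data = calloc(1, l->data_len);
        if (!l->data) return MODEL_NO_MEMORY;
        l->capacity = l->data_len;
    }
    if (l->data_len > l->capacity) return MODEL_WOULD_OVERFLOW;
    memcpy(l->data, msg, l->data_len);
    return MODEL_OK;
}

/* Patched pattern: release any previous buffer unconditionally, then
   allocate for the newly announced length before copying. */
int read_layout_fixed(struct layout *l, const uint8_t *msg, size_t msg_len) {
    l->data_len = msg_len;
    free(l->data);
    l->data = NULL;
    l->capacity = 0;
    l->data = calloc(1, l->data_len);
    if (!l->data) return MODEL_NO_MEMORY;
    l->capacity = l->data_len;
    memcpy(l->data, msg, l->data_len);
    return MODEL_OK;
}

/* Feed both messages to one reader variant; return the status of the
   second (reload) call. */
int reload_twice(int (*reader)(struct layout *, const uint8_t *, size_t)) {
    struct layout l = { 0 };
    int rc = reader(&l, MSG1, sizeof MSG1);
    if (rc == MODEL_OK) rc = reader(&l, MSG2, sizeof MSG2);
    free(l.data);
    return rc;
}

int main(void) {
    printf("pre-fix pattern on reload: %d (2 = would overflow)\n",
           reload_twice(read_layout_vulnerable));
    printf("patched pattern on reload: %d (0 = ok)\n",
           reload_twice(read_layout_fixed));
    return 0;
}
```

The point the model makes is that the size recorded from the file (`data_len`) and the size of the buffer actually held can diverge across calls; pairing every allocation with a preceding free, as the patch does, keeps the two in step. In a real parser the same property is worth checking under a sanitizer (AddressSanitizer reports the write past the first allocation directly) rather than relying on a bookkeeping field like `capacity`.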
Preconditions
- Input: the attacker must supply a crafted SOFA file that causes the same data structure to be processed by readOHDRHeaderMessageDataLayout more than once.
- Config: the application must use libmysofa to parse the attacker-supplied file.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PGQ45S4RH7MC42NHTAGOIHYR4C5IRTMZ/ (MITRE; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WGY7TAZX2M4NYXXGNHIBBKKN5XMSMKQ4/ (MITRE; vendor-advisory; x_refsource_FEDORA)
- github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (MITRE; x_refsource_MISC)
- huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1 (MITRE; x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.