CVE-2026-37555
Description
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Affected products
1- cpe:2.3:a:libsndfile_project:libsndfile:1.2.2:*:*:*:*:*:*:*
Patches
19a829113c88aima_adpcm: fix int overflow in ima_reader_init()
1 file changed · +3 −3
src/ima_adpcm.c+3 −3 modified@@ -187,7 +187,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) ** to avoid having to branch when pulling apart the nibbles. */ count = ((samplesperblock - 2) | 7) + 2 ; - pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof(short) * count) ; + pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof (short) * count) ; if (! (pima = calloc (1, pimasize))) return SFE_MALLOC_FAILED ; @@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) case SF_FORMAT_AIFF : psf_log_printf (psf, "still need to check block count\n") ; pima->decode_block = aiff_ima_decode_block ; - psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ; + psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ; break ; default : @@ -391,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima) static int wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima) { int chan, k, predictor, blockindx, indx, indxstart, diff ; - short step, bytecode, stepindx [2] = { 0 }; + short step, bytecode, stepindx [2] = { 0 } ; pima->blockcount ++ ; pima->samplecount = 0 ;
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151nvdPatch
- gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1nvdExploitThird Party Advisory
- github.com/libsndfile/libsndfile/issues/833nvdIssue Tracking
News mentions
0No linked articles in our index yet.