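The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial of service (resource exhaustion caused by an infinite loop) via a crafted WAV audio file, because WavpackSetConfiguration64 mishandles a sample rate of zero. The signatures below target src/pack_utils.c, one by line hashes and one by the hash of the function WavpackSetConfiguration64, and both cite upstream commit 070ef6f138956d9ea9612e69586152339dbefe51 as their source.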
{ "vanir_signatures": [ { "id": "CVE-2018-19840-01548206", "signature_type": "Line", "digest": { "line_hashes": [ "109524009393532704057515757123608873934", "308187253253712338333845699135135578363", "160307732922576192310224126902144133758" ], "threshold": 0.9 }, "target": { "file": "src/pack_utils.c" }, "source": "https://github.com/dbry/wavpack/commit/070ef6f138956d9ea9612e69586152339dbefe51", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2018-19840-edf4b29c", "signature_type": "Function", "digest": { "function_hash": "33576504915719694319716314055280451550", "length": 5678.0 }, "target": { "file": "src/pack_utils.c", "function": "WavpackSetConfiguration64" }, "source": "https://github.com/dbry/wavpack/commit/070ef6f138956d9ea9612e69586152339dbefe51", "signature_version": "v1", "deprecated": false } ] }