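CVE-2018-19841: The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack. The Vanir signatures below take upstream commit bba5389dc598a92bdf2b297c3ea34620b6679b5b as their source and target src/open_utils.c: one line-based signature with a 0.9 match threshold and one function-based signature for WavpackVerifySingleBlock. A match indicates that the scanned source likely still lacks that fix, whatever version string the copy reports.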
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "file": "src/open_utils.c" }, "deprecated": false, "source": "https://github.com/dbry/wavpack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b", "digest": { "line_hashes": [ "224602488121191747575636366238954744606", "112956552720096278729890579258692831865", "72432928959116191838765111329690449515", "276822696370643268534024155463350602056", "160161462248455470574702774187473831199", "84386254632126936859290170204951445156", "260889058634551390355239300320213468146", "134242469936737286629811066641293856359", "119148543310043654915559546939612768560" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2018-19841-31d60b64" }, { "signature_version": "v1", "target": { "file": "src/open_utils.c", "function": "WavpackVerifySingleBlock" }, "deprecated": false, "source": "https://github.com/dbry/wavpack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b", "digest": { "length": 1674.0, "function_hash": "79353240025617127913251080894080099937" }, "signature_type": "Function", "id": "CVE-2018-19841-5fbfadb8" } ] }