Submit #769766: jarikomppa soloud SoLoud 20200207 and master-branch Out-of-Bounds Read

Title: jarikomppa soloud SoLoud 20200207 and master-branch Out-of-Bounds Read
Description:

### Description

The crash occurs within drwav_read_pcm_frames_s16__msadpcm, which is invoked via SoLoud::Wav::loadMem. The AddressSanitizer report indicates an invalid READ memory access of size 4 on a global buffer.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Type: Global-buffer-overflow (Read)
- Location: src/audiosource/wav/dr_wav.h (inside drwav_read_pcm_frames_s16__msadpcm)
- Context: The issue is triggered when parsing a crafted WAV file (MSADPCM format). The invalid read occurs 4 bytes before the global variable g_drwavAlawTable.

### Reproduce

1. Build soloud and harness with Release optimization and ASAN enabled.

<details>
<summary>harness.cpp</summary>

```
#include "soloud.h"
#include "soloud_wav.h"
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv) {
    if (argc < 2) {
        return 1;
    }

    // Read the whole input file into memory.
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    fseek(f, 0, SEEK_SET);

    unsigned char *buf = (unsigned char *)malloc(len);
    if (!buf) {
        fclose(f);
        return 1;
    }
    if (fread(buf, 1, len, f) != (size_t)len) {
        free(buf);
        fclose(f);
        return 1;
    }
    fclose(f);

    // Initialise SoLoud with the null audio backend.
    SoLoud::Soloud soloud;
    soloud.init(SoLoud::Soloud::CLIP_ROUNDOFF | SoLoud::Soloud::ENABLE_VISUALIZATION,
                SoLoud::Soloud::NULLDRIVER);

    // Decode the buffer as a WAV file; this is the call that reaches dr_wav.
    SoLoud::Wav wav;
    int res = wav.loadMem(buf, len, false, false);
    if (res == 0) {
        SoLoud::handle h = soloud.play(wav);
        soloud.stop(h);
    }

    soloud.deinit();
    free(buf);
    return 0;
}
```

</details>

2. Run with the crashing [file](https://github.com/oneafter/0209/blob/main/so3/repro):

```
./harness repro
```

<details>
<summary>ASAN report</summary>

```
==56122==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b60ae9589c at pc 0x55b60ad857f9 bp 0x7fff0ab51570 sp 0x7fff0ab51568
READ of size 4 at 0x55b60ae9589c thread T0
    #0 0x55b60ad857f8 in drwav_read_pcm_frames_s16__msadpcm(drwav*, unsigned long long, short*) /src/soloud/src/audiosource/wav/dr_wav.h
    #1 0x55b60ad8a29b in drwav_read_pcm_frames_s16 /src/soloud/src/audiosource/wav/dr_wav.h:6157:16
    #2 0x55b60ad910db in drwav_read_pcm_frames_f32__msadpcm(drwav*, unsigned long long, float*) /src/soloud/src/audiosource/wav/dr_wav.h:6376:35
    #3 0x55b60ad910db in drwav_read_pcm_frames_f32 /src/soloud/src/audiosource/wav/dr_wav.h:6526:16
    #4 0x55b60ad4a6b2 in SoLoud::Wav::loadwav(SoLoud::MemoryFile*) /src/soloud/src/audiosource/wav/soloud_wav.cpp:121:4
    #5 0x55b60ad4d5d4 in SoLoud::Wav::loadMem(unsigned char const*, unsigned int, bool, bool) /src/soloud/src/audiosource/wav/soloud_wav.cpp:314:10
    #6 0x55b60acf1124 in main /src/soloud/harness.cpp:39:19
    #7 0x7f669f5e51c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x7f669f5e528a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #9 0x55b60ac0d5d4 in _start (/src/soloud/harness+0x395d4) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)

0x55b60ae9589c is located 4 bytes before global variable '__PRETTY_FUNCTION__._ZL30drwav_read_pcm_frames_s16__imaP5drwavyPs' defined in '/src/soloud/src/audiosource/wav/dr_wav.h:5737' (0x55b60ae958a0) of size 82
  '__PRETTY_FUNCTION__._ZL30drwav_read_pcm_frames_s16__imaP5drwavyPs' is ascii string 'drwav_uint64 drwav_read_pcm_frames_s16__ima(drwav *, drwav_uint64, drwav_int16 *)'
0x55b60ae9589c is located 88 bytes after global variable 'drwav_read_pcm_frames_s16__ima(drwav*, unsigned long long, short*)::stepTable' defined in '/src/soloud/src/audiosource/wav/dr_wav.h:5725' (0x55b60ae956e0) of size 356
SUMMARY: AddressSanitizer: global-buffer-overflow /src/soloud/src/audiosource/wav/dr_wav.h in drwav_read_pcm_frames_s16__msadpcm(drwav*, unsigned long long, short*)
Shadow bytes around the buggy address:
  0x55b60ae95600: 00 00 00 04 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
  0x55b60ae95680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x55b60ae95700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95800: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
=>0x55b60ae95880: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 02 f9
  0x55b60ae95900: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55b60ae95b00: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==56122==ABORTING
```

</details>
Source: https://github.com/jarikomppa/soloud/issues/401
User: Oneafter (UID 92781)
Submission: 03/02/2026 03:09 (1 month ago)
Moderation: 03/11/2026 20:01 (10 days later)
Status: Accepted
VulDB entry: 350532 [jarikomppa soloud up to 20200207 WAV File Parser dr_wav.h drwav_read_pcm_frames_s16__msadpcm out-of-bounds]
Points: 20
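
The submission does not say which value is used out of range. As an added illustration (not dr_wav or SoLoud code), the following is a pre-decode check a caller could run on MSADPCM data, assuming the standard block layout in which each channel's first header byte selects one of seven predictor coefficient pairs; that this byte is the cause of the reported read is an assumption, and all function names and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSADPCM_NUM_PREDICTORS 7u    /* standard coefficient pairs: indices 0..6 */
#define MSADPCM_HDR_PER_CHANNEL 7u   /* predictor(1) + delta(2) + 2 samples(4) */

/* Returns 1 if the block holds a complete header and every per-channel
 * predictor byte is a valid index into a 7-entry coefficient table. */
int msadpcm_block_header_ok(const uint8_t *block, size_t block_len, unsigned channels)
{
    if (block == NULL || channels < 1 || channels > 2)
        return 0;
    if (block_len < (size_t)channels * MSADPCM_HDR_PER_CHANNEL)
        return 0;                               /* truncated header */
    for (unsigned ch = 0; ch < channels; ch++)  /* predictor bytes come first */
        if (block[ch] >= MSADPCM_NUM_PREDICTORS)
            return 0;
    return 1;
}

/* Walks a data chunk in block_align steps. Returns -1 if every block passes,
 * otherwise the zero-based index of the first rejected block. */
long msadpcm_first_bad_block(const uint8_t *data, size_t len,
                             unsigned channels, size_t block_align)
{
    if (data == NULL || block_align == 0)
        return 0;
    size_t off = 0;
    for (long index = 0; off < len; index++) {
        size_t remaining = len - off;
        size_t this_len = remaining < block_align ? remaining : block_align;
        if (!msadpcm_block_header_ok(data + off, this_len, channels))
            return index;
        off += this_len;   /* never exceeds len, so no wraparound */
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: two 8-byte mono blocks; the second has predictor 0x40. */
    const uint8_t data[16] = { 0x02, 0x10, 0, 0, 0, 0, 0, 0x11,
                               0x40, 0x10, 0, 0, 0, 0, 0, 0x22 };
    printf("first bad block: %ld\n", msadpcm_first_bad_block(data, sizeof data, 1, 8));
    return 0;
}
```

A loader would take `channels` and `block_align` from the file's fmt chunk and refuse to decode when the result is not -1.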
