
SoX 14.4.2 (wav.c) Division By Zero

Low
Advisory ID
ZSL-2022-5712
Release Date
18 September 2022
Vendor
Affected Version
<=14.4.2
Tested On
Ubuntu 18.04.6 LTS, Microsoft Windows 10 Home
Summary

SoX (Sound eXchange) is the Swiss Army knife of sound processing tools: it can convert sound files between many different file formats and audio devices, and can apply many sound effects and transformations, as well as doing basic analysis and providing input to more capable analysis and plotting tools.

Description

SoX is affected by a division-by-zero vulnerability when handling WAV files, resulting in denial of service and possibly loss of data.

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
18.09.2022: Initial release
22.09.2022: Added reference [1] and [2]
10.04.2023: Added reference [3]
24.03.2026: Added reference [4]