CVE-2014-8145

Step 1: Payload Delivery: The attacker crafts a malicious WAV file containing a specially crafted header with oversized or malformed data. Step 2: File Ingestion: The victim's system, running a vulnerable version of SoX, attempts to process the malicious WAV file. This could be triggered by user interaction (e.g., opening the file) or automated processes (e.g., audio processing scripts). Step 3: Vulnerability Trigger: The start_read or AdpcmReadBlock function is called to parse the WAV file. The crafted header causes an integer overflow or other calculation error when determining buffer sizes. Step 4: Heap Overflow: The function attempts to write data to a heap-allocated buffer, but due to the size miscalculation, it writes beyond the allocated memory boundaries, overwriting adjacent heap data. Step 5: Code Execution/DoS: The overwritten data can corrupt program control flow, leading to arbitrary code execution (e.g., by overwriting function pointers) or a denial-of-service (DoS) condition (e.g., by crashing the application or system).

The vulnerability lies within the start_read and AdpcmReadBlock functions of SoX when processing WAV files. Specifically, the code fails to properly validate the size of data read from the WAV file's headers, leading to a heap-based buffer overflow. When a specially crafted WAV file with malicious data in the header is processed, the functions attempt to write data beyond the allocated buffer on the heap. This overwrites adjacent memory, potentially corrupting critical data structures, hijacking program execution, or enabling arbitrary code execution. The root cause is a lack of bounds checking on the size parameters used when allocating and writing to memory buffers. The start_read function likely mishandles the initial read of the WAV header, and AdpcmReadBlock likely miscalculates the size of the audio data blocks. This allows an attacker to control the amount of data written, leading to the overflow.