#! /bin/sh

# CVE-2017-18189
# In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2,
# a corrupt header specifying zero channels triggers an infinite loop with
# a resultant NULL pointer dereference, which may allow a remote attacker
# to cause a denial-of-service.
#
# https://bugs.debian.org/881121
# Running 'sox poc.aiff output.aiff speed 1.027' with the attached file
# raises a null pointer dereference, which may allow a remote attacker
# to cause a denial-of-service attack.
# I expected the program to terminate without segfault, but the program crashes.
#
# Discovered 08 Nov 2017 by Joonun Jang <joonun.jang@gmail.com>

# 14.4.2:
# dumps core and exits 139
# with asan exits 1

# Debian and 42b355:
# sox FAIL formats: can't open input file `poc.aiff': invalid channel count 0
# and exit 2

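# Regression check: a fixed sox must reject the zero-channel header cleanly
# (exit 2) instead of crashing or accepting the file.
#
# Exit status of this script:
#   0    sox rejected the PoC with exit 2 (expected, fixed behaviour)
#   255  sox exited 0, i.e. it accepted the corrupt file
#   99   the PoC file is missing or unreadable, so nothing was tested
#   N    any other sox status is passed through unchanged (e.g. 139 for a
#        core dump, 1 under ASan, as noted above)

# Clear leftovers from an earlier run so they cannot be mistaken for output
# of this one.
rm -f core out.aiff

# The expected "pass" status (2) is reported by sox as "can't open input
# file". A missing or unreadable PoC would presumably yield the same status
# and make this test pass without exercising the vulnerable parser, so fail
# loudly instead.
if [ ! -r poc.aiff ]; then
  printf '%s\n' "poc.aiff: missing or unreadable; CVE-2017-18189 check not run" >&2
  exit 99
fi

# $sox selects the binary under test and defaults to the one on PATH.
# NOTE(review): left unquoted as in the original, so a value containing a
# wrapper plus arguments is word-split; confirm that is intended.
${sox:-sox} poc.aiff out.aiff speed 1.027
status=$?

# Remove the core file and any partial output regardless of the result.
rm -f core out.aiff

# Translate sox's status into a test verdict; anything not listed here is
# already non-zero and is reported as a failure as-is.
case "$status" in
  0) status=255 ;; # corrupt header was accepted
  2) status=0 ;;   # clean rejection
esac

exit "$status"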
