CVE-2018-19840

The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name	Vendor	Start Version	End Version
Wavpack	Wavpack	*	5.1.0 (including)

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00029.html
http://packetstormsecurity.com/files/155743/Slackware-Security-Advisory-wavpack-Updates.html
https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51
https://github.com/dbry/WavPack/issues/53
https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BLSOEVEKF4VNNVNZ2AN46BJUT4TGVWT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZGXJUHCGQI6XKLCBUZHXPYIIWMFWA22/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVVKOBJR5APOB3KWUWJ4UWQHUBZQL6C6/
https://seclists.org/bugtraq/2019/Dec/37
https://security.gentoo.org/glsa/202007-19
https://usn.ubuntu.com/3839-1/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-19840
CWE	https://cwe.mitre.org/data/definitions/835.html

Loop with Unreachable Exit Condition ('Infinite Loop')

Weakness

Affected Software

References