Description
Dear Maintainer,
We have identified a heap-buffer-overflow memory bug in sndfile.c at commit c81375f070f3c676496.
To reproduce the bug:
Compile with ASan:
export CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g"
export CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g"
and run:
./sndfile-convert POC out.wav
poc_overflow.zip
Please find the detailed report below:
==3760181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000020 at pc 0x000000498c97 bp 0x7fffc34ef030 sp 0x7fffc34ee7f8
READ of size 64 at 0x602000000020 thread T0
#0 0x498c96 in __asan_memcpy (/benchmark/libsndfile/out/afl/sndfile-convert+0x498c96)
#1 0x4ed8bb in sf_command /benchmark/libsndfile/src/sndfile.c
#2 0x4cc061 in copy_metadata /benchmark/libsndfile/programs/sndfile-convert.c:396:7
#3 0x4cc061 in main /benchmark/libsndfile/programs/sndfile-convert.c:351:2
#4 0x7fa3c1f2ac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#5 0x41fb69 in _start (/benchmark/libsndfile/out/afl/sndfile-convert+0x41fb69)
0x602000000020 is located 0 bytes to the right of 16-byte region [0x602000000010,0x602000000020)
allocated by thread T0 here:
#0 0x49983d in malloc (/benchmark/libsndfile/out/afl/sndfile-convert+0x49983d)
#1 0x5130cf in aiff_read_chanmap /benchmark/libsndfile/src/aiff.c:1797:27
#2 0x5130cf in aiff_read_header /benchmark/libsndfile/src/aiff.c:885:19
#3 0x5130cf in aiff_open /benchmark/libsndfile/src/aiff.c:249:17
#4 0x4da9f6 in psf_open_file /benchmark/libsndfile/src/sndfile.c:3169:13
#5 0x4cac9e in main /benchmark/libsndfile/programs/sndfile-convert.c:290:16
#6 0x7fa3c1f2ac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
Thanks,
Andrew
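The trace above shows the shape of the bug without the fix: a 16-byte channel map allocated by the AIFF header parser (aiff_read_chanmap) is later read with a 64-byte memcpy in sf_command, because the caller in copy_metadata sizes its request from a different channel count than the one the map was allocated with. The program below is an added illustration of that bug class and its defensive counterpart; it is not code from this report or from libsndfile, and the demo_file struct, demo_read_chanmap, get_chanmap_unchecked, get_chanmap_checked, demo_copy_metadata and run_scenario are hypothetical stand-ins that do not reproduce libsndfile's real SF_PRIVATE layout or sf_command logic. The checked variant records how many entries were actually allocated and refuses any request whose byte count does not match that allocation, so a mismatched header can no longer drive the copy length.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for parsed-file state (not libsndfile's SF_PRIVATE). */
typedef struct {
    int *channel_map;       /* heap buffer filled by the header parser */
    size_t map_entries;     /* entries actually allocated for channel_map */
    int declared_channels;  /* channel count the header claims (untrusted) */
} demo_file;

/* Stand-in for the parser path in the trace: the map is sized from the
 * chunk's own layout (e.g. 4 entries = 16 bytes), not from declared_channels. */
static int demo_read_chanmap(demo_file *f, size_t layout_entries)
{
    f->channel_map = calloc(layout_entries, sizeof(int));
    if (f->channel_map == NULL)
        return -1;
    f->map_entries = layout_entries;
    for (size_t i = 0; i < layout_entries; i++)
        f->channel_map[i] = (int)i + 1;   /* constructed sample content */
    return 0;
}

/* Vulnerable shape: trusts the caller's byte count. A header declaring 16
 * channels makes the caller ask for 64 bytes from a 16-byte map, which is the
 * heap READ overflow ASan reports above. Shown for contrast; never called here. */
static int get_chanmap_unchecked(const demo_file *f, int *out, size_t out_bytes)
{
    if (f->channel_map == NULL)
        return -1;
    memcpy(out, f->channel_map, out_bytes);
    return 0;
}

/* Hardened shape: the copy is bounded by the recorded allocation, and a
 * request that does not match it is rejected instead of silently served.
 * Returns the number of entries copied, or -1 on refusal. */
static int get_chanmap_checked(const demo_file *f, int *out, size_t out_bytes)
{
    if (f->channel_map == NULL || out == NULL)
        return -1;
    size_t have = f->map_entries * sizeof(int);
    if (out_bytes != have)
        return -1;                         /* size mismatch: refuse the copy */
    memcpy(out, f->channel_map, have);
    return (int)f->map_entries;
}

/* Mirrors the caller pattern: the destination is sized from the header's
 * declared channel count, which may disagree with the parser's allocation. */
static int demo_copy_metadata(const demo_file *f)
{
    size_t want = (size_t)f->declared_channels * sizeof(int);
    int *buf = malloc(want);
    if (buf == NULL)
        return -1;
    int rc = get_chanmap_checked(f, buf, want);
    free(buf);
    return rc < 0 ? -1 : 0;
}

/* Builds one scenario end to end: parse a map of layout_entries entries,
 * then request it with a buffer sized from declared_channels.
 * Returns 0 when the copy was allowed, -1 when it was refused. */
static int run_scenario(int declared_channels, size_t layout_entries)
{
    demo_file f = { NULL, 0, declared_channels };
    if (demo_read_chanmap(&f, layout_entries) != 0)
        return -2;
    int rc = demo_copy_metadata(&f);
    free(f.channel_map);
    return rc;
}

int main(void)
{
    /* Same proportions as the trace: 16 declared channels, 4-entry (16-byte) map. */
    printf("declared 16 / allocated 4: %d (refused)\n", run_scenario(16, 4));
    printf("declared 4  / allocated 4: %d (ok)\n", run_scenario(4, 4));
    return 0;
}
```

Rejecting on mismatch rather than copying the smaller of the two sizes is a deliberate choice: a header whose channel count disagrees with its own channel-map chunk is malformed, and surfacing that as an error keeps the caller from proceeding with a half-filled map. The same check also covers the opposite mismatch (a declared count smaller than the map), which would otherwise be a heap write overflow of the caller's buffer.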