Description
The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.
Problem types
Product status
Any version before 1.2.16.1
Credits
Dmitrijs Trizna of Aisle Research
Luigino Camastra of Aisle Research
Guido Vranken of Aisle Research
Ze Sheng of Aisle Research
References
lore.kernel.org/...HAcBhAyHUUBPLBN-Yj_SiV6MQ@mail.gmail.com/ (Researcher Disclosure)
github.com/alsa-project/alsa-lib/releases/tag/v1.2.16.1 (Release Notes)
github.com/...ommit/536dd6f8affdf5197c12a63a71c92a70b2833cc0 (Patch Commit)
www.vulncheck.com/...ary-double-free-via-parse-def-in-conf-c