Impact
A security researcher reported a bug in the WAVFileReader module where a memory scan is bounded by untrusted data from the input file. This can result in a crash at runtime.
This impacts use of the DirectX Tool Kit for Audio SoundEffect file loading ctor if given untrusted data files, as well as the xwbtool command-line tool if used on untrusted files.
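The bug class described above, shown in its hardened form as an added example. This is not DirectX Tool Kit's code or the referenced commit: `FindChunk`, `ChunkView` and the 34-byte sample buffer are hypothetical names and constructed data. The chunk scan is bounded by the number of bytes actually in memory, so a size field in the file can shorten the scan but never extend it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical helper, not DirectXTK's API. Constructed 34-byte WAV-like sample.
static const uint8_t kSample[34] = {
    'R','I','F','F', 26,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 4,0,0,0, 1,0,1,0,
    'd','a','t','a', 2,0,0,0, 0x34,0x12 };

struct ChunkView { const uint8_t* data; uint32_t size; };

static uint32_t ReadLE32(const uint8_t* p)
{
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Every bound derives from len (bytes in memory), never from a file field alone.
bool FindChunk(const uint8_t* buf, size_t len, const char* tag, ChunkView& out)
{
    constexpr size_t kHeader = 8;                 // FourCC + 32-bit size
    if (!buf || len < 12 || std::memcmp(buf, "RIFF", 4) != 0)
        return false;
    // The declared RIFF size is untrusted: it may shrink the scan, never extend it.
    size_t end = len;
    const uint32_t declared = ReadLE32(buf + 4);
    if (declared < len - 8)
        end = 8 + size_t(declared);
    size_t pos = 12;                              // skip "RIFF", size, form type
    while (pos < end && end - pos >= kHeader)
    {
        const uint32_t size = ReadLE32(buf + pos + 4);
        if (size > end - pos - kHeader)
            return false;                         // chunk claims bytes that do not exist
        if (std::memcmp(buf + pos, tag, 4) == 0)
        {
            out = ChunkView{ buf + pos + kHeader, size };
            return true;
        }
        pos += kHeader + size + (size & 1);       // chunks are padded to even length
    }
    return false;
}

int main()
{
    ChunkView cv{};
    return FindChunk(kSample, sizeof(kSample), "data", cv) && cv.size == 2 ? 0 : 1;
}
```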
Patches
This bug has been fixed in the February 6, 2023 release. Alternatively, you can just update your copy of the reader as per this commit.
Workarounds
This does not apply if your .wav files are all 'trusted' data that were included with your application. It's primarily an issue only if you are using user-provided or network-downloaded .wav files.