Hello,
I have identified a reproducible memory-safety issue in AudioFile, reachable through the public loadFromMemory() API when processing malformed AIFF-like input data.
I would prefer not to disclose the minimized input or detailed sanitizer output publicly before the maintainer has had a chance to review it.
Is there a preferred private security contact, email address, or disclosure route for this project?
I can provide:
- minimized malformed AIFF-like input
- ASan/UBSan crash log
- affected commit information
- clean-checkout reproduction steps
- a small standalone C++ reproducer using
loadFromMemory()
- source-level root cause notes
- suggested fix direction
Best regards,
Yukimura
Hello,
I have identified a reproducible memory-safety issue in
AudioFile, reachable through the publicloadFromMemory()API when processing malformed AIFF-like input data.I would prefer not to disclose the minimized input or detailed sanitizer output publicly before the maintainer has had a chance to review it.
Is there a preferred private security contact, email address, or disclosure route for this project?
I can provide:
loadFromMemory()Best regards,
Yukimura