oss-sec mailing list archives

[CVE-2026-37555] libsndfile IMA-ADPCM integer overflow (incomplete fix for CVE-2022-33065)


From: Feng Ning <feng () innora ai>
Date: Thu, 30 Apr 2026 02:22:36 +0000

Hi,

I'm disclosing an integer overflow vulnerability in libsndfile's IMA-ADPCM decoder that leads to heap corruption when 
processing crafted WAV files.

**CVE:** CVE-2026-37555
**Product:** libsndfile (Erik de Castro Lopo)
**Affected:** Current master and all release versions through 1.2.2
**CWE:** CWE-190 (Integer Overflow)
**CVSS 3.1:** 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**Credit:** Feng Ning, Innora Security Research

## Summary

This issue stems from an incomplete fix for CVE-2022-33065. The original fix in src/ima_adpcm.c correctly cast the 
multiplication to sf_count_t on the AIFF code path (line 241) but missed two other locations performing the same type 
of arithmetic.

## Details

In src/ima_adpcm.c, sample count calculations use int * int multiplication whose 32-bit result overflows before it is 
assigned to the 64-bit sf_count_t:

**Line 235 (WAV open path):**
```c
sf.frames = samplesperblock * blocks;
```

**Line 167 (close path):**
```c
sf.frames = samplesperblock * blockcount / channels;
```

Both `samplesperblock` and `blocks`/`blockcount` are `int`. When their product exceeds INT32_MAX, the multiplication 
wraps. For example, samplesperblock=50000 and blocks=50000 yields 2,500,000,000, which overflows int32 to 
-1,794,967,296. This negative value propagates into frame count calculations, leading to undersized buffer allocations 
and heap corruption during decoding.

For comparison, the AIFF path at line 241 was already fixed in the CVE-2022-33065 patch:
```c
sf.frames = (sf_count_t) samplesperblock * blocks / channels;
```

## Fix

Cast the first operand to sf_count_t on lines 235 and 167, matching the existing fix on line 241:

```c
sf.frames = (sf_count_t) samplesperblock * blocks;
sf.frames = (sf_count_t) samplesperblock * blockcount / channels;
```
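The following is an added illustration, not code from the advisory or from libsndfile itself: it uses the advisory's
example values to contrast the wrapped 32-bit product with the widened product the cast produces, and adds a
defensive bounds check a caller could apply. The `sf_count_t` typedef and all function names are assumptions made
so the snippet compiles on its own.

```c
#include <stdint.h>
#include <stdio.h>

/* libsndfile's frame counter is 64-bit; this typedef is an assumption that
 * keeps the example self-contained. */
typedef int64_t sf_count_t;

/* What the unfixed `samplesperblock * blocks` line stores once the int
 * product wraps. Emulated with unsigned arithmetic because signed overflow
 * is undefined behaviour in C; real builds typically observe this wrap. */
static sf_count_t frames_wrapped(int samplesperblock, int blocks)
{
    uint32_t product = (uint32_t) samplesperblock * (uint32_t) blocks;
    return (sf_count_t) (int32_t) product;   /* widened only after wrapping */
}

/* The advisory's fix for line 235: widen the first operand before multiplying. */
static sf_count_t frames_fixed(int samplesperblock, int blocks)
{
    return (sf_count_t) samplesperblock * blocks;
}

/* The advisory's fix for line 167 (close path), same cast. */
static sf_count_t frames_fixed_close(int samplesperblock, int blockcount, int channels)
{
    return (sf_count_t) samplesperblock * blockcount / channels;
}

/* Hypothetical defensive check: reject non-positive inputs and any product
 * that would not fit in sf_count_t. Returns 1 on success, 0 on rejection. */
static int frames_checked(int samplesperblock, int blocks, sf_count_t *out)
{
    if (samplesperblock <= 0 || blocks <= 0)
        return 0;
    if ((sf_count_t) samplesperblock > INT64_MAX / blocks)
        return 0;
    *out = (sf_count_t) samplesperblock * blocks;
    return 1;
}

int main(void)
{
    sf_count_t checked = 0;
    printf("wrapped: %lld\n", (long long) frames_wrapped(50000, 50000));
    printf("fixed  : %lld\n", (long long) frames_fixed(50000, 50000));
    printf("checked: %d (%lld)\n", frames_checked(50000, 50000, &checked), (long long) checked);
    return 0;
}
```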

## References

- CVE-2022-33065 (original fix, incomplete)
- MITRE ticket #2019024

I've contacted the maintainer. No patch has been released yet.

Regards,
Feng Ning

