{"id":"CVE-2019-20016","details":"libmysofa before 2019-11-24 does not properly restrict recursive function calls, as demonstrated by reports of stack consumption in readOHDRHeaderMessageDatatype in dataobject.c and directblockRead in fractalhead.c. NOTE: a download of v0.9 after 2019-12-06 should fully remediate this issue.","modified":"2026-04-10T06:37:52.371501Z","published":"2019-12-27T02:15:10.467Z","related":["openSUSE-SU-2021:0444-1","openSUSE-SU-2021:0459-1","openSUSE-SU-2024:10960-1"],"references":[{"type":"FIX","url":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f"},{"type":"EVIDENCE","url":"https://github.com/hoene/libmysofa/issues/83"},{"type":"EVIDENCE","url":"https://github.com/hoene/libmysofa/issues/84"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hoene/libmysofa","events":[{"introduced":"0"},{"fixed":"f8762e95119973d2ff0949b4bcbffaa7aab3f328"},{"fixed":"2e6fac6ab6156dae8e8c6f417741388084b70d6f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9"}]}}],"versions":["v0,.4","v0.1","v0.2","v0.4","v0.4(Windows)","v0.5","v0.6","v0.7","v0.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20016.json","vanir_signatures":[{"signature_type":"Function","id":"CVE-2019-20016-1a562a31","digest":{"length":4271,"function_hash":"22426894383875682064064341448174269836"},"deprecated":false,"target":{"file":"src/hdf/fractalhead.c","function":"directblockRead"},"source":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2019-20016-396952ad","digest":{"length":661,"function_hash":"220409858334768758030964991236568024685"},"deprecated":false,"target":{"file":"src/hrtf/reader.c","function":"mysofa_load"},"source":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2019-20016-64116101","digest":{"threshold":0.9,"line_hashes":["126920402152793972054346189018412031597","192349277455691798649695065491058276126","240342474809492929687205401559339442194","110450927489098810108528014416881043090"]},"deprecated":false,"target":{"file":"src/hdf/reader.h"},"source":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2019-20016-9180eedd","digest":{"threshold":0.9,"line_hashes":["218483871317559296276866678091979471851","59116885264007309288058354283826321541","325474360844867093402785901074817917631","301834355421996408333369801449968838938"]},"deprecated":false,"target":{"file":"src/hrtf/reader.c"},"source":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2019-20016-96bcfeef","digest":{"threshold":0.9,"line_hashes":["309421920668530166875275141915823296016","108586805816705787476392180996387578299","92938964960654865207554545102813539782","190014348197550664022981370389235665492","195270836730953688632176371217196646522","86500040936225443048492081479754717538","295942992743340884871023245474831205552","222147066808922266623752909979925333999","99210129838139037229072738950565222511","200078829488792878604784776002487678681","54120965833940361139325454686524056353"]},"deprecated":false,"target":{"file":"src/hdf/fractalhead.c"},"source":"https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-10T06:37:52Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}