When libaudiofile is used to change both the number of channels of an audio file (e.g. from stereo to mono) and the sample format (e.g. from 16-bit samples to 8-bit samples), the output file will contain corrupted data.
If the new sample format is smaller than the old one, there is a risk of buffer overflow: e.g. when the input file has 16-bit samples and the output file has 8-bit samples, afReadFrames will treat the buffer to read the samples (argument void *data) as a pointer to int16_t instead of int8_t, therefore it will write past its end.
The attached program (which is a rework of a file already present in the upstream's test suite, reworked by me) shows the problem. The 2 variables byte and abyte are int8_t. afReadFrames is told to read 1 8-bit sample into byte, but ends up treating &byte as a pointer to an int16_t, thus overwriting abyte (when abyte is stored right after byte in memory, which is what happens when I compile with gcc).
I proposed a fix (before realising about the buffer overflow, only about the data corruption) at https://github.com/mpruett/audiofile/pull/25
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libaudiofile1 0.3.6-2
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
Uname: Linux 3.19.0-15-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Oct 4 23:55:03 2015
InstallationDate: Installed on 2010-11-07 (1792 days ago)
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
SourcePackage: audiofile
UpgradeStatus: No upgrade log present (probably fresh install)
This has been assigned CVE-2015-7747 by MITRE: http://