{"id":"CVE-2022-24792","summary":"Potential infinite loop when parsing WAV format file in PJSIP","details":"PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with a length greater than a 31-bit integer can hold. The vulnerability does not affect 64-bit apps and should not affect apps that only play trusted WAV files. A patch is available on the `master` branch of the `pjsip/pjproject` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.","aliases":["GHSA-rwgw-vwxg-q799"],"modified":"2026-04-11T22:13:45.885452Z","published":"2022-04-25T00:00:00Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24792.json","cwe_ids":["CWE-835"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24792.json"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24792"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-37"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5285"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"fixed":"947bc1ee6d05be10204b918df75a503415fd3213"}]}],"versions":["2.10","2.11","2.12"],"database_specific":{"vanir_si
gnatures_modified":"2026-04-11T22:13:45Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","target":{"file":"pjlib/src/pj/file_io_ansi.c","function":"pj_file_setpos"},"digest":{"function_hash":"60263120204433072670714257998056589016","length":414},"signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-05d03dc8"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/avi_player.c"},"digest":{"line_hashes":["330035909719240070606511319648916553562","327063039077951057725531642848580530494","96314009225904133892911132259951526981","174385902580228764356073450683989070702","283960523058742036860128908610764741340","101761635976506361732485310898882079329","149651238927050752326508464797219351725","186690466209121416861604510917047369574","84496458848488717437003618598429422733","90103410702752932775749928662754971312","235602112393539942855418670861770764311","11825329704778565315480468944854869115","307265511734168193014654849123086169965","170362113308601653857167239192159649050","259586377455386887778648358261562683180","281374355349652618476601907775253284879","191766905732308411324625206673384893657","109739764826957131342270461013472165867","82493775720406639430499858732133614664","266985302559214236578162068390621897245","242713667067726800469679543957380878743","248322234928671032424539694980005080202","71843235138694245016537495454054010844","40969617158878647033487161020536736222","187316605705469093594424539171823058778"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-2910d008"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/wav_player.c","function":"pjmedia_wav_player_port_create"},"digest":{"function_hash":"311678921704441876877067354656706562022","length":4341},"signature_type":"Funct
ion","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-3432355f"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/avi_player.c","function":"pjmedia_avi_player_create_streams"},"digest":{"function_hash":"88009946889954725590188535546192931756","length":7551},"signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-771a7ed4"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/wav_playlist.c"},"digest":{"line_hashes":["234780605003106432861759692764117140651","177792145055221609529693096204886089962","155994475192612508591847130549820829912","266635302091591995785029034784720283949","219965592252872759197873819599973170915","147289216440791585185550891671924294729","216444719378403846082658826372578205277","39316611166668126294058636503084823282","237588676947409836218373790383822157839","224504939714208979918400099258740334412","255298923284740055903661691793161706318","55457058224990970764372760986186692383","323706679054757690462794396779644228660","210976495118491751050384602728845790266","172051875035855707750019585346942383979","92424731445195119019599099283851365176"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-7ad1555c"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjlib/include/pj/types.h"},"digest":{"line_hashes":["265914092897662268786890147923750454382","2550956571299987187987251958021663469","275946985500384516839748078367936704995","224142126886732827707322969507471068260","221730388363705272033727877137633997309"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-7fd5bb26"},{"deprecated":false,"signature_vers
ion":"v1","target":{"file":"pjlib/src/pj/file_io_ansi.c"},"digest":{"line_hashes":["140213847486433063987625072011277509564","19275338327713763574775720682520264063","241391874304712850443472948253365473099","11019159423132371261805469580261503269","100095325496756335945068429285304604102","143793305705152029965327918096600892811"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-a367fa86"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/avi_player.c","function":"avi_get_frame"},"digest":{"function_hash":"257206886943690643904865102001879039864","length":5383},"signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-a88bea6f"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/wav_playlist.c","function":"pjmedia_wav_playlist_create"},"digest":{"function_hash":"319945198955750161944630612627635229115","length":5998},"signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-eee248d6"},{"deprecated":false,"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/wav_player.c"},"digest":{"line_hashes":["148851357336189296134397496263155529356","221898535019962582624255516917921757816","266877716697532895840617714338187228640","193820012315010988805755086199644990652","196502481766597944144747858118964587864","55555532733740701633646994666800368829","113795981307509510680315839610312524430","261176306718789661389230379725753154652","72488589988798473927171880718836550798","174650650864873452085684182806477980834","62838455024593073927578117288798784677","102421962031597708572588513053544625650","309958392742816604085104047263412469274","211528842485790957103416568410648229808","54616906274186259894320273291752643766","150737539
2125749025754772986503779534"],"threshold":0.9},"signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213","id":"CVE-2022-24792-f818c77a"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}