There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. https://nvd.nist.gov/vuln/detail/CVE-2018-19758