From 6032557a21e4dac8bb2606bb5b58e27d85a7ff98 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 10 Jan 2018 09:58:57 +0100
Subject: [PATCH 24/29] Fix global buffer overflow in printMP3Headers.
The printMP3Headers function in util/listmp3.c processes mp3 files
without checking their bitrate values. This leads to bitrate_idx = 15
being used as index in mp2l23_bitrate_table[bitrate_idx] while
mp2l23_bitrate_table has only 14 elements.
In this commit we add a check rejecting mp3 files declaring invalid
bitrates.
This commit fixes CVE-2017-16898 (fixes: #75).
---
util/listmp3.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/util/listmp3.c b/util/listmp3.c
index de9d9f73..3564ff92 100644
--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -119,6 +119,11 @@ void printMP3Headers(FILE *f)
error("invalid samplerate index");
}
+ if (bitrate_idx == 15)
+ {
+ error("invalid bitrate 15");
+ }
+
channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2;
switch(flags & MP3_VERSION)
--
2.14.3
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
e292cda8ad33284786d7f1384ee2e82d
>
files
>
15
