From 08400cfcd1a39c12b9f8894f6b4b2146029eab2f Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Sat, 31 Dec 2016 01:20:25 +0100
Subject: [PATCH 1/8] Fix division by zero sample rate due to global buffer overflow.
Also known as CVE-2016-9264 and CVE-2016-9265.
Fixes: #51, #52
---
 util/listmp3.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/util/listmp3.c b/util/listmp3.c
index b7f0619..80947d9 100644
--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -39,10 +39,11 @@ int mp2l23_bitrate_table[] = { 0, 8, 16, 24, 32, 40, 48, 56,
 #define MP3_SAMPLERATE 0x00000C00
 #define MP3_SAMPLERATE_SHIFT 10
+#define MP3_SAMPLERATE_IDX_MAX 2
-int mp1_samplerate_table[] = { 44100, 48000, 32000 };
-int mp2_samplerate_table[] = { 22050, 24000, 16000 }; /* is this right?? */
-int mp25_samplerate_table[] = { 11025, 12000, 8000 }; /* fewer samples?? */
+int mp1_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 44100, 48000, 32000 };
+int mp2_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 22050, 24000, 16000 }; /* is this right?? */
+int mp25_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 11025, 12000, 8000 }; /* fewer samples?? */
 #define MP3_PADDING 0x00000200 /* if set, add an extra slot - 4 bytes for layer 1, 1 byte for 2+3 */
@@ -103,6 +104,10 @@ void printMP3Headers(FILE *f)
 bitrate_idx = (flags & MP3_BITRATE) >> MP3_BITRATE_SHIFT;
 samplerate_idx = (flags & MP3_SAMPLERATE) >> MP3_SAMPLERATE_SHIFT;
+ if (samplerate_idx < 0 || samplerate_idx > MP3_SAMPLERATE_IDX_MAX)
+ {
+ error("invalid samplerate index");
+ }
 channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2;
--
2.1.4
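Review bot: The new MP3_SAMPLERATE_IDX_MAX bound and the `[MP3_SAMPLERATE_IDX_MAX + 1]` array sizes are kept in step with the three initializers only by hand; an initializer list one entry short would zero-fill silently, and a 0 table entry is exactly the divide-by-zero the commit title describes. Deriving the bound from the data, e.g. `#define MP3_SAMPLERATE_IDX_MAX (sizeof mp1_samplerate_table / sizeof mp1_samplerate_table[0] - 1)` placed after the tables, or a `_Static_assert` on the count if the project builds as C11, ties the range check to the table contents. The tables also remain writable, externally visible globals; `static const int mp1_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 44100, 48000, 32000 };` (and likewise for the other two) makes them read-only and file-local, assuming no other translation unit references them. The `/* is this right?? */` and `/* fewer samples?? */` comments are carried over unchanged; the values match the MPEG-2 (22050, 24000, 16000) and MPEG-2.5 (11025, 12000, 8000) sample-rate tables, so the doubts can be removed rather than propagated.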
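Review bot: After `error("invalid samplerate index");` nothing stops printMP3Headers from continuing to the table lookup, so the fix is complete only if error() never returns; error() is defined outside this hunk, and if it merely prints a message a `return;` (or an explicit exit) is needed inside the new block. The `samplerate_idx < 0` half of the condition is unreachable when samplerate_idx is unsigned, since the value is a masked two-bit field shifted right; the declaration is outside the hunk, so confirm it is not just a tautological comparison that some compilers warn about. Because that field can only yield 0–3, the only value rejected here is the reserved index 3, and a comment such as `/* sample-rate index 3 is reserved in the MPEG audio frame header */` would document why the bound is 2. bitrate_idx, computed on the line just above, receives no corresponding range check in this hunk, and whether its table lookup is bounded elsewhere is not visible from here. printMP3Headers begins and ends outside the hunk.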