From 08400cfcd1a39c12b9f8894f6b4b2146029eab2f Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Sat, 31 Dec 2016 01:20:25 +0100
Subject: [PATCH 1/8] Fix division by zero sample rate due to global buffer
overflow.
Also known as CVE-2016-9264 and CVE-2016-9265.
Fixes: #51, #52
---
util/listmp3.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/util/listmp3.c b/util/listmp3.c
index b7f0619..80947d9 100644
--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -39,10 +39,11 @@ int mp2l23_bitrate_table[] = { 0, 8, 16, 24, 32, 40, 48, 56,
#define MP3_SAMPLERATE 0x00000C00
#define MP3_SAMPLERATE_SHIFT 10
+#define MP3_SAMPLERATE_IDX_MAX 2
-int mp1_samplerate_table[] = { 44100, 48000, 32000 };
-int mp2_samplerate_table[] = { 22050, 24000, 16000 }; /* is this right?? */
-int mp25_samplerate_table[] = { 11025, 12000, 8000 }; /* fewer samples?? */
+int mp1_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 44100, 48000, 32000 };
+int mp2_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 22050, 24000, 16000 }; /* is this right?? */
+int mp25_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 11025, 12000, 8000 }; /* fewer samples?? */
#define MP3_PADDING 0x00000200 /* if set, add an extra slot - 4 bytes
for layer 1, 1 byte for 2+3 */
@@ -103,6 +104,10 @@ void printMP3Headers(FILE *f)
bitrate_idx = (flags & MP3_BITRATE) >> MP3_BITRATE_SHIFT;
samplerate_idx = (flags & MP3_SAMPLERATE) >> MP3_SAMPLERATE_SHIFT;
+ if (samplerate_idx < 0 || samplerate_idx > MP3_SAMPLERATE_IDX_MAX)
+ {
+ error("invalid samplerate index");
+ }
channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2;
--
2.1.4
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
e292cda8ad33284786d7f1384ee2e82d
>
files
>
21
