
From 1b901d77aada2480bc01b8439b9dc71c9f1a1b50 Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Sat, 31 Dec 2016 01:52:30 +0100
Subject: [PATCH 2/8] Fix using EOF marker -1 value as a valid flag byte

Also known as CVE-2016-9266

Fixes: #53
---
 util/listmp3.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -74,6 +74,8 @@
 
   for(;;)
   {
+    int flags_char;
+    int i;
     /* get 4-byte header, bigendian */
     if((flags = fgetc(f)) == EOF)
       break;
@@ -92,9 +94,17 @@
       break;
 
     flags <<= 24;
-    flags += fgetc(f) << 16;
-    flags += fgetc(f) << 8;
-    flags += fgetc(f);
+    for (i = 2; i >= 0; --i)
+    {
+      if ((flags_char = fgetc(f)) == EOF)
+      {
+        error("truncated file");
+      }
+      else
+      {
+        flags += flags_char << (i * 8);
+      }
+    }
 
     if((flags & MP3_FRAME_SYNC) != MP3_FRAME_SYNC)
       break;
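Review bot: The EOF branch in the new loop calls `error("truncated file")` but does not leave the loop or the enclosing `for(;;)`; unless `error()` is known to terminate the process, the loop keeps calling `fgetc(f)` on a stream already at EOF and then falls through to the `MP3_FRAME_SYNC` check with a header that is missing one or more bytes. If `error()` can return, the branch should read `error("truncated file"); break;` (or `return`), matching how the first-byte EOF is handled in the earlier hunk; if it always exits, a one-line comment such as `/* error() does not return */` would make that contract visible at the call site. Separately, the surrounding `flags <<= 24` on the first byte is left unchanged by the patch; if `flags` is a signed `int`, values of 0x80 and above shift into the sign bit, which is undefined behaviour in C — declaring `flags` as `unsigned` (or `uint32_t`) would remove that, though the declaration is outside this hunk so its current type cannot be confirmed here. The enclosing `for(;;)` body starts and ends outside the hunk.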